README
PBKDF passphrase key provider
> [!WARNING]
> This file is not end-user documentation; it is intended for developers. Please follow the user documentation on the OpenTofu website unless you want to work on the encryption code.

This folder contains the code for the PBKDF2 passphrase key provider. The user can enter a passphrase and the key provider will generate `[]byte` keys of a given length and will record the salt in the encryption metadata.
Configuration
You can configure this key provider by specifying the following options:
```hcl
terraform {
  encryption {
    key_provider "pbkdf2" "myprovider" {
      passphrase = "enter a long and complex passphrase here"
      # Adapt the key length to your encryption method needs,
      # check the method documentation for the right key length
      key_length = 32
      # Provide the number of iterations that should be performed.
      # See https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
      # for recommendations
      iterations = 600000
      # Pick the hashing function. Can be sha256 or sha512.
      hash_function = "sha512"
      # Pick the salt length in bytes.
      salt_length = 32
    }
  }
}
```
Documentation
Overview
Package pbkdf2 contains a key provider that takes a passphrase and emits a PBKDF2 hash of the configured length.
Example (Decrypt)
This example is a bare-bones configuration for a static key provider. It is mainly intended to demonstrate how you can parse configuration and construct a static key provider from it.
Output: 225872367198760137e0a18580433447bbf578fbe2b87ff36aef3c175fe5709c
Index
- Constants
- type Config
- func (c *Config) Build() (keyprovider.KeyProvider, keyprovider.KeyMeta, error)
- func (c *Config) WithHashFunction(hashFunction HashFunctionName) *Config
- func (c *Config) WithIterations(iterations int) *Config
- func (c *Config) WithKeyLength(length int) *Config
- func (c *Config) WithPassphrase(passphrase string) *Config
- func (c *Config) WithSaltLength(length int) *Config
- type Descriptor
- type HashFunction
- type HashFunctionName
- type Metadata
Examples
Constants
```go
const (
	MinimumIterations       int = 200000
	MinimumPassphraseLength int = 16
)
```
```go
const (
	// DefaultSaltLength specifies the default salt length in bytes.
	DefaultSaltLength int = 32
	// DefaultIterations contains the default iterations to use. The number is set to the current recommendations
	// outlined here:
	// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
	DefaultIterations int = 600000
	// DefaultKeyLength is the default output length. We set it to the key length required by AES-GCM 256
	DefaultKeyLength int = 32
)
```
Variables
This section is empty.
Functions
This section is empty.
Types
type Config
```go
type Config struct {
	Passphrase   string           `hcl:"passphrase"`
	KeyLength    int              `hcl:"key_length,optional"`
	Iterations   int              `hcl:"iterations,optional"`
	HashFunction HashFunctionName `hcl:"hash_function,optional"`
	SaltLength   int              `hcl:"salt_length,optional"`
	// contains filtered or unexported fields
}
```
func (*Config) Build
func (c *Config) Build() (keyprovider.KeyProvider, keyprovider.KeyMeta, error)
func (*Config) WithHashFunction
func (c *Config) WithHashFunction(hashFunction HashFunctionName) *Config
WithHashFunction sets the hash function and returns the same config for chaining.
func (*Config) WithIterations
func (c *Config) WithIterations(iterations int) *Config
WithIterations sets the iterations and returns the same config for chaining.
func (*Config) WithKeyLength
func (c *Config) WithKeyLength(length int) *Config
WithKeyLength sets the key length and returns the same config for chaining.
func (*Config) WithPassphrase
func (c *Config) WithPassphrase(passphrase string) *Config
WithPassphrase adds the passphrase and returns the same config for chaining.
func (*Config) WithSaltLength
func (c *Config) WithSaltLength(length int) *Config
WithSaltLength sets the salt length and returns the same config for chaining.
type Descriptor
```go
type Descriptor interface {
	keyprovider.Descriptor
	TypedConfig() *Config
}
```
Descriptor provides TypedConfig on top of keyprovider.Descriptor.
type HashFunctionName
type HashFunctionName string
HashFunctionName describes a hash function to use for PBKDF2 hash generation. While you could theoretically supply your own from outside the package, please don't do that. Include your hash function in this package. (Thanks Go for the lack of visibility constraints.)
```go
const (
	SHA256HashFunctionName  HashFunctionName = "sha256"
	SHA512HashFunctionName  HashFunctionName = "sha512"
	DefaultHashFunctionName HashFunctionName = SHA512HashFunctionName
)
```
func (HashFunctionName) Function
func (h HashFunctionName) Function() HashFunction
Function returns the underlying hash function for the name.
func (HashFunctionName) Validate
func (h HashFunctionName) Validate() error
Validate checks if the specified hash function name is valid.