Documentation

Constants, Variables, Functions: these sections are empty.

Types
type Addr
type Addr string
Addr is a type-alias for key provider address strings that identify a specific key provider configuration. The Addr is an opaque value. Do not perform string manipulation on it outside the functions supplied by the keyprovider package.
func NewAddr
NewAddr creates a new Addr type from the provider and name supplied. The Addr is a type-alias for key provider address strings that identify a specific key provider configuration. You should treat the value as opaque and not perform string manipulation on it outside the functions supplied by the keyprovider package.
type Config

type Config interface {
	// Build provides a key provider and an empty JSON-tagged struct to read the decryption metadata into. If the
	// configuration is invalid, it returns an error.
	//
	// If a key provider does not need metadata, it may return nil.
	Build() (KeyProvider, KeyMeta, error)
}

Config is implemented by a struct annotated with HCL (and preferably JSON) tags that OpenTofu reads the user-provided configuration into. The Build function assembles the configuration into a usable key provider.
type Descriptor

type Descriptor interface {
	// ID returns the unique identifier used when parsing HCL or JSON configs.
	ID() ID
	// ConfigStruct creates a new configuration struct pointer annotated with hcl tags. The Build() receiver on
	// this struct must be able to build a KeyProvider from the configuration:
	//
	// Common errors:
	//   - Returning a struct without a pointer
	//   - Returning a non-struct
	ConfigStruct() Config
}

Descriptor is a high-level description of a key provider.
type ErrInvalidConfiguration

ErrInvalidConfiguration indicates that the key provider configuration is incorrect.

func (ErrInvalidConfiguration) Error
func (e ErrInvalidConfiguration) Error() string

func (ErrInvalidConfiguration) Unwrap
func (e ErrInvalidConfiguration) Unwrap() error

type ErrInvalidMetadata

ErrInvalidMetadata indicates that the key provider has received incorrect metadata and cannot decrypt.

func (ErrInvalidMetadata) Error
func (e ErrInvalidMetadata) Error() string

func (ErrInvalidMetadata) Unwrap
func (e ErrInvalidMetadata) Unwrap() error

type ErrKeyProviderFailure

ErrKeyProviderFailure indicates a generic key provider failure.

func (ErrKeyProviderFailure) Error
func (e ErrKeyProviderFailure) Error() string

func (ErrKeyProviderFailure) Unwrap
func (e ErrKeyProviderFailure) Unwrap() error
type ID
type ID string
ID is a type alias to make passing the wrong ID into a key provider harder.
type KeyMeta
type KeyMeta any
KeyMeta is a type alias for a struct annotated with JSON tags that is stored alongside the encrypted data. Its purpose is to hold the parameters which are required to later provide a decryption key.
Key providers can use this to store, for example, a randomly generated salt value which is required to later provide the same decryption key.
type KeyProvider

type KeyProvider interface {
	// Provide provides an encryption key and a decryption key. If the process fails, it returns an error.
	//
	// The caller must pass in the same struct obtained from the Build function of the Config, with the decryption
	// metadata read in. If no decryption metadata is present, the caller must pass in the struct unmodified.
	Provide(decryptionMeta KeyMeta) (keysOutput Output, encryptionMeta KeyMeta, err error)
}

KeyProvider is the usable key provider. The Provide function is responsible for creating both the decryption and the encryption key, as well as returning the metadata to be stored.
type MetaStorageKey
type MetaStorageKey string
MetaStorageKey is the key under which the metadata for a specific key provider is stored.
type Output

type Output struct {
	EncryptionKey []byte `hcl:"encryption_key" cty:"encryption_key" json:"encryption_key" yaml:"encryption_key"`
	DecryptionKey []byte `hcl:"decryption_key" cty:"decryption_key" json:"decryption_key" yaml:"decryption_key"`
}

Output is the standardized structure a key provider must return when providing a key. It contains two keys because some key providers may prefer to include random data (e.g. a salt) in the generated keys, and this salt will differ between the decryption key and the encryption key.
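A minimal provider that follows the Config, KeyProvider, KeyMeta and Output contract described above, written here as an added example rather than OpenTofu's own code. The names passphraseConfig, passphraseProvider and saltMeta are hypothetical; the page's types are redeclared locally and a plain SHA-256 hash stands in for a real KDF (the pbkdf2 sub-package does this properly) so the file runs stand-alone.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Local copies of the keyprovider types shown above so this file runs stand-alone.
type KeyMeta any
type Output struct{ EncryptionKey, DecryptionKey []byte }
type KeyProvider interface {
	Provide(decryptionMeta KeyMeta) (Output, KeyMeta, error)
}
type passphraseProvider struct{ passphrase string }

// saltMeta is the hypothetical JSON-tagged metadata stored beside the encrypted data.
type saltMeta struct {
	Salt []byte `json:"salt"`
}

// passphraseConfig is a hypothetical Config implementation read from HCL/JSON.
type passphraseConfig struct {
	Passphrase string `hcl:"passphrase" json:"passphrase"`
}

// Build validates the configuration and returns the provider plus an empty meta struct.
func (c *passphraseConfig) Build() (KeyProvider, KeyMeta, error) {
	if len(c.Passphrase) < 16 {
		return nil, nil, fmt.Errorf("passphrase must be at least 16 characters")
	}
	return &passphraseProvider{passphrase: c.Passphrase}, &saltMeta{}, nil
}

// derive stands in for a real KDF; the salt binds each key to one stored state.
func derive(passphrase string, salt []byte) []byte {
	sum := sha256.Sum256(append([]byte(passphrase), salt...))
	return sum[:]
}

// Provide derives the decryption key from the stored salt (if any) and a fresh encryption key from a new salt.
func (p *passphraseProvider) Provide(decryptionMeta KeyMeta) (Output, KeyMeta, error) {
	in, ok := decryptionMeta.(*saltMeta)
	if !ok {
		return Output{}, nil, fmt.Errorf("unexpected metadata type %T", decryptionMeta)
	}
	newSalt := make([]byte, 16)
	if _, err := rand.Read(newSalt); err != nil {
		return Output{}, nil, err
	}
	out := Output{EncryptionKey: derive(p.passphrase, newSalt)}
	if len(in.Salt) > 0 { // existing data present: derive the key that decrypts it
		out.DecryptionKey = derive(p.passphrase, in.Salt)
	}
	return out, &saltMeta{Salt: newSalt}, nil
}
```

On a first run the metadata is empty, so only an encryption key is produced; on the next run the stored salt yields the matching decryption key while a new salt is issued for the new encryption key.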
Directories

Path | Synopsis
---|---
pbkdf2 | Package pbkdf2 contains a key provider that takes a passphrase and emits a PBKDF2 hash of the configured length.
static | Package static contains a key provider that emits a static key.
xor | Package xor contains a key provider that combines two other keys.