Documentation
Overview
Package kmsv2 transforms values for storage at rest using an Envelope v2 provider.
Index
- Constants
- Variables
- func GenerateTransformer(ctx context.Context, uid string, envelopeService kmsservice.Service) (value.Transformer, *kmsservice.EncryptResponse, []byte, error)
- func NewEnvelopeTransformer(envelopeService kmsservice.Service, providerName string, stateFunc StateFunc) value.Transformer
- func NewGRPCService(ctx context.Context, endpoint, providerName string, callTimeout time.Duration) (kmsservice.Service, error)
- type ErrCodeKeyID
- type State
- type StateFunc
Constants

const (
	// KMSAPIVersion is the version of the KMS API.
	KMSAPIVersion = "v2beta1"
	// KeyIDMaxSize is the maximum size of the keyID.
	KeyIDMaxSize = 1 * 1024 // 1 kB
)
Variables
var NowFunc = time.Now
NowFunc is exported so tests can override it.
Functions

func GenerateTransformer (added in v0.27.0)
func GenerateTransformer(ctx context.Context, uid string, envelopeService kmsservice.Service) (value.Transformer, *kmsservice.EncryptResponse, []byte, error)
func NewEnvelopeTransformer
func NewEnvelopeTransformer(envelopeService kmsservice.Service, providerName string, stateFunc StateFunc) value.Transformer
NewEnvelopeTransformer returns a transformer which implements a KEK-DEK based envelope encryption scheme. It uses envelopeService to encrypt and decrypt DEKs. Respective DEKs (in encrypted form) are prepended to the data items they encrypt.
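The KEK-DEK scheme described above, as an added example that is not code from the kmsv2 package: a local AES-256-GCM key (mockKEK) stands in for the remote KMS service, which is an assumption, since the real provider wraps and unwraps DEKs over gRPC and the KEK never leaves the KMS. A fresh DEK encrypts each item, the wrapped DEK is prepended to the item ciphertext, and decryption unwraps the DEK first.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

var mockKEK = []byte("constructed-kek-0123456789abcdef") // constructed; stands in for the remote KMS (assumption)
const wrappedDEKLen = 12 + 32 + 16                        // GCM nonce + DEK + tag: fixed size, so no length prefix
// must panics where failure can only be a programming error (bad key size, broken RNG).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal returns nonce||ciphertext||tag under AES-256-GCM with a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; any modified byte fails the GCM tag check.
func open(key, data []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}
// EnvelopeEncrypt: a fresh DEK encrypts the item, the KEK wraps the DEK (in place of
// kmsservice.Service.Encrypt), and the wrapped DEK is prepended to the item ciphertext.
func EnvelopeEncrypt(item []byte) []byte {
	dek := make([]byte, 32)
	must(io.ReadFull(rand.Reader, dek))
	return append(seal(mockKEK, dek), seal(dek, item)...)
}
// EnvelopeDecrypt splits off the wrapped DEK, unwraps it via the KEK, then decrypts the item.
func EnvelopeDecrypt(data []byte) ([]byte, error) {
	if len(data) < wrappedDEKLen {
		return nil, errors.New("envelope too short")
	}
	dek, err := open(mockKEK, data[:wrappedDEKLen]) // in place of kmsservice.Service.Decrypt
	if err != nil {
		return nil, err
	}
	return open(dek, data[wrappedDEKLen:])
}
```

Because every item gets its own DEK, two encryptions of the same value never share ciphertext, and a bit flip in either the wrapped DEK or the item ciphertext is rejected by the GCM tag rather than silently decrypting to garbage.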
func NewGRPCService
func NewGRPCService(ctx context.Context, endpoint, providerName string, callTimeout time.Duration) (kmsservice.Service, error)
NewGRPCService returns an envelope.Service which uses gRPC to communicate with the remote KMS provider.
Types

type ErrCodeKeyID (added in v0.27.0)
type ErrCodeKeyID string
func ValidateKeyID (added in v0.27.0)
func ValidateKeyID(keyID string) (ErrCodeKeyID, error)
ValidateKeyID tests the following:
1. The keyID is not empty.
2. The size of keyID is less than 1 kB.
type State (added in v0.27.0)

type State struct {
	Transformer  value.Transformer
	EncryptedDEK []byte
	KeyID        string
	Annotations  map[string][]byte

	UID string

	ExpirationTimestamp time.Time

	// CacheKey is the key used to cache the DEK in transformer.cache.
	CacheKey []byte
}
func (*State) ValidateEncryptCapability (added in v0.27.0)