envcrypt

package module
v1.0.2

Warning: this package is not in the latest version of its module.
Published: Dec 21, 2023 License: MIT Imports: 9 Imported by: 0

README

envcrypt

Envelope encryption pipe commands using Cloud KMS

Introduction

This package creates two commands described below:

  • pgencrypt: An envelope encryption pipe which creates a random AES256 encryption key, encrypts that key using Google Cloud KMS, and then encrypts the input message using a GCM cipher with a random 12 byte nonce. The encrypted message is output in JSON format with the Cloud KMS encrypted key and the encrypted input file.

  • pgdecrypt: This command reverses the operation, using Cloud KMS to decrypt the AES256 key, then decrypting the corresponding message.

By default each command reads from STDIN and writes to STDOUT, but the "-i" and "-o" flags can be used to read from and write to files instead.

You must set the environment variable KMS_KEYSPEC to the Cloud KMS keyspec in the form projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}.
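The envelope scheme the two commands implement, as an added Go example that is not envcrypt's own code: the Cloud KMS wrap of the data key is replaced by a constructed in-memory AES-256 key (`Key`) so it runs offline, the nonce is assumed to be prepended to each GCM output (the page does not say where envcrypt stores it), and `Encrypt`, `Decrypt`, `seal`, `open` and `gcm` are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// EncodedMessage carries the same JSON field names as envcrypt's EncodedMessage.
type EncodedMessage struct {
	EncryptedKey []byte `json:"encrypted_key,omitempty"`
	Ciphertext   []byte `json:"ciphertext,omitempty"`
}

// Key is an AES-256 key; fixing the length in the type means NewCipher/NewGCM cannot fail.
type Key [32]byte

func (k Key) gcm() cipher.AEAD { b, _ := aes.NewCipher(k[:]); g, _ := cipher.NewGCM(b); return g }

// seal encrypts under k with a fresh random 12-byte nonce prepended to the output (assumed placement).
func (k Key) seal(plaintext []byte) []byte {
	g := k.gcm()
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open splits off the nonce and decrypts; GCM's tag check rejects any modified or truncated byte.
func (k Key) open(data []byte) ([]byte, error) {
	g := k.gcm()
	if len(data) < g.NonceSize() { return nil, errors.New("ciphertext shorter than nonce") }
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// Encrypt draws a random data key, wraps it under kek (the step Cloud KMS performs in envcrypt;
// a constructed in-memory key stands in here), then seals the message under the data key.
func Encrypt(kek Key, message []byte) ([]byte, error) {
	var dek Key
	rand.Read(dek[:])
	return json.Marshal(EncodedMessage{EncryptedKey: kek.seal(dek[:]), Ciphertext: dek.seal(message)})
}

// Decrypt reverses it: parse the envelope, unwrap the data key, then open the ciphertext with it.
func Decrypt(kek Key, envelope []byte) ([]byte, error) {
	var m EncodedMessage
	if err := json.Unmarshal(envelope, &m); err != nil { return nil, err }
	raw, err := kek.open(m.EncryptedKey)
	if err != nil || len(raw) != len(Key{}) { return nil, errors.New("cannot unwrap data key") }
	return Key(raw).open(m.Ciphertext)
}
```

Flipping any byte of `ciphertext` or `encrypted_key`, or using a different key-encryption key, makes `Decrypt` fail at the GCM tag check rather than return garbage.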

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DecryptMessage

func DecryptMessage(ctx context.Context, keyspec string, encMessage *EncodedMessage, w io.Writer) error

DecryptMessage takes a Cloud KMS keyspec and a pointer to an EncodedMessage, and writes the decrypted message to the Writer w, returning an error if any. keyspec is formatted as projects/{project_id}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}.

Types

type EncodedMessage

type EncodedMessage struct {
	EncryptedKey []byte `json:"encrypted_key,omitempty"`
	Ciphertext   []byte `json:"ciphertext,omitempty"`
}

EncodedMessage is a structure which contains an encrypted key as well as the encrypted ciphertext. It can be serialized to JSON.

func EncryptMessage

func EncryptMessage(ctx context.Context, keyspec string, message io.Reader) (*EncodedMessage, error)

EncryptMessage encrypts the data from the message Reader using a random encryption key, and then encrypts that key using the GCP Cloud KMS key represented by keyspec. keyspec should be in the format projects/{project_id}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}. The function returns an EncodedMessage, or an error if either step fails.

type EnvelopeKey

type EnvelopeKey struct {
	PlainKey     []byte
	EncryptedKey []byte
}

EnvelopeKey contains both an unencrypted and encrypted version of the encryption key for a message.

Directories

Path: cmd (no synopsis)
