kms

package
v0.4.1
Warning

This package is not in the latest version of its module.
Published: Dec 13, 2023 License: MIT Imports: 17 Imported by: 3

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AWSKMS

type AWSKMS struct {
	Crypto   appencryption.AEAD
	Clients  []AWSKMSClient
	Registry metrics.Registry
}

AWSKMS implements the KeyManagementService interface and handles encryption/decryption in KMS.

func NewAWS

func NewAWS(crypto appencryption.AEAD, preferredRegion string, arnMap map[string]string) (*AWSKMS, error)

NewAWS returns a new AWSKMS used for encrypting/decrypting keys with a master key.

func (*AWSKMS) DecryptKey

func (m *AWSKMS) DecryptKey(ctx context.Context, keyBytes []byte) ([]byte, error)

DecryptKey decrypts an encrypted byte slice and returns the unencrypted key. The preferred region provided in the config is tried first; if this fails, the remaining regions are tried.

func (*AWSKMS) EncryptKey

func (m *AWSKMS) EncryptKey(ctx context.Context, keyBytes []byte) ([]byte, error)

EncryptKey encrypts a byte slice in all supported regions and returns an envelope ready to store in the metastore.
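The multi-region behaviour described for EncryptKey and DecryptKey can be sketched with the standard library alone. This is an added example, not this package's code or its envelope format: `regionKey`, `newRegionKey`, `encryptKey`, `decryptKey` and the map-based envelope are hypothetical, and local AES-GCM keys stand in for the per-region KMS calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// regionKey stands in for one regional KMS master key (hypothetical, not the package's type).
type regionKey struct {
	Region string
	AEAD   cipher.AEAD
}

func newRegionKey(region string, key []byte) (regionKey, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return regionKey{}, err
	}
	gcm, err := cipher.NewGCM(block)
	return regionKey{region, gcm}, err
}

// encryptKey wraps dataKey once per region; the returned map is the envelope to store.
func encryptKey(keys []regionKey, dataKey []byte) (map[string][]byte, error) {
	env := make(map[string][]byte, len(keys))
	for _, k := range keys {
		nonce := make([]byte, k.AEAD.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		env[k.Region] = k.AEAD.Seal(nonce, nonce, dataKey, nil)
	}
	return env, nil
}

// decryptKey tries keys in order (preferred region first) and reports which region succeeded.
func decryptKey(keys []regionKey, env map[string][]byte) ([]byte, string, error) {
	for _, k := range keys {
		n, ct := k.AEAD.NonceSize(), env[k.Region]
		if len(ct) < n {
			continue // region missing from the envelope, or blob truncated
		}
		if pt, err := k.AEAD.Open(nil, ct[:n], ct[n:], nil); err == nil {
			return pt, k.Region, nil
		}
	}
	return nil, "", errors.New("no region could decrypt the envelope")
}
```

Returning the region that succeeded lets a caller log or count fallbacks, which is the signal that the preferred region's key is unavailable or that its envelope entry no longer authenticates.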

type AWSKMSClient

type AWSKMSClient struct {
	KMS    KMS
	Region string
	ARN    string
}

AWSKMSClient contains a KMS client and region information used for encrypting a key in KMS.

type KMS

type KMS interface {
	EncryptWithContext(aws.Context, *kms.EncryptInput, ...request.Option) (*kms.EncryptOutput, error)
	GenerateDataKeyWithContext(aws.Context, *kms.GenerateDataKeyInput, ...request.Option) (*kms.GenerateDataKeyOutput, error)
	DecryptWithContext(ctx aws.Context, input *kms.DecryptInput, opts ...request.Option) (*kms.DecryptOutput, error)
}

KMS is implemented by the client in the kms package from the AWS SDK. Only the subset of its methods listed in this interface is used.

type StaticKMS

type StaticKMS struct {
	Crypto appencryption.AEAD
	// contains filtered or unexported fields
}

StaticKMS is an in-memory static implementation of a KeyManagementService. NOTE: It should not be used in production and is for testing only!

func NewStatic

func NewStatic(key string, crypto appencryption.AEAD) (*StaticKMS, error)

NewStatic constructs a new StaticKMS. The provided key MUST be 32 bytes in length.

func (*StaticKMS) Close added in v0.1.5

func (s *StaticKMS) Close()

Close frees the memory locked by the static key. It should be called as soon as it's no longer in use.

func (*StaticKMS) DecryptKey

func (s *StaticKMS) DecryptKey(ctx context.Context, encKey []byte) ([]byte, error)

DecryptKey decrypts the encrypted byte slice using the master key.

func (*StaticKMS) EncryptKey

func (s *StaticKMS) EncryptKey(_ context.Context, bytes []byte) ([]byte, error)

EncryptKey takes in an unencrypted byte slice and encrypts it with the master key. The returned value should then be inserted into the Metastore before being used.
