
package kms

import ""

Package kms implements a Keycrypt using AWS's KMS service and S3. Secrets are stored using the AWS-provided s3crypto package, which uses a KMS data key to perform client-side encryption and decryption of keys.

For each key stored, s3crypto requests a data encryption key that is derived from a master key held securely in KMS's HSMs. KMS returns both an encrypted and a plaintext version of the data encryption key. The plaintext key is used to encrypt the keybundle and is then thrown away; the encrypted version of the key is stored together with the bundle.

Access to Amazon's KMS is controlled by IAM security policies.

When a bundle is retrieved, s3crypto asks KMS to decrypt the data key stored with the bundle, and the resulting plaintext key is used to decrypt the bundle contents.
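The envelope flow described above, as an added example that is not the package's own code: a local master key stands in for KMS (which in reality never releases its master key), AES-256-GCM from the Go standard library stands in for s3crypto, and the names Store, Retrieve, seal, open and Bundle are assumed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm returns AES-256-GCM for a 32-byte key; a wrong key length is a programming error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return a
}
// seal encrypts pt under key with a fresh 12-byte nonce prepended to the ciphertext.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+ aborts instead)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
// open reverses seal; the GCM tag check rejects a tampered ciphertext or a wrong key.
func open(key, data []byte) ([]byte, error) {
	if len(data) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, data[:12], data[12:], nil)
}
// Bundle is what lands in S3: the ciphertext plus the KMS-wrapped data key.
type Bundle struct{ WrappedKey, Ciphertext []byte }
// Store is the write path; master stands in for the KMS master key and only ever wraps the data key.
func Store(master, secret []byte) Bundle {
	plain := make([]byte, 32) // the plaintext data key GenerateDataKey returns...
	rand.Read(plain)
	wrapped := seal(master, plain) // ...alongside this encrypted copy of it
	ct := seal(plain, secret)
	clear(plain) // the plaintext data key is thrown away once the bundle is sealed
	return Bundle{WrappedKey: wrapped, Ciphertext: ct}
}
// Retrieve is the read path: unwrap the stored key (the KMS Decrypt call), then decrypt the bundle.
func Retrieve(master []byte, b Bundle) ([]byte, error) {
	plain, err := open(master, b.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(plain, b.Ciphertext)
}
```

Note that only the wrapped key and ciphertext are persisted, so a copy of the stored bundle is useless without the ability to call Decrypt on the master key, which is exactly what the IAM policy on the KMS key controls.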


var CredentialsChainVerboseErrors = false

CredentialsChainVerboseErrors is used to set aws.Config.CredentialsChainVerboseErrors when creating a kms session.

var DefaultRegion = "us-west-2"

DefaultRegion is used to set the AWS region for looking up KMS keys.

type Crypt

type Crypt struct {
    // contains filtered or unexported fields
}

Crypt implements a Keycrypt using Amazon's KMS and S3 services.

func New

func New(sess *session.Session, id string) *Crypt

Create a new Keycrypt instance which uses Amazon's KMS to store key material securely.

func (*Crypt) Lookup

func (c *Crypt) Lookup(name string) keycrypt.Secret

Package kms imports 11 packages. Updated 2018-08-08. This is an inactive package (no imports and no commits in at least two years).