vault: github.com/hashicorp/vault/vault/seal/gcpckms

package gcpckms

import "github.com/hashicorp/vault/vault/seal/gcpckms"

Package Files

gcpckms.go

Constants

const (
    // General GCP values, follows TF naming conventions
    EnvGCPCKMSSealCredsPath = "GOOGLE_CREDENTIALS"
    EnvGCPCKMSSealProject   = "GOOGLE_PROJECT"
    EnvGCPCKMSSealLocation  = "GOOGLE_REGION"

    // CKMS-specific values
    EnvGCPCKMSSealKeyRing   = "VAULT_GCPCKMS_SEAL_KEY_RING"
    EnvGCPCKMSSealCryptoKey = "VAULT_GCPCKMS_SEAL_CRYPTO_KEY"
)

const (
    // GCPKMSEncrypt is used to directly encrypt the data with KMS
    GCPKMSEncrypt = iota
    // GCPKMSEnvelopeAESGCMEncrypt is when a data encryption key is generated and
    // the data is encrypted with AESGCM and the key is encrypted with KMS
    GCPKMSEnvelopeAESGCMEncrypt
)

type GCPCKMSSeal

type GCPCKMSSeal struct {
    // contains filtered or unexported fields
}

func NewSeal

func NewSeal(logger log.Logger) *GCPCKMSSeal

func (*GCPCKMSSeal) Decrypt

func (s *GCPCKMSSeal) Decrypt(ctx context.Context, in *physical.EncryptedBlobInfo) (pt []byte, err error)

Decrypt is used to decrypt the ciphertext.

func (*GCPCKMSSeal) Encrypt

func (s *GCPCKMSSeal) Encrypt(ctx context.Context, plaintext []byte) (blob *physical.EncryptedBlobInfo, err error)

Encrypt is used to encrypt the master key using the GCP CKMS crypto key. This returns the ciphertext, and/or any errors from this call. This should be called after s.client has been instantiated.

func (*GCPCKMSSeal) Finalize

func (s *GCPCKMSSeal) Finalize(_ context.Context) error

Finalize is called during shutdown. This is a no-op since GCPCKMSSeal doesn't require any cleanup.

func (*GCPCKMSSeal) Init

func (s *GCPCKMSSeal) Init(_ context.Context) error

Init is called during core.Initialize. No-op at the moment.

func (*GCPCKMSSeal) KeyID

func (s *GCPCKMSSeal) KeyID() string

KeyID returns the last known key id.

func (*GCPCKMSSeal) SealType

func (s *GCPCKMSSeal) SealType() string

SealType returns the seal type for this particular seal implementation.

func (*GCPCKMSSeal) SetConfig

func (s *GCPCKMSSeal) SetConfig(config map[string]string) (map[string]string, error)

SetConfig sets the fields on the GCPCKMSSeal object based on values from the config parameter. Environment variables take precedence over values provided in the Vault configuration file (i.e. values in the `seal "gcpckms"` stanza).

Order of precedence for GCP credentials file:

* GOOGLE_CREDENTIALS environment variable
* `credentials` value from Vault configuration file
* GOOGLE_APPLICATION_CREDENTIALS (https://developers.google.com/identity/protocols/application-default-credentials)
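The precedence rules above, as an added Go example (not code from the Vault project): it resolves each seal setting and records where the value came from, so an environment variable that silently replaces a different value from the configuration file can be flagged in a review. The config keys other than `credentials`, the names `sealParams`, `Resolved` and `resolveSeal`, and the rule that the four non-credential settings are mandatory are assumptions of this example.

```go
package main

import "fmt"

// Env names are the package constants; config keys other than "credentials"
// are assumed for this example.
var sealParams = []struct{ Key, Env string }{
	{"credentials", "GOOGLE_CREDENTIALS"},
	{"project", "GOOGLE_PROJECT"},
	{"region", "GOOGLE_REGION"},
	{"key_ring", "VAULT_GCPCKMS_SEAL_KEY_RING"},
	{"crypto_key", "VAULT_GCPCKMS_SEAL_CRYPTO_KEY"},
}

// Resolved is the effective value of one setting and where it came from.
type Resolved struct {
	Value, Source string
	Overridden    bool // env var replaced a different config-file value
}

// resolveSeal applies "environment beats config file" to each setting.
// getenv is injected (os.Getenv in real use) so the check runs offline.
func resolveSeal(config map[string]string, getenv func(string) string) (map[string]Resolved, error) {
	out := make(map[string]Resolved, len(sealParams))
	for _, p := range sealParams {
		fileVal, envVal := config[p.Key], getenv(p.Env)
		switch {
		case envVal != "":
			out[p.Key] = Resolved{envVal, "env:" + p.Env, fileVal != "" && fileVal != envVal}
		case fileVal != "":
			out[p.Key] = Resolved{fileVal, "config", false}
		case p.Key == "credentials":
			// Last step in the documented order: Application Default Credentials.
			out[p.Key] = Resolved{"", "GOOGLE_APPLICATION_CREDENTIALS", false}
		default: // assumption: the other four settings are mandatory
			return nil, fmt.Errorf("%q missing: set %s or the config value", p.Key, p.Env)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: the file names one key ring, the environment another.
	cfg := map[string]string{"project": "p", "region": "global", "key_ring": "prod", "crypto_key": "seal"}
	env := map[string]string{"VAULT_GCPCKMS_SEAL_KEY_RING": "scratch"}
	res, err := resolveSeal(cfg, func(k string) string { return env[k] })
	fmt.Println(res["key_ring"], err) // the override is visible in Source and Overridden
}
```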

type GCPKMSMechanism

type GCPKMSMechanism uint32

GCPKMSMechanism is the method used to encrypt/decrypt in the autoseal

Package gcpckms imports 15 packages and is imported by 3 packages. Updated 2019-05-04.