apiserver: k8s.io/apiserver/pkg/storage/value/encrypt/envelope

package envelope

import "k8s.io/apiserver/pkg/storage/value/encrypt/envelope"

Package envelope transforms values for storage at rest using an Envelope provider.

Package Files

envelope.go grpc_service.go

func NewEnvelopeTransformer

func NewEnvelopeTransformer(envelopeService Service, cacheSize int, baseTransformerFunc func(cipher.Block) value.Transformer) (value.Transformer, error)

NewEnvelopeTransformer returns a transformer that implements a KEK-DEK based envelope encryption scheme. It uses envelopeService to encrypt and decrypt DEKs. Each DEK, in encrypted form, is prepended to the data item it encrypts. A cache of size cacheSize keeps the most recently used decrypted DEKs in memory.
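The KEK-DEK layout this description refers to, as an added example that is not the package's own code. Assumptions: a local AES-256-GCM key stands in for envelopeService, a 2-byte big-endian length prefix frames the prepended DEK, and the DEK cache is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// gcm builds AES-256-GCM; with a fixed 32-byte key neither constructor can fail.
func gcm(key *[32]byte) cipher.AEAD {
	b, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(b)
	return g
}
// seal returns nonce || ciphertext || tag; open reverses it and rejects tampering.
func seal(key *[32]byte, nonce, plain []byte) []byte {
	return gcm(key).Seal(append([]byte(nil), nonce...), nonce, plain, nil)
}
func open(key *[32]byte, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// Encrypt emits uint16 length || wrapped DEK || data sealed under the DEK (example framing).
func Encrypt(kek *[32]byte, plain []byte) []byte {
	r := make([]byte, 56) // fresh DEK (32 bytes) plus two 12-byte GCM nonces
	if _, err := rand.Read(r); err != nil {
		panic(err) // a failing system RNG is unrecoverable
	}
	wrapped := seal(kek, r[32:44], r[:32]) // stand-in for envelopeService.Encrypt
	out := binary.BigEndian.AppendUint16(nil, uint16(len(wrapped)))
	return append(append(out, wrapped...), seal((*[32]byte)(r[:32]), r[44:], plain)...)
}
// Decrypt reads the length prefix, unwraps the DEK, then opens the data with it.
func Decrypt(kek *[32]byte, blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob)) {
		return nil, fmt.Errorf("truncated envelope")
	}
	n := 2 + int(binary.BigEndian.Uint16(blob))
	dek, err := open(kek, blob[2:n]) // stand-in for envelopeService.Decrypt
	if err != nil || len(dek) != 32 {
		return nil, fmt.Errorf("DEK unwrap failed (err=%v, len=%d)", err, len(dek))
	}
	return open((*[32]byte)(dek), blob[n:])
}
func main() { fmt.Printf("%x\n", Encrypt(new([32]byte), []byte("constructed value"))) } // all-zero demo KEK
```

The printed hex starts with 003c, the 60-byte length of the wrapped DEK in this example (12-byte nonce, 32-byte DEK, 16-byte tag).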

type Service

type Service interface {
    // Decrypt a given bytearray to obtain the original data as bytes.
    Decrypt(data []byte) ([]byte, error)
    // Encrypt bytes to a ciphertext.
    Encrypt(data []byte) ([]byte, error)
}

Service allows encrypting and decrypting data using an external Key Management Service.

func NewGRPCService

func NewGRPCService(endpoint string, callTimeout time.Duration) (Service, error)

NewGRPCService returns an envelope.Service which uses gRPC to communicate with the remote KMS provider.

Directories

Path     Synopsis
testing
v1beta1  Package v1beta1 contains definition of kms-plugin's gRPC service.

Package envelope imports 17 packages and is imported by 1 package. Updated 2019-12-08.