stdtemporalcodec-genkeyset

command
v0.0.237 Latest

Warning: This package is not in the latest version of its module.
Published: May 19, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Overview

Command stdtemporalcodec-genkeyset generates a fresh AES-256-GCM Tink keyset and prints it to stdout as a base64-encoded JSON keyset, suitable for use as the value of the STDTEMPORALCODEC_KEYSET and STDTEMPORALCODECSERVER_KEYSET environment variables consumed by stdtemporalcodecfx.

Backends:

  • Without --kek-uri the output is a cleartext keyset. Sensitive: it contains the raw symmetric key material. Store it in your secrets manager; never check it into source control.
  • With --kek-uri aws-kms://<arn> the keyset is wrapped by the named AWS KMS KEK before being emitted. The wrapped blob is safe to ship via env/secret manager because it can only be unwrapped by callers with kms:Decrypt on the KEK.

Usage:

# cleartext keyset (local dev)
go run github.com/advdv/stdgo/fx/stdtemporalcodecfx/cmd/stdtemporalcodec-genkeyset

# KMS-wrapped keyset (production)
go run github.com/advdv/stdgo/fx/stdtemporalcodecfx/cmd/stdtemporalcodec-genkeyset \
    --kek-uri aws-kms://arn:aws:kms:us-east-1:111122223333:key/abcd-...
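A deploy-time guard for the two backends above, added here as an example (not code from stdtemporalcodecfx or this command): it rejects a keyset value that still holds raw key material. It assumes the output is standard padded base64 and that the wrapped form uses Tink's encrypted-keyset JSON layout (an `encryptedKeyset` field instead of a `key` list); `RequireWrapped`, `ErrCleartext`, `b64` and the sample constants are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed samples in Tink's JSON keyset layout; values are placeholders, not real keys.
const (
	sampleCleartext = `{"primaryKeyId":1,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"AAAA","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":1,"outputPrefixType":"TINK"}]}`
	sampleWrapped   = `{"encryptedKeyset":"AAAA","keysetInfo":{"primaryKeyId":1,"keyInfo":[{"typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","status":"ENABLED","keyId":1,"outputPrefixType":"TINK"}]}}`
)

// ErrCleartext marks a value that carries raw symmetric key material.
var ErrCleartext = errors.New("cleartext keyset: raw key material present")

// b64 encodes a sample the way this example assumes the tool does (standard, padded).
func b64(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }

// RequireWrapped returns nil only for a KMS-wrapped keyset value.
func RequireWrapped(value string) error {
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return fmt.Errorf("not base64: %w", err)
	}
	var ks struct { // only the fields that tell the two forms apart
		EncryptedKeyset string            `json:"encryptedKeyset"` // wrapped form
		Key             []json.RawMessage `json:"key"`             // cleartext form
	}
	if err := json.Unmarshal(raw, &ks); err != nil {
		return fmt.Errorf("not a JSON keyset: %w", err)
	}
	switch {
	case ks.EncryptedKeyset != "" && len(ks.Key) == 0:
		return nil
	case ks.EncryptedKeyset == "" && len(ks.Key) > 0:
		return ErrCleartext
	}
	return errors.New("unrecognized keyset shape")
}

func main() {
	fmt.Println("cleartext:", RequireWrapped(b64(sampleCleartext))) // rejected
	fmt.Println("wrapped:  ", RequireWrapped(b64(sampleWrapped)))   // accepted
}
```

In a production pipeline the same function would be called on the value destined for STDTEMPORALCODEC_KEYSET or STDTEMPORALCODECSERVER_KEYSET, failing the deploy on any non-nil error.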
