Versions in this module v0 v0.29.0 May 27, 2026 Changes in this version + var ErrActiveMasterKeyIDNotSet = apperrors.Wrap(apperrors.ErrInvalidInput, "ACTIVE_MASTER_KEY_ID not set") + var ErrActiveMasterKeyNotFound = apperrors.Wrap(apperrors.ErrInvalidInput, "active master key not found") + var ErrDecryptionFailed = apperrors.Wrap(apperrors.ErrInvalidInput, "decryption failed") + var ErrDekNotFound = apperrors.Wrap(apperrors.ErrNotFound, "dek not found") + var ErrInvalidKeySize = apperrors.Wrap(apperrors.ErrInvalidInput, "invalid key size") + var ErrInvalidMasterKeyBase64 = apperrors.Wrap(apperrors.ErrInvalidInput, "invalid master key base64") + var ErrInvalidMasterKeysFormat = apperrors.Wrap(apperrors.ErrInvalidInput, "invalid MASTER_KEYS format") + var ErrKMSDecryptionFailed = apperrors.Wrap(apperrors.ErrInvalidInput, "KMS decryption failed") + var ErrKMSKeyURINotSet = apperrors.Wrap(apperrors.ErrInvalidInput, "KMS_KEY_URI is required but not configured") + var ErrKMSOpenKeeperFailed = apperrors.Wrap(apperrors.ErrInvalidInput, "failed to open KMS keeper") + var ErrKMSProviderNotSet = apperrors.Wrap(apperrors.ErrInvalidInput, ...) 
+ var ErrKekNotFound = apperrors.Wrap(apperrors.ErrNotFound, "kek not found") + var ErrMasterKeyNotFound = apperrors.Wrap(apperrors.ErrNotFound, "master key not found") + var ErrMasterKeysNotSet = apperrors.Wrap(apperrors.ErrInvalidInput, "MASTER_KEYS not set") + var ErrSignatureInvalid = errors.New("keyring: signature invalid") + var ErrUnsupportedAlgorithm = apperrors.Wrap(apperrors.ErrInvalidInput, "unsupported algorithm") + func Zero(b []byte) + type Algorithm string + const AESGCM + const ChaCha20 + type DekHandle struct + DekID uuid.UUID + type Envelope struct + Ciphertext []byte + DekID uuid.UUID + Nonce []byte + type Fake struct + FailAllocate error + FailDecrypt error + FailEncrypt error + FailRewrap error + FailSign error + func NewFake() *Fake + func (f *Fake) ActiveKekID() uuid.UUID + func (f *Fake) AllocateDek(_ context.Context, _ Algorithm) (DekHandle, error) + func (f *Fake) Decrypt(_ context.Context, env Envelope) ([]byte, error) + func (f *Fake) DecryptWith(_ context.Context, handle DekHandle, ciphertext, _ []byte, aad []byte) ([]byte, error) + func (f *Fake) Encrypt(_ context.Context, plaintext []byte) (Envelope, error) + func (f *Fake) EncryptWith(_ context.Context, handle DekHandle, plaintext, aad []byte) (ciphertext, nonce []byte, err error) + func (f *Fake) Rewrap(_ context.Context, dekID uuid.UUID) error + func (f *Fake) RewrapAll(_ context.Context, _ int) (int, error) + func (f *Fake) SignWithKey(data []byte) ([]byte, uuid.UUID, error) + func (f *Fake) VerifyWithKey(_ uuid.UUID, data, sig []byte) error + type KMSKeeper interface + Close func() error + Decrypt func(ctx context.Context, ciphertext []byte) ([]byte, error) + type KMSService interface + OpenKeeper func(ctx context.Context, keyURI string) (KMSKeeper, error) + func NewKMSService() KMSService + type KekUseCase interface + Create func(ctx context.Context, masterKeyChain *MasterKeyChain, alg Algorithm) error + Rotate func(ctx context.Context, masterKeyChain *MasterKeyChain, alg 
Algorithm) error + func NewKekUseCase(txManager database.TxManager, db *sql.DB) KekUseCase + type KeySigner interface + SignWithKey func(data []byte) (sig []byte, kekID uuid.UUID, err error) + VerifyWithKey func(kekID uuid.UUID, data, sig []byte) error + type Keyring interface + ActiveKekID func() uuid.UUID + AllocateDek func(ctx context.Context, alg Algorithm) (DekHandle, error) + Decrypt func(ctx context.Context, env Envelope) ([]byte, error) + DecryptWith func(ctx context.Context, handle DekHandle, ciphertext, nonce, aad []byte) ([]byte, error) + Encrypt func(ctx context.Context, plaintext []byte) (Envelope, error) + EncryptWith func(ctx context.Context, handle DekHandle, plaintext, aad []byte) (ciphertext, nonce []byte, err error) + Rewrap func(ctx context.Context, dekID uuid.UUID) error + RewrapAll func(ctx context.Context, batchSize int) (int, error) + func Bootstrap(ctx context.Context, masterKeyChain *MasterKeyChain, db *sql.DB, alg Algorithm) (Keyring, error) + type MasterKey struct + ID string + Key []byte + type MasterKeyChain struct + func LoadMasterKeyChain(ctx context.Context, cfg *config.Config, kmsService KMSService, ...) (*MasterKeyChain, error) + func NewMasterKeyChain(activeID string) *MasterKeyChain + func (m *MasterKeyChain) ActiveMasterKeyID() string + func (m *MasterKeyChain) Close() + func (m *MasterKeyChain) Get(id string) (*MasterKey, bool) + type NullSigner struct + func (NullSigner) SignWithKey(_ []byte) ([]byte, uuid.UUID, error) + func (NullSigner) VerifyWithKey(_ uuid.UUID, _, _ []byte) error