api

package
v0.0.12 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 6, 2026 License: MIT Imports: 1 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type EncryptedData 

type EncryptedData struct {
	Ciphertext         []byte            // Encrypted data
	WrappedDEK         []byte            // DEK encrypted by KEK
	KeyID              string            // Key identifier for KEK
	Algorithm          string            // Encryption algorithm used
	AdditionalMetadata map[string]string // Additional metadata (nonce, version, etc.)
}

EncryptedData holds the result of encryption

type EncryptionLevel 

type EncryptionLevel int

EncryptionLevel defines the encryption level for messages 

const (
	// EncryptionLevelNone - No encryption (plaintext storage)
	EncryptionLevelNone EncryptionLevel = 0
	// EncryptionLevelSSE - Server-Side Encryption (server encrypts before storage)
	EncryptionLevelSSE EncryptionLevel = 1
	// EncryptionLevelE2EEscrow - E2E with key escrow (recoverable by server)
	EncryptionLevelE2EEscrow EncryptionLevel = 2
	// EncryptionLevelE2EClient - True E2E encryption (client-only keys)
	EncryptionLevelE2EClient EncryptionLevel = 3
)

type EncryptionMetadata 

type EncryptionMetadata struct {
	Algorithm  string `json:"algorithm"`
	KeyVersion int    `json:"key_version"`
	Nonce      string `json:"nonce"` // Base64 encoded nonce
	AAD        string `json:"aad"`   // Base64 encoded additional authenticated data
}

EncryptionMetadata holds metadata about an encrypted message

type EncryptionService 

type EncryptionService interface {
	// EncryptMessage encrypts a message using envelope encryption
	// associatedData is used for authenticated encryption (AAD)
	EncryptMessage(ctx context.Context, plaintext []byte, associatedData string) (*EncryptedData, error)

	// DecryptMessage decrypts an encrypted message
	// associatedData must match what was used during encryption
	DecryptMessage(ctx context.Context, data *EncryptedData, associatedData string) ([]byte, error)

	// GetKeyID returns the current key identifier from the underlying KMS
	GetKeyID() string

	// Close releases any resources
	Close() error
}

EncryptionService defines the interface for encryption operations

type KMSProvider 

type KMSProvider interface {
	// GenerateDEK generates a new Data Encryption Key
	// Returns plaintext DEK and wrapped (encrypted) DEK
	GenerateDEK(ctx context.Context) (plaintext []byte, wrapped []byte, err error)

	// WrapDEK wraps (encrypts) a DEK using the KEK
	WrapDEK(ctx context.Context, plaintext []byte) (wrapped []byte, err error)

	// UnwrapDEK unwraps (decrypts) a wrapped DEK using the KEK
	UnwrapDEK(ctx context.Context, wrapped []byte) (plaintext []byte, err error)

	// GetKeyID returns the current key identifier
	GetKeyID() string

	// RotateKey triggers a key rotation (creates new version)
	RotateKey(ctx context.Context) error

	// Close releases any resources held by the provider
	Close() error
}

KMSProvider defines the interface for Key Management System providers Implementations include local (dev), HashiCorp Vault, AWS KMS

type KMSProviderType 

type KMSProviderType string

KMSProviderType identifies the KMS provider type 

const (
	KMSProviderLocal KMSProviderType = "local"
	KMSProviderVault KMSProviderType = "vault"
	KMSProviderAWS   KMSProviderType = "aws"
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.