Documentation
Index
Constants
This section is empty.
Variables
var ErrKMSDecryptRateLimited = errors.New("rate limit exceeded for KMS Decrypt")
ErrKMSDecryptRateLimited is returned when optional KMS Decrypt rate limiting rejects a cache-miss decrypt before calling AWS KMS.
Functions
func New
func New(ctx context.Context, client *kms.Client, keyID string, opts ...Option) (sqlcrypter.Crypterer, error)
New creates a new AWS KMS crypter given a KMS client and the ID/Alias/ARN of a KMS key. A new data encryption key (DEK) is obtained from KMS which will be stored alongside the ciphertext. 256-bit AES GCM is used to perform the encryption.
By default each KMS request uses a 2 second deadline. This can be overridden using the WithRequestTimeout option. The decrypted-DEK Ristretto cache uses built-in defaults; override them with WithDEKCacheConfig.
Types
type KMSCrypter
type KMSCrypter struct {
// contains filtered or unexported fields
}
KMSCrypter is an implementation of the Crypterer interface using AWS KMS with envelope encryption.
func (*KMSCrypter) Decrypt
Decrypt decrypts ciphertext to plaintext. It first attempts to decrypt using the current DEK if it matches the encrypted key stored alongside the ciphertext. Otherwise, a request is made to KMS to decrypt the encrypted key and then the DEK is used to decrypt the ciphertext.
type Option (added in v0.3.0)
type Option func(*KMSCrypter) error
Option configures a KMSCrypter during New.
func WithDEKCacheConfig (added in v0.3.0)
WithDEKCacheConfig sets the Ristretto configuration for the decrypted-DEK cache. NumCounters, MaxCost, and BufferItems must be greater than zero, and NumCounters must be at least MaxCost (see github.com/dgraph-io/ristretto documentation).
func WithKMSDecryptRateLimit (added in v0.3.0)
WithKMSDecryptRateLimit sets a token-bucket limit on KMS Decrypt calls (cache-miss path only). rps and burst must be greater than zero.
func WithRequestTimeout (added in v0.3.0)
WithRequestTimeout sets the per-KMS-call deadline for GenerateDataKey and Decrypt (encrypted DEK path). Values must be greater than zero. The default is 2 seconds.
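The envelope flow that New and Decrypt describe above (a DEK obtained from KMS and stored alongside each ciphertext; decryption via the current DEK, then the decrypted-DEK cache, then a KMS Decrypt call) together with the rate-limited cache-miss path of WithKMSDecryptRateLimit, as an added Go example. This is not the package's own code: FakeKMS is a constructed stand-in for the AWS KMS client (it hands out opaque handles instead of real wrapped keys and counts Decrypt calls so the cache's effect is visible), a plain map stands in for the Ristretto cache, and AllowMiss is a hypothetical hook where the package's token bucket would sit. The envelope layout (encrypted DEK || nonce || GCM ciphertext) is likewise an assumption, not the package's storage format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrKMSDecryptRateLimited mirrors the package's sentinel error.
var ErrKMSDecryptRateLimited = errors.New("rate limit exceeded for KMS Decrypt")
const handleLen = 16 // size of the opaque "encrypted DEK" the fake KMS hands out

// randBytes draws n bytes from crypto/rand; a failure there is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAESGCM builds an AES-256-GCM AEAD. Keys here are always 32 bytes, so a
// constructor error is a programming bug; it panics rather than returning.
func newAESGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// FakeKMS is a constructed stand-in for AWS KMS. The real service wraps the
// DEK under a key that never leaves KMS; here the "encrypted DEK" is an opaque
// handle into a map, and Decrypt calls are counted so caching is observable.
type FakeKMS struct {
	keys     map[string][]byte
	Decrypts int
}
func NewFakeKMS() *FakeKMS { return &FakeKMS{keys: map[string][]byte{}} }

// GenerateDataKey returns a fresh 256-bit DEK and its opaque encrypted form.
func (k *FakeKMS) GenerateDataKey() (plain, encrypted []byte) {
	plain, encrypted = randBytes(32), randBytes(handleLen)
	k.keys[string(encrypted)] = plain
	return plain, encrypted
}

// Decrypt unwraps an encrypted DEK; every call counts as one KMS request.
func (k *FakeKMS) Decrypt(encrypted []byte) ([]byte, error) {
	k.Decrypts++
	if plain, ok := k.keys[string(encrypted)]; ok {
		return plain, nil
	}
	return nil, errors.New("KMS: unknown encrypted key")
}

// EnvelopeCrypter keeps the current DEK plus a cache of previously unwrapped
// DEKs keyed by their encrypted form (a plain map stands in for Ristretto).
type EnvelopeCrypter struct {
	kms       *FakeKMS
	dek       cipher.AEAD
	encDEK    []byte
	cache     map[string]cipher.AEAD
	AllowMiss func() bool // hypothetical rate-limit hook on the cache-miss path
}

// NewCrypter obtains its DEK from KMS at construction, as New does.
func NewCrypter(k *FakeKMS) *EnvelopeCrypter {
	plain, enc := k.GenerateDataKey()
	return &EnvelopeCrypter{kms: k, dek: newAESGCM(plain), encDEK: enc, cache: map[string]cipher.AEAD{}}
}

// Encrypt emits: encrypted DEK || nonce || GCM ciphertext (tag included).
func (c *EnvelopeCrypter) Encrypt(plaintext []byte) []byte {
	nonce := randBytes(c.dek.NonceSize())
	out := append(append([]byte{}, c.encDEK...), nonce...)
	return c.dek.Seal(out, nonce, plaintext, nil)
}

// Decrypt tries the current DEK, then the cache, and only then KMS.
func (c *EnvelopeCrypter) Decrypt(ciphertext []byte) ([]byte, error) {
	ns := c.dek.NonceSize()
	if len(ciphertext) < handleLen+ns {
		return nil, errors.New("malformed envelope")
	}
	enc, rest := ciphertext[:handleLen], ciphertext[handleLen:]
	aead, ok := c.dek, bytes.Equal(enc, c.encDEK)
	if !ok {
		if aead, ok = c.cache[string(enc)]; !ok {
			if c.AllowMiss != nil && !c.AllowMiss() {
				return nil, ErrKMSDecryptRateLimited // rejected before any KMS call
			}
			plain, err := c.kms.Decrypt(enc)
			if err != nil {
				return nil, err
			}
			aead = newAESGCM(plain)
			c.cache[string(enc)] = aead
		}
	}
	return aead.Open(nil, rest[:ns], rest[ns:], nil)
}
```

Decrypting a row written by another instance (a second NewCrypter on the same FakeKMS, as a second replica of the application would be) reaches KMS exactly once and is served from the cache afterwards; when AllowMiss rejects, Decrypt returns ErrKMSDecryptRateLimited before any KMS call, which is the behaviour the variable's documentation above describes. A flipped ciphertext byte or a truncated envelope fails GCM authentication or the length check rather than decrypting to garbage.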