Documentation
Overview
Package dek registers the "dek" encryption provider. Byte-slice encryption uses AES-256-GCM; streamed attachment encryption uses AES-CTR.
Index
- func AESGCMOpen(key, iv, ciphertext []byte) ([]byte, error)
- func AESGCMSeal(key, plaintext []byte) (iv, ciphertext []byte, err error)
- func NewCTRDecryptReader(src io.Reader, key, nonce []byte) (io.Reader, error)
- func NewCTREncryptWriter(dst io.Writer, key, nonce []byte) (io.WriteCloser, error)
- func NewCTRNonce(key []byte) ([]byte, error)
- func NewGCMEncryptWriter(dst io.Writer, key, iv []byte) io.WriteCloser
- func SelectCTRKey(keys [][]byte, nonce []byte) ([]byte, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func AESGCMOpen
AESGCMOpen decrypts ciphertext (with appended GCM tag) using key and iv. Exported for use by KEK-backed providers.
func AESGCMSeal
AESGCMSeal encrypts plaintext with AES-256-GCM using key and a random IV. Returns (iv, ciphertext, error). Exported for use by KEK-backed providers.
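The seal/open contract described for AESGCMSeal and AESGCMOpen, as an added example built on the Go standard library; it is not the dek package's code. The names sealGCM, openGCM and newGCM are hypothetical, and the 12-byte IV and 16-byte tag are the standard library defaults, assumed here rather than stated by the package.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256 only: reject 16- and 24-byte AES keys too
		return nil, fmt.Errorf("key is %d bytes, want 32", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM is a hypothetical stand-in for AESGCMSeal: random IV, tag appended.
func sealGCM(key, plaintext []byte) (iv, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	iv = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	return iv, gcm.Seal(nil, iv, plaintext, nil), nil
}

// openGCM is a hypothetical stand-in for AESGCMOpen: fails unless the tag verifies.
func openGCM(key, iv, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() { // AEAD.Open panics on a wrong-length nonce
		return nil, fmt.Errorf("iv is %d bytes, want %d", len(iv), gcm.NonceSize())
	}
	return gcm.Open(nil, iv, ciphertext, nil)
}

func main() {
	iv, ct, _ := sealGCM(make([]byte, 32), []byte("constructed sample")) // all-zero demo key
	_, err := openGCM(make([]byte, 32), iv, ct[1:])                       // damaged input
	fmt.Println("damaged ciphertext rejected:", err != nil)
}
```

Callers must store the returned IV alongside the ciphertext, and must treat any error from the open call as a hard failure rather than falling back to the raw bytes.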
func NewCTRDecryptReader
NewCTRDecryptReader returns a Reader that decrypts bytes from src using AES-CTR.
func NewCTREncryptWriter
NewCTREncryptWriter returns a WriteCloser that encrypts bytes to dst using AES-CTR.
func NewCTRNonce
NewCTRNonce generates a v2 stream nonce. The leading bytes encode a stable key ID so rotated providers can select the correct key for decryption before streaming.
func NewGCMEncryptWriter
func NewGCMEncryptWriter(dst io.Writer, key, iv []byte) io.WriteCloser
NewGCMEncryptWriter returns a WriteCloser that buffers plaintext and seals it with AES-GCM using key+iv on Close, writing the ciphertext to dst. The MSEH header must already have been written to dst before calling this. Exported for use by KEK-backed providers.
Types
This section is empty.