Documentation

Overview
Package dekstore provides a thin database layer for the vault and kms encryption providers to manage their wrapped DEK record in the application database. It supports both postgres and mongo backends, selected to match cfg.DatastoreType.

Schema: one row per provider. wrapped_deks[0] is the primary DEK (the newest); subsequent elements are legacy keys kept for decryption-only rotation. revision enables optimistic updates, so a future key-rotation CLI can safely prepend a new wrapped DEK without clobbering a concurrent update.
Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types
type Record

	type Record struct {
		// WrappedDEKs holds backend-wrapped DEK ciphertexts.
		// Index 0 is the primary (used for new encryptions); subsequent entries
		// are legacy keys retained for decryption-only key rotation.
		WrappedDEKs [][]byte
		// Revision is incremented on every update. Used for optimistic locking.
		Revision int64
	}

Record is the single DEK record stored per encryption provider.
type Store

	type Store interface {
		// Load returns the record for provider, or nil if none exists.
		Load(ctx context.Context, provider string) (*Record, error)
		// Bootstrap inserts the initial record if no row exists for provider.
		// On primary-key conflict (another instance beat us) it silently succeeds;
		// the caller must Load again to obtain the winning record.
		Bootstrap(ctx context.Context, provider string, wrappedDEK []byte) error
		// Update replaces wrapped_deks and increments revision, but only when the
		// stored revision equals oldRevision (optimistic locking). Returns true if
		// the update was applied, false if the revision was stale.
		Update(ctx context.Context, provider string, wrappedDEKs [][]byte, oldRevision int64) (bool, error)
		// Close releases the underlying connection.
		Close()
	}

Store manages a single DEK record per provider name.
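The following is an added example, not code from the dekstore package, showing how a caller is expected to use the Record layout and the Store contract together: Bootstrap once, then rotate by prepending a new wrapped DEK under optimistic locking, reloading and retrying whenever Update reports a stale revision. The Record and Store declarations are copied from the page so the example compiles on its own; memStore is a hypothetical in-memory backend standing in for the package's postgres and mongo implementations, and rotateDEK and the sample ciphertexts are constructed for this illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// Record and Store mirror the dekstore types on the page (copied so the
// example is self-contained).
type Record struct {
	WrappedDEKs [][]byte // index 0 is the primary DEK; the rest are decryption-only legacy keys
	Revision    int64    // bumped on every Update; used for optimistic locking
}

type Store interface {
	Load(ctx context.Context, provider string) (*Record, error)
	Bootstrap(ctx context.Context, provider string, wrappedDEK []byte) error
	Update(ctx context.Context, provider string, wrappedDEKs [][]byte, oldRevision int64) (bool, error)
	Close()
}

// memStore is a hypothetical in-memory Store that follows the documented
// contract; it is not the package's postgres or mongo backend.
type memStore struct {
	mu   sync.Mutex
	rows map[string]*Record
}

func newMemStore() *memStore { return &memStore{rows: map[string]*Record{}} }

func (s *memStore) Load(_ context.Context, provider string) (*Record, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.rows[provider]
	if !ok {
		return nil, nil // no row for this provider
	}
	// Return a copy so callers cannot mutate the stored record in place.
	return &Record{WrappedDEKs: append([][]byte(nil), r.WrappedDEKs...), Revision: r.Revision}, nil
}

func (s *memStore) Bootstrap(_ context.Context, provider string, wrappedDEK []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, exists := s.rows[provider]; exists {
		return nil // primary-key conflict: another instance won; caller must Load again
	}
	s.rows[provider] = &Record{WrappedDEKs: [][]byte{wrappedDEK}, Revision: 0}
	return nil
}

func (s *memStore) Update(_ context.Context, provider string, wrappedDEKs [][]byte, oldRevision int64) (bool, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.rows[provider]
	if !ok || r.Revision != oldRevision {
		return false, nil // stale revision (or no row): nothing applied
	}
	r.WrappedDEKs = append([][]byte(nil), wrappedDEKs...)
	r.Revision++
	return true, nil
}

func (s *memStore) Close() {}

// rotateDEK prepends newWrapped as the primary DEK and keeps the previous keys
// for decryption only. A stale-revision result means a concurrent writer won,
// so the loop reloads and retries instead of overwriting their change.
func rotateDEK(ctx context.Context, st Store, provider string, newWrapped []byte, maxAttempts int) (*Record, error) {
	for attempt := 0; attempt < maxAttempts; attempt++ {
		rec, err := st.Load(ctx, provider)
		if err != nil {
			return nil, err
		}
		if rec == nil {
			return nil, errors.New("no DEK record for provider; Bootstrap first")
		}
		next := append([][]byte{newWrapped}, rec.WrappedDEKs...)
		ok, err := st.Update(ctx, provider, next, rec.Revision)
		if err != nil {
			return nil, err
		}
		if ok {
			return st.Load(ctx, provider)
		}
	}
	return nil, fmt.Errorf("rotation lost the revision race %d times", maxAttempts)
}

func main() {
	ctx := context.Background()
	st := newMemStore()
	defer st.Close()
	_ = st.Bootstrap(ctx, "vault", []byte("wrapped-dek-v1")) // constructed sample ciphertext
	rec, err := rotateDEK(ctx, st, "vault", []byte("wrapped-dek-v2"), 3)
	if err != nil {
		panic(err)
	}
	fmt.Printf("primary=%s legacy=%d revision=%d\n", rec.WrappedDEKs[0], len(rec.WrappedDEKs)-1, rec.Revision)
}
```

The rotation never drops the old wrapped DEKs: ciphertext written under the previous primary can still be decrypted by walking WrappedDEKs[1:], while new encryptions use index 0. The bounded retry is what makes the Update contract's "false on stale revision" safe to use from several application instances at once.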