dek

package
v0.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 16, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package dek registers the "dek" encryption provider. Byte-slice encryption uses AES-256-GCM; streamed attachment encryption uses MSEH v3 AES-GCM records.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AESGCMOpen

func AESGCMOpen(key, iv, ciphertext []byte) ([]byte, error)

AESGCMOpen decrypts ciphertext (with appended GCM tag) using key and iv. Exported for use by KEK-backed providers.

func AESGCMOpenWithAAD added in v0.0.6

func AESGCMOpenWithAAD(key, iv, ciphertext, aad []byte) ([]byte, error)

AESGCMOpenWithAAD decrypts ciphertext using key, iv, and AAD.

func AESGCMSeal

func AESGCMSeal(key, plaintext []byte) (iv, ciphertext []byte, err error)

AESGCMSeal encrypts plaintext with AES-256-GCM using key and a random IV. Returns (iv, ciphertext, error). Exported for use by KEK-backed providers.

func AESGCMSealWithAAD added in v0.0.6

func AESGCMSealWithAAD(key, plaintext, aad []byte) (iv, ciphertext []byte, err error)

AESGCMSealWithAAD encrypts plaintext with AES-256-GCM using key, a random IV, and AAD.

func AESGCMSealWithNonceAndAAD added in v0.0.6

func AESGCMSealWithNonceAndAAD(key, iv, plaintext, aad []byte) (usedIV, ciphertext []byte, err error)

AESGCMSealWithNonceAndAAD encrypts plaintext with AES-256-GCM using the supplied IV and AAD.

func NewCTRDecryptReader

func NewCTRDecryptReader(src io.Reader, key, nonce []byte) (io.Reader, error)

NewCTRDecryptReader returns a Reader that decrypts bytes from src using AES-CTR.

func NewCTREncryptWriter

func NewCTREncryptWriter(dst io.Writer, key, nonce []byte) (io.WriteCloser, error)

NewCTREncryptWriter returns a WriteCloser that encrypts bytes to dst using AES-CTR.

func NewCTRNonce

func NewCTRNonce(key []byte) ([]byte, error)

NewCTRNonce generates a v2 stream nonce. The leading bytes encode a stable key ID so rotated providers can select the correct key for decryption before streaming.

func NewGCMEncryptWriter

func NewGCMEncryptWriter(dst io.Writer, key, iv []byte) io.WriteCloser

NewGCMEncryptWriter returns a WriteCloser that buffers plaintext and seals it with AES-GCM using key+iv on Close, writing the ciphertext to dst. The MSEH header must already have been written to dst before calling this. Exported for use by KEK-backed providers.

func NewGCMNonce added in v0.0.6

func NewGCMNonce() ([]byte, error)

NewGCMNonce returns a fresh AES-GCM nonce.

func NewGCMStreamDecryptReader added in v0.0.6

func NewGCMStreamDecryptReader(src io.Reader, key []byte, providerID string, headerNonce []byte) (io.Reader, error)

NewGCMStreamDecryptReader returns a Reader over plaintext from an MSEH v3 authenticated record stream.

func NewGCMStreamEncryptWriter added in v0.0.6

func NewGCMStreamEncryptWriter(dst io.Writer, key []byte, providerID string, headerNonce []byte) (io.WriteCloser, error)

NewGCMStreamEncryptWriter returns a WriteCloser that writes MSEH v3 authenticated 64-KiB AES-GCM records to dst.

func NewGCMStreamNonce added in v0.0.6

func NewGCMStreamNonce(key []byte) ([]byte, error)

NewGCMStreamNonce generates a v3 attachment stream nonce. The leading bytes encode a stable key ID so rotated providers can select the correct master key before streaming; the trailing bytes are the per-stream salt.

func SelectCTRKey

func SelectCTRKey(keys [][]byte, nonce []byte) ([]byte, error)

SelectCTRKey chooses the key encoded into a v2 stream nonce.

func SelectGCMStreamKey added in v0.0.6

func SelectGCMStreamKey(keys [][]byte, nonce []byte) ([]byte, error)

SelectGCMStreamKey chooses the master key encoded into a v3 stream nonce.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL