Documentation
¶
Overview ¶
Package dek registers the "dek" encryption provider. Byte-slice encryption uses AES-256-GCM; streamed attachment encryption uses MSEH v3 AES-GCM records.
Index ¶
- func AESGCMOpen(key, iv, ciphertext []byte) ([]byte, error)
- func AESGCMOpenWithAAD(key, iv, ciphertext, aad []byte) ([]byte, error)
- func AESGCMSeal(key, plaintext []byte) (iv, ciphertext []byte, err error)
- func AESGCMSealWithAAD(key, plaintext, aad []byte) (iv, ciphertext []byte, err error)
- func AESGCMSealWithNonceAndAAD(key, iv, plaintext, aad []byte) (usedIV, ciphertext []byte, err error)
- func NewCTRDecryptReader(src io.Reader, key, nonce []byte) (io.Reader, error)
- func NewCTREncryptWriter(dst io.Writer, key, nonce []byte) (io.WriteCloser, error)
- func NewCTRNonce(key []byte) ([]byte, error)
- func NewGCMEncryptWriter(dst io.Writer, key, iv []byte) io.WriteCloser
- func NewGCMNonce() ([]byte, error)
- func NewGCMStreamDecryptReader(src io.Reader, key []byte, providerID string, headerNonce []byte) (io.Reader, error)
- func NewGCMStreamEncryptWriter(dst io.Writer, key []byte, providerID string, headerNonce []byte) (io.WriteCloser, error)
- func NewGCMStreamNonce(key []byte) ([]byte, error)
- func SelectCTRKey(keys [][]byte, nonce []byte) ([]byte, error)
- func SelectGCMStreamKey(keys [][]byte, nonce []byte) ([]byte, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AESGCMOpen ¶
AESGCMOpen decrypts ciphertext (with appended GCM tag) using key and iv. Exported for use by KEK-backed providers.
func AESGCMOpenWithAAD ¶ added in v0.0.6
AESGCMOpenWithAAD decrypts ciphertext using key, iv, and AAD.
func AESGCMSeal ¶
AESGCMSeal encrypts plaintext with AES-256-GCM using key and a random IV. Returns (iv, ciphertext, error). Exported for use by KEK-backed providers.
func AESGCMSealWithAAD ¶ added in v0.0.6
AESGCMSealWithAAD encrypts plaintext with AES-256-GCM using key, a random IV, and AAD.
func AESGCMSealWithNonceAndAAD ¶ added in v0.0.6
func AESGCMSealWithNonceAndAAD(key, iv, plaintext, aad []byte) (usedIV, ciphertext []byte, err error)
AESGCMSealWithNonceAndAAD encrypts plaintext with AES-256-GCM using the supplied IV and AAD.
func NewCTRDecryptReader ¶
NewCTRDecryptReader returns a Reader that decrypts bytes from src using AES-CTR.
func NewCTREncryptWriter ¶
NewCTREncryptWriter returns a WriteCloser that encrypts bytes to dst using AES-CTR.
func NewCTRNonce ¶
NewCTRNonce generates a v2 stream nonce. The leading bytes encode a stable key ID so rotated providers can select the correct key for decryption before streaming.
func NewGCMEncryptWriter ¶
func NewGCMEncryptWriter(dst io.Writer, key, iv []byte) io.WriteCloser
NewGCMEncryptWriter returns a WriteCloser that buffers plaintext and seals it with AES-GCM using key+iv on Close, writing the ciphertext to dst. The MSEH header must already have been written to dst before calling this. Exported for use by KEK-backed providers.
func NewGCMNonce ¶ added in v0.0.6
NewGCMNonce returns a fresh AES-GCM nonce.
func NewGCMStreamDecryptReader ¶ added in v0.0.6
func NewGCMStreamDecryptReader(src io.Reader, key []byte, providerID string, headerNonce []byte) (io.Reader, error)
NewGCMStreamDecryptReader returns a Reader over plaintext from an MSEH v3 authenticated record stream.
func NewGCMStreamEncryptWriter ¶ added in v0.0.6
func NewGCMStreamEncryptWriter(dst io.Writer, key []byte, providerID string, headerNonce []byte) (io.WriteCloser, error)
NewGCMStreamEncryptWriter returns a WriteCloser that writes MSEH v3 authenticated 64-KiB AES-GCM records to dst.
func NewGCMStreamNonce ¶ added in v0.0.6
NewGCMStreamNonce generates a v3 attachment stream nonce. The leading bytes encode a stable key ID so rotated providers can select the correct master key before streaming; the trailing bytes are the per-stream salt.
func SelectCTRKey ¶
SelectCTRKey chooses the key encoded into a v2 stream nonce.
Types ¶
This section is empty.