Documentation
¶
Overview ¶
Package encrypt defines the contract a state-file encrypter implements.
Encrypter values seal and unseal opaque byte slices. State backends receive an Encrypter from the runtime and call it once per snapshot read or write. The runtime uses the same encrypter for plan files. Encrypter implementations join the fixed set in pkg/backends; the env-key and no-op encrypters live in pkg/envencrypt because they have no SDK dependency.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Encrypter ¶
type Encrypter interface {
Encrypt(plaintext []byte) ([]byte, error)
Decrypt(ciphertext []byte) ([]byte, error)
}
Encrypter seals and unseals opaque bytes. Implementations cover one key source each: an env var holding a 32-byte symmetric key, a KMS service that wraps a per-snapshot data key, and so on.
type EncrypterType ¶
type EncrypterType struct {
Name string
Description string
Configuration *cfg.ConfigurationType
New func(config any) (Encrypter, error)
}
EncrypterType registers an encrypter a provider library ships. Configuration describes the schema for the `encryption:` block fields the operator writes (e.g., env-var for the env-key encrypter). New is the factory the runtime invokes once it has decoded the configuration against that schema.
Source Files