encrypters

package v0.7.0
Published: Jun 12, 2026 License: MIT Imports: 16 Imported by: 0

Documentation

Overview

Package encrypters holds the fixed set of state encrypters a factory can use. An operator selects one by bare name with @key-source in a config's encryption block, and the resolver looks the name up here. The Encrypter contract lives in pkg/sdk/encrypt.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Encrypters

func Encrypters() map[string]sdkencrypt.EncrypterType

Encrypters returns the state encrypters keyed by the bare name an operator selects with @key-source. Names are unique by construction: this is one map literal, so a duplicate is a compile error.

Types

type EnvKey

type EnvKey struct {
	// contains filtered or unexported fields
}

EnvKey uses AES-256-GCM with a 32-byte symmetric key read from a named environment variable. The env value must be the base64-encoded key.

func NewEnvKey

func NewEnvKey(envVar string) (*EnvKey, error)

NewEnvKey reads the env var, decodes the key, and returns an EnvKey encrypter. Errors when the env var is unset, not base64, or does not decode to 32 bytes.

func (*EnvKey) Decrypt

func (e *EnvKey) Decrypt(ciphertext []byte) ([]byte, error)

Decrypt opens a value produced by Encrypt. Errors on tampered or truncated bytes.

func (*EnvKey) Encrypt

func (e *EnvKey) Encrypt(plaintext []byte) ([]byte, error)

Encrypt seals plaintext with a fresh random nonce. Output bytes are `nonce || ciphertext+tag`.
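An added example, not the package's own code, of the EnvKey contract described above: key loading with the three documented failure cases, sealing under a fresh nonce, and opening with explicit truncation and tamper rejection. The `nonce || ciphertext+tag` layout with GCM's 12-byte nonce is assumed from the doc comment, and STATE_KEY is an assumed variable name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
)

// envKey mirrors this page's EnvKey; the 12-byte nonce || ciphertext+tag layout is an assumption.
type envKey struct{ aead cipher.AEAD }

// newEnvKey reads a base64 32-byte key from envVar, as NewEnvKey is documented to.
func newEnvKey(envVar string) (*envKey, error) {
	key, err := base64.StdEncoding.DecodeString(os.Getenv(envVar))
	if err != nil || len(key) != 32 { // an unset var decodes to 0 bytes and fails here too
		return nil, fmt.Errorf("%s must be a base64 32-byte key (err=%v, len=%d)", envVar, err, len(key))
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &envKey{aead: aead}, nil
}

// Encrypt seals under a fresh random nonce and prepends it to the sealed bytes.
func (e *envKey) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt splits off the nonce and opens; the length check rejects truncation, GCM's tag check rejects tampering.
func (e *envKey) Decrypt(ciphertext []byte) ([]byte, error) {
	n := e.aead.NonceSize()
	if len(ciphertext) < n+e.aead.Overhead() {
		return nil, fmt.Errorf("ciphertext truncated: %d bytes", len(ciphertext))
	}
	return e.aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func main() { // round trip under a constructed all-zero key; STATE_KEY is an assumed name
	os.Setenv("STATE_KEY", base64.StdEncoding.EncodeToString(make([]byte, 32)))
	e, _ := newEnvKey("STATE_KEY")
	blob, _ := e.Encrypt([]byte("state"))
	fmt.Println(e.Decrypt(blob))
}
```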

type EnvKeyConfig

type EnvKeyConfig struct {
	EnvVar cfg.String
}

EnvKeyConfig is the operator-facing body under `encryption: { @key-source: env-key ... }`.

type KMS

type KMS struct {
	// contains filtered or unexported fields
}

KMS seals and unseals bytes with envelope encryption through AWS KMS: payloads are sealed locally with AES-256-GCM under a 256-bit data key that KMS generates and wraps with one KMS key (named by id, ARN, or alias), and each blob stores its wrapped data key, so data keys are the only thing that crosses the wire, never the payload.

An encrypter generates one data key on first use and seals every write with it. An encrypter lives for one command, so the key's exposure is bounded by the run, GCM with random nonces stays safe for far more messages than a run writes, and readers never depend on the reuse because every blob is self-describing. Unwrapped data keys are memoized by their wrapped bytes for the same reason in the other direction: a run re-reading blobs it wrote, or several blobs sealed under one data key, costs one KMS call at most.

func NewKMS

func NewKMS(client *kms.Client, keyID string) (*KMS, error)

NewKMS returns a KMS encrypter using client and the given key.

func (*KMS) Decrypt

func (k *KMS) Decrypt(ciphertext []byte) ([]byte, error)

Decrypt opens a value produced by Encrypt. Errors on tampered or truncated bytes, and when KMS will not unwrap the stored data key.

func (*KMS) Encrypt

func (k *KMS) Encrypt(plaintext []byte) ([]byte, error)

Encrypt seals plaintext under the run's KMS data key, generating it on first use.

type KMSConfig

type KMSConfig struct {
	KeyID cfg.String
	AWS   *awscfg.Configuration
}

KMSConfig is the operator-facing body under `encryption: { @key-source: kms ... }`. The aws object holds the shared AWS connection settings from pkg/awscfg.

type Noop

type Noop struct{}

Noop passes bytes through unchanged. Useful in tests and for dev workflows where the operator has explicitly opted out of encryption.

func (Noop) Decrypt

func (Noop) Decrypt(p []byte) ([]byte, error)

func (Noop) Encrypt

func (Noop) Encrypt(p []byte) ([]byte, error)
