Overview
Package encrypters holds the fixed set of state encrypters a factory can use. An operator selects one by bare name in a stack encryption declaration, and the resolver looks the name up here. The Encrypter contract lives in pkg/sdk/encrypt.
Index
Constants
const (
	EnvKeyName = "env-key"
	KMSName    = "kms"
	NoopName   = "noop"
)
Key source names; Describe reports the same name the registry uses so a recorded ref resolves back to its type.
Variables
This section is empty.
Functions
func Encrypters
func Encrypters() map[string]sdkencrypt.EncrypterType
Encrypters returns the state encrypters keyed by the bare name an operator selects in stack encryption. Names are unique by construction: this is one map literal, so a duplicate is a compile error.
Types
type EnvKey
type EnvKey struct {
	// contains filtered or unexported fields
}
EnvKey uses AES-256-GCM with a 32-byte symmetric key read from a named environment variable. The env value must be the base64-encoded key.
func NewEnvKey
NewEnvKey reads the env var, decodes the key, and returns an EnvKey encrypter. Errors when the env var is unset, not base64, or does not decode to 32 bytes.
func (*EnvKey) Decrypt
Decrypt opens a value produced by Encrypt. Errors on tampered or truncated bytes.
func (*EnvKey) Describe
func (e *EnvKey) Describe() sdkencrypt.Description
Describe names the env-key source and the env var the key is read from.
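The EnvKey contract described above (a base64-encoded 32-byte key read from a named variable, AES-256-GCM under a fresh random nonce, rejection of tampered or truncated bytes, and a Describe that records the source without leaking the key), as an added Go example written for this page. It is not the package's own EnvKey: the type name EnvKeyExample, the plain map returned by Describe in place of sdkencrypt.Description, and the variable name STATE_KEY_EXAMPLE are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// EnvKeyExample encrypts with AES-256-GCM under a key read from an environment variable.
// Example type written for this page, not the package's EnvKey.
type EnvKeyExample struct {
	envVar string
	gcm    cipher.AEAD
}

// NewEnvKeyExample applies the env-key contract: the variable must be set, decode as
// standard base64, and yield exactly 32 bytes (AES-256). Anything else is an error.
func NewEnvKeyExample(envVar string) (*EnvKeyExample, error) {
	raw, ok := os.LookupEnv(envVar)
	if !ok {
		return nil, fmt.Errorf("%s: environment variable is not set", envVar)
	}
	key, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("%s: value is not base64: %w", envVar, err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("%s: key decodes to %d bytes, want 32", envVar, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EnvKeyExample{envVar: envVar, gcm: gcm}, nil
}

// Encrypt seals plaintext under a fresh random 96-bit nonce and returns nonce || ciphertext || tag.
func (e *EnvKeyExample) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob from Encrypt. A blob shorter than nonce plus tag, or any modified
// byte, is rejected by the GCM tag check rather than yielding garbage plaintext.
func (e *EnvKeyExample) Decrypt(blob []byte) ([]byte, error) {
	ns := e.gcm.NonceSize()
	if len(blob) < ns+e.gcm.Overhead() {
		return nil, errors.New("decrypt: blob is truncated")
	}
	plaintext, err := e.gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, errors.New("decrypt: authentication failed (tampered or truncated blob)")
	}
	return plaintext, nil
}

// Describe reports the source name and the variable the key was read from, never the key
// itself, so a sealed file can record how it was encrypted. The map shape is this example's
// assumption, not sdkencrypt.Description.
func (e *EnvKeyExample) Describe() map[string]string {
	return map[string]string{"source": "env-key", "env": e.envVar}
}

func main() {
	// Constructed demo key; in real use the operator provisions it out of band.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	os.Setenv("STATE_KEY_EXAMPLE", base64.StdEncoding.EncodeToString(key))
	enc, err := NewEnvKeyExample("STATE_KEY_EXAMPLE")
	if err != nil {
		panic(err)
	}
	blob, _ := enc.Encrypt([]byte("stack state"))
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = enc.Decrypt(blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Because the key is validated once in the constructor, every later Encrypt and Decrypt is a pure AEAD call, and the only state the encrypter carries besides the AEAD is the variable name that Describe reports.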
type EnvKeyConfig
EnvKeyConfig is the operator-facing body under `encryption: env-key { ... }`.
type KMS
type KMS struct {
	// contains filtered or unexported fields
}
KMS seals and unseals bytes with envelope encryption through AWS KMS: payloads are sealed locally with AES-256-GCM under a 256-bit data key that KMS generates and wraps with one KMS key (named by id, ARN, or alias), and each blob stores its wrapped data key, so data keys are the only thing that crosses the wire, never the payload.
An encrypter generates one data key on first use and seals every write with it. An encrypter lives for one command, so the key's exposure is bounded by the run, GCM with random nonces stays safe for far more messages than a run writes, and readers never depend on the reuse because every blob is self-describing. Unwrapped data keys are memoized by their wrapped bytes for the same reason in the other direction: a run re-reading blobs it wrote, or several blobs sealed under one data key, costs one KMS call at most.
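The envelope scheme described above, as an added Go example that is not the package's code: one data key minted on the first write, every blob carrying its own wrapped data key, and unwrapped keys memoized by their wrapped bytes so that a fresh encrypter pays one KMS round trip for any number of blobs sealed under the same data key. The KeyWrapper interface, the Envelope type, its blob layout and the in-memory fakeKMS are assumptions made for this page; against the real service, KeyWrapper would be implemented with the AWS KMS GenerateDataKey and Decrypt operations, and the handle the fake hands back would be the ciphertext blob KMS returns.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const nonceSize = 12 // the standard nonce length cipher.NewGCM uses

// KeyWrapper is what envelope encryption needs from KMS (hypothetical stand-in for the KMS client).
type KeyWrapper interface {
	GenerateDataKey() (plain, wrapped []byte, err error) // mint a data key, also wrapped under the KMS key
	Unwrap(wrapped []byte) ([]byte, error)              // ask KMS to unwrap a stored data key
}

// Envelope seals with AES-256-GCM under one data key minted on first use and memoizes unwrapped
// keys by their wrapped bytes. Example type written for this page, not the package's KMS encrypter.
type Envelope struct {
	kms     KeyWrapper
	dataKey []byte
	wrapped []byte
	cache   map[string][]byte // wrapped bytes -> unwrapped data key
}

func NewEnvelope(k KeyWrapper) *Envelope { return &Envelope{kms: k, cache: map[string][]byte{}} }

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns a self-describing blob; the layout is constructed for this example:
// 2-byte big-endian wrapped-key length || wrapped key || nonce || ciphertext+tag.
func (e *Envelope) Encrypt(plaintext []byte) ([]byte, error) {
	if e.dataKey == nil { // first write of this encrypter's lifetime: the one KMS call
		plain, wrapped, err := e.kms.GenerateDataKey()
		if err != nil {
			return nil, err
		}
		e.dataKey, e.wrapped = plain, wrapped
		e.cache[string(wrapped)] = plain // re-reading our own blobs never calls KMS
	}
	gcm, err := aead(e.dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(e.wrapped)))
	out = append(append(out, e.wrapped...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Decrypt resolves the blob's wrapped key (cache first, KMS on a miss) and opens the payload;
// a truncated blob fails the length check and a modified one fails the GCM tag check.
func (e *Envelope) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob))+nonceSize {
		return nil, errors.New("truncated blob")
	}
	n := 2 + int(binary.BigEndian.Uint16(blob))
	wrapped, nonce, ct := blob[2:n], blob[n:n+nonceSize], blob[n+nonceSize:]
	key, err := e.cache[string(wrapped)], error(nil)
	if key == nil {
		if key, err = e.kms.Unwrap(wrapped); err != nil {
			return nil, err
		}
		e.cache[string(wrapped)] = key
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// fakeKMS stands in for AWS KMS offline: its "wrapped" form is an opaque random handle that only the
// fake can resolve (the real service returns ciphertext under the KMS key); Calls counts round trips.
type fakeKMS struct {
	keys  map[string][]byte
	Calls int
}

func newFakeKMS() *fakeKMS { return &fakeKMS{keys: map[string][]byte{}} }

func (f *fakeKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	f.Calls++
	buf := make([]byte, 48) // 32-byte data key followed by a 16-byte handle
	if _, err = rand.Read(buf); err == nil {
		f.keys[string(buf[32:])] = buf[:32]
	}
	return buf[:32], buf[32:], err
}

func (f *fakeKMS) Unwrap(wrapped []byte) ([]byte, error) {
	f.Calls++
	if dk, ok := f.keys[string(wrapped)]; ok {
		return dk, nil
	}
	return nil, errors.New("kms: unknown wrapped key")
}
```

The Calls counter on fakeKMS is what makes the two bounds in the text observable: a writer that seals many blobs makes one GenerateDataKey call, and a fresh Envelope reading those blobs makes one Unwrap for the first and none for the rest, because every blob names the same wrapped key. Swapping in a different fakeKMS shows the failure mode the page's Decrypt documents, an unwrap KMS refuses, surfacing as an error rather than a panic.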
func NewKMS
NewKMS returns a KMS encrypter using client and the given key. config, which may be nil, is the operator's evaluated encryption block; Describe reports it so sealed files record how to decrypt.
func (*KMS) Decrypt
Decrypt opens a value produced by Encrypt. Errors on tampered or truncated bytes, and when KMS will not unwrap the stored data key.
func (*KMS) Describe
func (k *KMS) Describe() sdkencrypt.Description
Describe names the kms key source and the operator configuration that selects the key, with key-id replaced by the key ARN once the first Encrypt has resolved it.
type KMSConfig
type KMSConfig struct {
	KeyID cfg.String
	AWS   *awscfg.Configuration
}
KMSConfig is the operator-facing body under `encryption: kms { ... }`. The aws object holds the shared AWS connection settings from pkg/awscfg.
type Noop
type Noop struct{}
Noop passes bytes through unchanged. Useful in tests and for dev workflows where the operator has explicitly opted out of encryption.
func (Noop) Describe
func (Noop) Describe() sdkencrypt.Description
Describe names the noop key source. The empty Config marks the sealed body as plaintext with nothing more to configure.