encrypt

package
v0.8.0-a.9

Warning: This package is not in the latest version of its module.
Published: Jun 17, 2026 License: MIT Imports: 1 Imported by: 0

Documentation

Overview

Package encrypt defines the contract a state-file encrypter implements.

Encrypter values seal and unseal opaque byte slices. State backends receive an Encrypter from the runtime and call it once per snapshot read or write. The runtime uses the same encrypter for plan files. The implementations and the fixed set an operator selects from live together in pkg/encrypters.

Index

Constants

const (
	ConfigKeyID  = "key-id"
	ConfigEnvVar = "env-var"
)

Well-known Description config keys. Each must match the name the config decoder derives from the key source's schema struct.

Variables

This section is empty.

Functions

This section is empty.

Types

type Description

type Description struct {
	KeySource string
	Config    map[string]any
}

Description identifies a key source and the configuration that builds the same encrypter again. KeySource is the registry name an operator selects in stack encryption. Config holds the configuration by operator-facing field name and must stay decodable against the key source's configuration schema. Key material never belongs in a Description: descriptions are written to disk in plaintext.

type Encrypter

type Encrypter interface {
	Encrypt(plaintext []byte) ([]byte, error)
	Decrypt(ciphertext []byte) ([]byte, error)

	// Describe reports which key source this encrypter is and the
	// non-secret configuration a reader needs to decrypt what it
	// sealed. Envelope sealing calls Describe after Encrypt, so the
	// result may include facts resolved while encrypting, such as
	// the kms encrypter's key ARN.
	Describe() Description
}

Encrypter seals and unseals opaque bytes. Implementations cover one key source each: an env var holding a 32-byte symmetric key, a KMS service that wraps a per-snapshot data key, and so on.

type EncrypterType

type EncrypterType struct {
	Name          string
	Description   string
	Configuration *cfg.ConfigurationType
	New           func(config any, body map[string]any) (Encrypter, error)
}

EncrypterType registers one of the fixed set of state encrypters. Configuration describes the schema for the `encryption:` block fields the operator writes (e.g., env-var for the env-key encrypter). New is the factory the runtime invokes once it has decoded the configuration against that schema; body holds the same fields undecoded, keyed by operator-facing name, for encrypters that include them in their Description.
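Added example, not code from this package or from pkg/encrypters: a hypothetical env-var key source that satisfies the Encrypter contract above and whose constructor stands in for EncrypterType.New. It assumes a 32-byte key in the named environment variable, AES-256-GCM as the cipher, and "env-key" as the registry name; Describe reports only the variable name, which is what keeps the Description safe to write to disk in plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
)

// ConfigEnvVar and Description mirror the package contract so this file compiles alone.
const ConfigEnvVar = "env-var"
type Description struct {
	KeySource string
	Config    map[string]any
}

// EnvKeyEncrypter is a hypothetical env-var key source that satisfies Encrypter:
// AES-256-GCM under a 32-byte key read once from the named variable (assumed design).
type EnvKeyEncrypter struct {
	envVar string
	aead   cipher.AEAD
}
// NewEnvKeyEncrypter plays the EncrypterType.New role for the env-var field.
func NewEnvKeyEncrypter(envVar string) (*EnvKeyEncrypter, error) {
	key := []byte(os.Getenv(envVar))
	if len(key) != 32 {
		return nil, fmt.Errorf("%q must hold a 32-byte key", envVar)
	}
	block, _ := aes.NewCipher(key)  // cannot fail: key length checked above
	aead, _ := cipher.NewGCM(block) // cannot fail: AES block size suits GCM
	return &EnvKeyEncrypter{envVar: envVar, aead: aead}, nil
}
func (e *EnvKeyEncrypter) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize()) // fresh per snapshot, prepended
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, plaintext, nil), nil
}
func (e *EnvKeyEncrypter) Decrypt(ciphertext []byte) ([]byte, error) {
	n := e.aead.NonceSize()
	if len(ciphertext) < n { // too short to even carry a nonce
		return nil, fmt.Errorf("ciphertext shorter than %d-byte nonce", n)
	}
	return e.aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}
// Describe carries the variable name only; descriptions land on disk in plaintext.
func (e *EnvKeyEncrypter) Describe() Description {
	return Description{KeySource: "env-key", Config: map[string]any{ConfigEnvVar: e.envVar}}
}
```

GCM authenticates the ciphertext, so a modified snapshot fails Decrypt rather than yielding garbage state.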
