Affected by GO-2024-2727 and 1 other vulnerabilities

GO-2024-2727: Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation

GO-2025-4076: Constellation has insecure LUKS2 persistent storage partitions which may be opened and used in github.com/edgelesssys/constellation

cryptmapper

package

v2.9.1 Latest Latest Go to latest Published: Jul 20, 2023 License: AGPL-3.0 Imports: 13 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/edgelesssys/constellation

Links

Open Source Insights

Documentation ¶

Rendered for

Overview ¶

Package cryptmapper provides a wrapper around libcryptsetup to manage dm-crypt volumes for CSI drivers.

Index ¶

Constants
func IsIntegrityFS(fstype string) (string, bool)
type CryptDevice
type CryptMapper
- func New(kms KeyCreator, mapper deviceMapper) *CryptMapper
type KeyCreator

Constants ¶

View Source

const (
	// LUKSHeaderSize is the amount of bytes taken up by the header of a LUKS2 partition.
	// The header is 16MiB (1048576 Bytes * 16).
	LUKSHeaderSize = 16777216
)

Variables ¶

This section is empty.

Functions ¶

func IsIntegrityFS ¶

func IsIntegrityFS(fstype string) (string, bool)

IsIntegrityFS checks if the fstype string contains an integrity suffix. If yes, returns the trimmed fstype and true, fstype and false otherwise.

Types ¶

type CryptDevice ¶

type CryptDevice struct {
	*cryptsetup.Device
}

CryptDevice is a wrapper for cryptsetup.Device.

func (*CryptDevice) Free ¶

func (c *CryptDevice) Free() bool

Free releases crypt device context and used memory.

func (*CryptDevice) Init ¶

func (c *CryptDevice) Init(devicePath string) error

Init initializes a crypt device backed by 'devicePath'. Sets the cryptDevice's deviceMapper to the newly allocated Device or returns any error encountered.

func (*CryptDevice) InitByName ¶

func (c *CryptDevice) InitByName(name string) error

InitByName initializes a crypt device from provided active device 'name'. Sets the deviceMapper to the newly allocated Device or returns any error encountered.

type CryptMapper ¶

type CryptMapper struct {
	// contains filtered or unexported fields
}

CryptMapper manages dm-crypt volumes.

func New ¶

func New(kms KeyCreator, mapper deviceMapper) *CryptMapper

New initializes a new CryptMapper with the given kms client and key-encryption-key ID. kms is used to fetch data encryption keys for the dm-crypt volumes.

func (*CryptMapper) CloseCryptDevice ¶

func (c *CryptMapper) CloseCryptDevice(volumeID string) error

CloseCryptDevice closes the crypt device mapped for volumeID. Returns nil if the volume does not exist.

func (*CryptMapper) GetDevicePath ¶

func (c *CryptMapper) GetDevicePath(volumeID string) (string, error)

GetDevicePath returns the device path of a mapped crypt device.

func (*CryptMapper) OpenCryptDevice ¶

func (c *CryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID string, integrity bool) (string, error)

OpenCryptDevice maps the volume at source to the crypt device identified by volumeID. The key used to encrypt the volume is fetched using CryptMapper's kms client.

func (*CryptMapper) ResizeCryptDevice ¶

func (c *CryptMapper) ResizeCryptDevice(ctx context.Context, volumeID string) (string, error)

ResizeCryptDevice resizes the underlying crypt device and returns the mapped device path.

type KeyCreator ¶

type KeyCreator interface {
	GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error)
}

KeyCreator is an interface to create data encryption keys.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL