Documentation
Overview
Package vault holds Conduit's credential-at-rest cryptography: envelope encryption split into a provider-agnostic Vault and a pluggable KeyProvider that wraps the per-credential data key. The local provider wraps with a KEK taken from the environment for dev; a GCP KMS provider implements the same interface for prod.
Types
type GCPKMSKeyProvider
type GCPKMSKeyProvider struct {
// contains filtered or unexported fields
}
GCPKMSKeyProvider wraps DEKs with a Cloud KMS crypto key. The wrapping key never leaves the HSM-backed KMS: a stolen database yields only ciphertext and KMS-wrapped data keys, which can be unwrapped only by a live KMS Decrypt call that this provider's service identity alone is authorized to make. CRC32C checksums guard the payloads in transit, as Google recommends.
func NewGCPKMSKeyProvider
func NewGCPKMSKeyProvider(ctx context.Context, keyName string) (*GCPKMSKeyProvider, error)
NewGCPKMSKeyProvider dials Cloud KMS (Application Default Credentials) and targets keyName, the crypto key resource projects/P/locations/L/keyRings/R/cryptoKeys/K.
func (*GCPKMSKeyProvider) Close
func (p *GCPKMSKeyProvider) Close() error
Close releases the KMS client connection.
func (*GCPKMSKeyProvider) KeyID
func (p *GCPKMSKeyProvider) KeyID() string
KeyID is the KMS crypto key resource name, recorded on each sealed credential so a key rotation can find and re-wrap what a retired key sealed.
type KeyProvider
type KeyProvider interface {
	Wrap(ctx context.Context, dek []byte) (wrapped []byte, err error)
	Unwrap(ctx context.Context, wrapped []byte) (dek []byte, err error)
	// KeyID identifies the wrapping key for audit and rotation tracking.
	KeyID() string
}
KeyProvider wraps and unwraps a data key (DEK). It is the only seam that differs between environments: dev wraps with a local AES KEK, prod wraps via GCP KMS Encrypt/Decrypt. The wrapped form is an opaque blob only the provider understands.
type LocalKeyProvider
type LocalKeyProvider struct {
// contains filtered or unexported fields
}
LocalKeyProvider wraps DEKs with a single AES-256 KEK held in process. It is the dev/default provider; production swaps in a GCP KMS provider behind the same KeyProvider interface so a DB dump alone never yields plaintext.
func NewLocalKeyProvider
func NewLocalKeyProvider(kek []byte) (*LocalKeyProvider, error)
func NewLocalKeyProviderFromEnv
func NewLocalKeyProviderFromEnv() (*LocalKeyProvider, error)
NewLocalKeyProviderFromEnv reads the base64-encoded 32-byte KEK from CONDUIT_KEY_ENCRYPTION_KEY, failing fast if absent or malformed.
func (*LocalKeyProvider) KeyID
func (p *LocalKeyProvider) KeyID() string
type Vault
type Vault struct {
// contains filtered or unexported fields
}
Vault envelope-encrypts secrets: a fresh random DEK encrypts the payload (AES-256-GCM), and the KeyProvider wraps that DEK. The two outputs map 1:1 to a Credential's Ciphertext and WrappedKey columns. Rotating the wrapping key therefore re-wraps only the DEKs; payloads are never re-encrypted.
func New
func New(p KeyProvider) *Vault
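The envelope flow described above, as an added stand-alone example in Go (not the package's own code): a fixed-size Key and an in-process KEK stand in for LocalKeyProvider, AES-256-GCM is assumed for wrapping the DEK as well as for the payload, and Seal, Open and Rotate mirror Vault sealing, opening and wrapping-key rotation over a Credential's Ciphertext and WrappedKey.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Key [32]byte                                                 // AES-256 key; fixed size, so aes.NewCipher cannot fail
type KEK struct{ ID string; Key Key }                             // stand-in for the dev KeyProvider (assumption)
type Sealed struct{ Ciphertext, WrappedKey []byte; KeyID string } // one Credential row
func aead(k Key) cipher.AEAD {
	block, _ := aes.NewCipher(k[:])
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
func seal(k Key, pt []byte) []byte { // fresh 12-byte nonce prepended; rand.Read never errors (Go 1.24+)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(k).Seal(nonce, nonce, pt, nil)
}
func open(k Key, blob []byte) ([]byte, error) { // GCM authenticates before decrypting
	if len(blob) < 12 {
		return nil, errors.New("sealed blob too short")
	}
	return aead(k).Open(nil, blob[:12], blob[12:], nil)
}
// Seal: a fresh random DEK encrypts the secret; the KEK wraps only that DEK.
func Seal(p KEK, secret []byte) Sealed {
	var dek Key
	rand.Read(dek[:])
	return Sealed{Ciphertext: seal(dek, secret), WrappedKey: seal(p.Key, dek[:]), KeyID: p.ID}
}
// Open unwraps the DEK, then decrypts the payload; a wrong KEK or a tampered row fails at unwrap.
func Open(p KEK, s Sealed) ([]byte, error) {
	dek, err := open(p.Key, s.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(Key(dek), s.Ciphertext) // Go 1.20+ slice-to-array conversion
}
// Rotate re-wraps the DEK under the next KEK; Ciphertext is carried over untouched.
func Rotate(old, next KEK, s Sealed) (Sealed, error) {
	dek, err := open(old.Key, s.WrappedKey)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{Ciphertext: s.Ciphertext, WrappedKey: seal(next.Key, dek), KeyID: next.ID}, nil
}
```

A rotated row keeps byte-identical Ciphertext, carries the new KeyID, and opens only under the new KEK; the retired KEK and any tampered row fail GCM authentication.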