vault

package
v0.6.0

This package is not in the latest version of its module.
Published: Jun 1, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package vault holds Conduit's credential-at-rest cryptography: envelope encryption split into a provider-agnostic Vault and a pluggable KeyProvider that wraps the per-credential data key. The local provider wraps with an env KEK for dev; a GCP KMS provider implements the same interface for prod.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type GCPKMSKeyProvider

type GCPKMSKeyProvider struct {
	// contains filtered or unexported fields
}

GCPKMSKeyProvider wraps DEKs with a Cloud KMS crypto key. The wrapping key never leaves the HSM-backed KMS; a stolen database yields only ciphertext and KMS-wrapped data keys, which can be recovered only through a live KMS Decrypt call that this provider's service identity alone is authorized to make. CRC32C checksums guard the payloads in transit, as Google recommends.

func NewGCPKMSKeyProvider

func NewGCPKMSKeyProvider(ctx context.Context, keyName string) (*GCPKMSKeyProvider, error)

NewGCPKMSKeyProvider dials Cloud KMS (Application Default Credentials) and targets keyName, the crypto key resource projects/P/locations/L/keyRings/R/cryptoKeys/K.

func (*GCPKMSKeyProvider) Close

func (p *GCPKMSKeyProvider) Close() error

Close releases the KMS client connection.

func (*GCPKMSKeyProvider) KeyID

func (p *GCPKMSKeyProvider) KeyID() string

KeyID is the KMS crypto key resource name, recorded on each sealed credential so a key rotation can find and re-wrap what a retired key sealed.

func (*GCPKMSKeyProvider) Unwrap

func (p *GCPKMSKeyProvider) Unwrap(ctx context.Context, wrapped []byte) ([]byte, error)

func (*GCPKMSKeyProvider) Wrap

func (p *GCPKMSKeyProvider) Wrap(ctx context.Context, dek []byte) ([]byte, error)

type KeyProvider

type KeyProvider interface {
	Wrap(ctx context.Context, dek []byte) (wrapped []byte, err error)
	Unwrap(ctx context.Context, wrapped []byte) (dek []byte, err error)
	// KeyID identifies the wrapping key for audit and rotation tracking.
	KeyID() string
}

KeyProvider wraps and unwraps a data key (DEK). It is the only seam that differs between environments: dev wraps with a local AES KEK, prod wraps via GCP KMS Encrypt/Decrypt. The wrapped form is an opaque blob only the provider understands.

type LocalKeyProvider

type LocalKeyProvider struct {
	// contains filtered or unexported fields
}

LocalKeyProvider wraps DEKs with a single AES-256 KEK held in process. It is the dev/default provider; production swaps in a GCP KMS provider behind the same KeyProvider interface so a DB dump alone never yields plaintext.

func NewLocalKeyProvider

func NewLocalKeyProvider(kek []byte) (*LocalKeyProvider, error)

func NewLocalKeyProviderFromEnv

func NewLocalKeyProviderFromEnv() (*LocalKeyProvider, error)

NewLocalKeyProviderFromEnv reads the base64-encoded 32-byte KEK from CONDUIT_KEY_ENCRYPTION_KEY, failing fast if absent or malformed.

func (*LocalKeyProvider) KeyID

func (p *LocalKeyProvider) KeyID() string

func (*LocalKeyProvider) Unwrap

func (p *LocalKeyProvider) Unwrap(_ context.Context, wrapped []byte) ([]byte, error)

func (*LocalKeyProvider) Wrap

func (p *LocalKeyProvider) Wrap(_ context.Context, dek []byte) ([]byte, error)

type Vault

type Vault struct {
	// contains filtered or unexported fields
}

Vault envelope-encrypts secrets: a fresh random DEK encrypts the payload (AES-256-GCM), and the KeyProvider wraps that DEK. The two outputs map 1:1 to a Credential's Ciphertext and WrappedKey columns. Rotating the wrapping key therefore re-wraps only the DEKs; payloads are never re-encrypted.

func New

func New(p KeyProvider) *Vault

func (*Vault) KeyID

func (v *Vault) KeyID() string

KeyID exposes the active wrapping key for stamping on stored credentials.

func (*Vault) Open

func (v *Vault) Open(ctx context.Context, ciphertext, wrappedKey []byte) ([]byte, error)

Open reverses Seal.

func (*Vault) Seal

func (v *Vault) Seal(ctx context.Context, plaintext []byte) (ciphertext, wrappedKey []byte, err error)

Seal returns the DEK-encrypted payload and the wrapped DEK. Plaintext is never retained; the DEK is zeroed before returning.
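The envelope scheme the Vault and KeyProvider docs describe, written out as an added, self-contained example (not the package's own code): Seal and Open mirror Vault.Seal/Open with a plain 32-byte KEK standing in for the dev KeyProvider, and Rewrap shows the rotation claim above, that a KEK change re-wraps the DEK and leaves the payload ciphertext untouched. The nonce-prefixed blob layout, the dropped ctx parameter and the byte-slice KEK are this example's assumptions, not the package's wire format.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// gcm builds AES-256-GCM for a 32-byte key; the same AEAD encrypts payloads and wraps DEKs.
func gcm(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(b)
}
// seal prefixes a fresh random nonce to the GCM output; open strips it off and verifies the tag.
func seal(key, pt []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}
func open(key, blob []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if len(blob) < g.NonceSize() { return nil, errors.New("blob shorter than a nonce") } // malformed row, not a panic
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
func zero(b []byte) { for i := range b { b[i] = 0 } }
// Seal is the envelope: a fresh random DEK encrypts the payload, the KEK wraps the DEK (KeyProvider.Wrap), DEK zeroed.
func Seal(kek, pt []byte) (ct, wrapped []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return nil, nil, err }
	defer zero(dek)
	if ct, err = seal(dek, pt); err == nil { wrapped, err = seal(kek, dek) }
	return ct, wrapped, err
}
func Open(kek, ct, wrapped []byte) ([]byte, error) {
	dek, err := open(kek, wrapped) // KeyProvider.Unwrap
	if err != nil { return nil, err }
	defer zero(dek)
	return open(dek, ct)
}
// Rewrap rotates the wrapping key: unwrap under the old KEK, wrap under the new; ct is never touched.
func Rewrap(oldKEK, newKEK, wrapped []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrapped)
	if err != nil { return nil, err }
	defer zero(dek)
	return seal(newKEK, dek)
}
```

Open under the retired KEK fails once a credential has been re-wrapped, which is why the page stamps KeyID on each row so rotation can find what each key sealed.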
