Documentation
Overview
Package azkv contains an implementation of the github.com/getsops/sops/v3/keys.MasterKey interface that encrypts and decrypts the data key using Azure Key Vault with the Azure Key Vault Keys client module for Go.
Index
- Constants
- type ClientOptions
- type MasterKey
- func MasterKeysFromURLs(urls string) ([]*MasterKey, error)
- func NewMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey
- func NewMasterKeyFromURL(url string) (*MasterKey, error)
- func NewMasterKeyWithOptionalVersion(vaultURL string, keyName string, keyVersion string) (*MasterKey, error)
- func (key *MasterKey) Decrypt() ([]byte, error)
- func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error)
- func (key *MasterKey) Encrypt(dataKey []byte) error
- func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error
- func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error
- func (key *MasterKey) EncryptedDataKey() []byte
- func (key *MasterKey) NeedsRotation() bool
- func (key *MasterKey) SetEncryptedDataKey(enc []byte)
- func (key MasterKey) ToMap() map[string]interface{}
- func (key *MasterKey) ToString() string
- func (key *MasterKey) TypeToIdentifier() string
- type TokenCredential
Constants
const (
	// KeyTypeIdentifier is the string used to identify an Azure Key Vault MasterKey.
	KeyTypeIdentifier = "azure_kv"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type ClientOptions (added in v3.11.0)
type ClientOptions struct {
	// contains filtered or unexported fields
}
ClientOptions is a wrapper around azkeys.ClientOptions to allow configuration of the Azure Key Vault client.
func NewClientOptions (added in v3.11.0)
func NewClientOptions(o *azkeys.ClientOptions) *ClientOptions
NewClientOptions creates a new ClientOptions with the provided azkeys.ClientOptions.
func (ClientOptions) ApplyToMasterKey (added in v3.11.0)
func (c ClientOptions) ApplyToMasterKey(key *MasterKey)
ApplyToMasterKey configures the ClientOptions on the provided key.
type MasterKey
type MasterKey struct {
	// VaultURL of the Azure Key Vault. For example:
	// "https://myvault.vault.azure.net/".
	VaultURL string
	// Name of the Azure Key Vault key in the VaultURL.
	Name string
	// Version of the Azure Key Vault key. Can be empty.
	Version string
	// EncryptedKey contains the SOPS data key encrypted with the Azure Key
	// Vault key.
	EncryptedKey string
	// CreationDate of the MasterKey, used to determine if the EncryptedKey
	// needs rotation.
	CreationDate time.Time
	// contains filtered or unexported fields
}
MasterKey is an Azure Key Vault Key used to Encrypt and Decrypt SOPS' data key.
func MasterKeysFromURLs
func MasterKeysFromURLs(urls string) ([]*MasterKey, error)
MasterKeysFromURLs takes a comma separated list of Azure Key Vault URLs, and returns a slice of new MasterKeys.
func NewMasterKey
func NewMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey
NewMasterKey creates a new MasterKey from a URL, key name and (mandatory) version, setting the creation date to the current date.
func NewMasterKeyFromURL
func NewMasterKeyFromURL(url string) (*MasterKey, error)
NewMasterKeyFromURL takes an Azure Key Vault key URL, and returns a new MasterKey. The URL format is {vaultUrl}/keys/{keyName}/{keyVersion}.
func NewMasterKeyWithOptionalVersion (added in v3.11.0)
func NewMasterKeyWithOptionalVersion(vaultURL string, keyName string, keyVersion string) (*MasterKey, error)
NewMasterKeyWithOptionalVersion creates a new MasterKey from a URL, key name and (optional) version, setting the creation date to the current date.
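The three constructors above accept the same key reference in two shapes: a single URL of the form {vaultUrl}/keys/{keyName}/{keyVersion} (NewMasterKeyFromURL, with the version segment optional as in NewMasterKeyWithOptionalVersion), or a comma separated list of such URLs (MasterKeysFromURLs). The following stdlib-only Go program is an added example, not code from the sops project, showing how such a reference is split into the VaultURL, Name and Version fields of MasterKey and which malformed inputs a parser should reject. KeyRef, ParseKeyURL and ParseKeyURLs are hypothetical names, the sample vault URLs are constructed, and the real azkv parser may validate differently.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// KeyRef is a hypothetical stand-in for the three URL-derived fields of
// azkv.MasterKey (VaultURL, Name, Version); it is not the project's type.
type KeyRef struct {
	VaultURL string // e.g. "https://myvault.vault.azure.net/"
	Name     string // key name inside the vault
	Version  string // key version; empty when the URL omits it
}

// ParseKeyURL splits a key URL of the form
// {vaultUrl}/keys/{keyName}/{keyVersion} into its parts. The version
// segment is optional, mirroring NewMasterKeyWithOptionalVersion; the
// scheme must be https so a plaintext vault endpoint is rejected early.
func ParseKeyURL(raw string) (*KeyRef, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("invalid key URL %q: %w", raw, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("key URL %q must be https with a host", raw)
	}
	// Strip surrounding slashes so a trailing "/" does not yield an empty segment.
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	// Accept exactly ["keys", name] or ["keys", name, version]; an empty
	// name (e.g. ".../keys//version") is rejected.
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "keys" || parts[1] == "" {
		return nil, fmt.Errorf("key URL %q is not of the form {vaultUrl}/keys/{keyName}/{keyVersion}", raw)
	}
	ref := &KeyRef{
		// Keep the trailing slash, matching the VaultURL example in the MasterKey doc.
		VaultURL: u.Scheme + "://" + u.Host + "/",
		Name:     parts[1],
	}
	if len(parts) == 3 {
		ref.Version = parts[2]
	}
	return ref, nil
}

// ParseKeyURLs mirrors MasterKeysFromURLs: it takes a comma separated list
// of key URLs and returns one KeyRef per entry, failing on the first bad one.
func ParseKeyURLs(urls string) ([]*KeyRef, error) {
	var refs []*KeyRef
	for _, raw := range strings.Split(urls, ",") {
		if strings.TrimSpace(raw) == "" {
			continue // tolerate a trailing comma or blank entry
		}
		ref, err := ParseKeyURL(raw)
		if err != nil {
			return nil, err
		}
		refs = append(refs, ref)
	}
	return refs, nil
}

func main() {
	// Constructed sample input; these vaults and keys do not exist.
	const urls = "https://myvault.vault.azure.net/keys/sops-key/0123456789abcdef," +
		"https://other.vault.azure.net/keys/sops-key"
	refs, err := ParseKeyURLs(urls)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range refs {
		fmt.Printf("vault=%s name=%s version=%q\n", r.VaultURL, r.Name, r.Version)
	}
}
```

Leaving the version empty pins the reference to whatever the current version of the key is at decrypt time, which is what makes key rotation in the vault transparent to the encrypted file; pinning a version makes the reference stable but means a rotated key is not picked up until the file is re-encrypted.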
func (*MasterKey) Decrypt
func (key *MasterKey) Decrypt() ([]byte, error)
Decrypt decrypts the EncryptedKey field with Azure Key Vault and returns the result.
Consider using DecryptContext instead.
func (*MasterKey) DecryptContext (added in v3.11.0)
func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error)
DecryptContext decrypts the EncryptedKey field with Azure Key Vault and returns the result.
func (*MasterKey) Encrypt
func (key *MasterKey) Encrypt(dataKey []byte) error
Encrypt takes a SOPS data key, encrypts it with Azure Key Vault, and stores the result in the EncryptedKey field.
Consider using EncryptContext instead.
func (*MasterKey) EncryptContext (added in v3.11.0)
func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error
EncryptContext takes a SOPS data key, encrypts it with Azure Key Vault, and stores the result in the EncryptedKey field.
func (*MasterKey) EncryptIfNeeded
func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error
EncryptIfNeeded encrypts the provided SOPS data key, if it has not been encrypted yet.
func (*MasterKey) EncryptedDataKey
func (key *MasterKey) EncryptedDataKey() []byte
EncryptedDataKey returns the encrypted data key this master key holds.
func (*MasterKey) NeedsRotation
func (key *MasterKey) NeedsRotation() bool
NeedsRotation returns whether the data key needs to be rotated or not.
func (*MasterKey) SetEncryptedDataKey
func (key *MasterKey) SetEncryptedDataKey(enc []byte)
SetEncryptedDataKey sets the encrypted data key for this master key.
func (*MasterKey) TypeToIdentifier (added in v3.9.0)
func (key *MasterKey) TypeToIdentifier() string
TypeToIdentifier returns the string identifier for the MasterKey type.
type TokenCredential
type TokenCredential struct {
	// contains filtered or unexported fields
}
TokenCredential is an azcore.TokenCredential used for authenticating towards Azure Key Vault.
func NewTokenCredential
func NewTokenCredential(token azcore.TokenCredential) *TokenCredential
NewTokenCredential creates a new TokenCredential with the provided azcore.TokenCredential.
func (TokenCredential) ApplyToMasterKey
func (t TokenCredential) ApplyToMasterKey(key *MasterKey)
ApplyToMasterKey configures the TokenCredential on the provided key.