encryption

package
v0.83.15

This package is not in the latest version of its module.
Published: Apr 3, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateJWTKeysetsFromCloudKMS

func GenerateJWTKeysetsFromCloudKMS(keyUri string, credentialsJSON []byte) (privateEc256 []byte, publicEc256 []byte, err error)

func GenerateLocalKeys

func GenerateLocalKeys() (masterKey []byte, privateEc256 []byte, publicEc256 []byte, err error)

func InsecureHandleFromBytes added in v0.83.15

func InsecureHandleFromBytes(keysetBytes []byte) (*keyset.Handle, error)

InsecureHandleFromBytes reconstructs a keyset.Handle from a base64 raw-encoded JSON keyset without using a master key. It should only be used with public or cleartext keysets in trusted environments, as the key material is not encrypted at rest.

func NewCloudKMSEncryption

func NewCloudKMSEncryption(keyUri string, credentialsJSON, privateEc256, publicEc256 []byte) (*cloudkmsEncryptionService, error)

NewCloudKMSEncryption creates a GCP CloudKMS-backed encryption service.

func NewLocalEncryption

func NewLocalEncryption(masterKey []byte, privateEc256 []byte, publicEc256 []byte) (*localEncryptionService, error)

NewLocalEncryption creates a new local encryption service. keysetBytes is the raw keyset in base64-encoded JSON format. This can be generated by calling hatchet-admin keyset create-local.

Types

type EncryptionService

type EncryptionService interface {
	// Encrypt encrypts the given plaintext with the given data id. The data id is used to
	// associate the ciphertext with the data in the database.
	// For more information, see: https://developers.google.com/tink/client-side-encryption#kms_envelope_aead
	Encrypt(plaintext []byte, dataId string) ([]byte, error)

	// Decrypt decrypts the given ciphertext with the given data id. The data id is used to
	// associate the ciphertext with the data in the database.
	// For more information, see: https://developers.google.com/tink/client-side-encryption#kms_envelope_aead
	Decrypt(ciphertext []byte, dataId string) ([]byte, error)

	// EncryptString encrypts a string using base64 internally
	EncryptString(plaintext string, dataId string) (string, error)

	// DecryptString decrypts a string using base64 internally
	DecryptString(ciphertext string, dataId string) (string, error)

	// GetPrivateJWTHandle returns a private JWT handle. This is used to sign JWTs.
	GetPrivateJWTHandle() *keyset.Handle

	// GetPublicJWTHandle returns a public JWT handle. This is used to verify JWTs.
	GetPublicJWTHandle() *keyset.Handle
}
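
The Encrypt/Decrypt comments above say the data id associates a ciphertext with its database record. The sketch below is an added example, not code from this package: it assumes the data id acts as AEAD associated data, and it uses standard-library AES-256-GCM in place of Tink's KMS envelope AEAD. The names boundBox and newBoundBox, the key and the sample ids are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// boundBox is a hypothetical stand-in for an EncryptionService: stdlib
// AES-256-GCM (not Tink, no KMS) with dataId passed as associated data.
type boundBox struct{ aead cipher.AEAD }

func newBoundBox(key []byte) (*boundBox, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &boundBox{aead}, err
}

// EncryptString returns base64(nonce || ciphertext || tag), sealed under dataId.
func (b *boundBox) EncryptString(plaintext, dataId string) (string, error) {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := b.aead.Seal(nonce, nonce, []byte(plaintext), []byte(dataId))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptString fails if the ciphertext was modified or dataId differs.
func (b *boundBox) DecryptString(ciphertext, dataId string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(ciphertext)
	if err != nil || len(raw) < b.aead.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	n := b.aead.NonceSize()
	pt, err := b.aead.Open(nil, raw[:n], raw[n:], []byte(dataId))
	return string(pt), err
}

func main() {
	box, _ := newBoundBox(make([]byte, 32)) // constructed all-zero demo key
	ct, _ := box.EncryptString("s3cret-token", "tenant-a/api-token")
	_, err := box.DecryptString(ct, "tenant-b/api-token") // copied to another row
	fmt.Println("wrong dataId rejected:", err != nil)
}
```

Under this assumption, a ciphertext copied from one record to another fails authentication on decrypt, which is why the same data id must be supplied to both calls.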
