Documentation
Index ¶
- func HashBasic(ctx context.Context, value []byte) string
- type Argon2ParamsInterface
- type DEKOperations
- func (d *DEKOperations) DecryptDEKWithVersion(ctx context.Context, ciphertextDEK []byte, kekVersion int, ...) ([]byte, error)
- func (d *DEKOperations) EncryptDEK(ctx context.Context, plaintextDEK []byte, versionManager KMSVersionManager) ([]byte, error)
- func (d *DEKOperations) GenerateDEK() ([]byte, error)
- type DataEncryption
- func (e *DataEncryption) DecryptData(ctx context.Context, ciphertext []byte, dek []byte) ([]byte, error)
- func (e *DataEncryption) DecryptStream(ctx context.Context, reader io.Reader, writer io.Writer, dek []byte) error
- func (e *DataEncryption) EncryptData(ctx context.Context, plaintext []byte, dek []byte) ([]byte, error)
- func (e *DataEncryption) EncryptStream(ctx context.Context, reader io.Reader, writer io.Writer, dek []byte) error
- type HashingOperations
- func (h *HashingOperations) CompareBasicHashAndValue(ctx context.Context, value any, hashValue string) (bool, error)
- func (h *HashingOperations) CompareSecureHashAndValue(ctx context.Context, value any, hashValue string) (bool, error)
- func (h *HashingOperations) HashBasic(ctx context.Context, value []byte) string
- func (h *HashingOperations) HashSecure(ctx context.Context, value []byte) (string, error)
- type KMSVersionManager
- type KeyManagementService
- type KeyRotationOperations
- type KeyRotationService
- type ObservabilityHook
Functions ¶
Types ¶
type Argon2ParamsInterface ¶
// Argon2ParamsInterface exposes the Argon2 cost and size parameters that
// HashingOperations reads when producing a secure hash (NewHashingOperations
// takes an implementation of this interface; HashSecure uses it together with
// the pepper).
type Argon2ParamsInterface interface {
	// GetMemory returns the Argon2 memory cost. The unit is not stated here
	// (KiB is the usual Argon2 convention) — confirm against the implementation.
	GetMemory() uint32
	// GetIterations returns the Argon2 time cost (iteration count).
	GetIterations() uint32
	// GetParallelism returns the Argon2 degree of parallelism.
	GetParallelism() uint8
	// GetSaltLength returns the salt length, presumably in bytes — confirm.
	GetSaltLength() uint32
	// GetKeyLength returns the length of the derived hash output, presumably in bytes — confirm.
	GetKeyLength() uint32
}
Argon2ParamsInterface defines the interface for Argon2 parameters
type DEKOperations ¶
type DEKOperations struct {
// contains filtered or unexported fields
}
DEKOperations handles Data Encryption Key operations
func NewDEKOperations ¶
func NewDEKOperations(kmsService KeyManagementService, kekAlias string) (*DEKOperations, error)
NewDEKOperations creates a new DEKOperations instance
func (*DEKOperations) DecryptDEKWithVersion ¶
func (d *DEKOperations) DecryptDEKWithVersion(ctx context.Context, ciphertextDEK []byte, kekVersion int, versionManager KMSVersionManager) ([]byte, error)
DecryptDEKWithVersion decrypts the DEK using the KEK version it was encrypted with. Callers must store the KEK version alongside the encrypted DEK in their data records so the correct KEK can be selected on decryption.
func (*DEKOperations) EncryptDEK ¶
func (d *DEKOperations) EncryptDEK(ctx context.Context, plaintextDEK []byte, versionManager KMSVersionManager) ([]byte, error)
EncryptDEK encrypts the DEK using the current active KEK.
func (*DEKOperations) GenerateDEK ¶
func (d *DEKOperations) GenerateDEK() ([]byte, error)
GenerateDEK generates a new Data Encryption Key.
type DataEncryption ¶
// DataEncryption performs data encryption and decryption with a caller-supplied
// DEK (see EncryptData, DecryptData, EncryptStream and DecryptStream). It holds
// no state of its own; the DEK is passed to every call.
type DataEncryption struct{}
DataEncryption handles data encryption and decryption operations
func NewDataEncryption ¶
func NewDataEncryption() *DataEncryption
NewDataEncryption creates a new DataEncryption instance
func (*DataEncryption) DecryptData ¶
func (e *DataEncryption) DecryptData(ctx context.Context, ciphertext []byte, dek []byte) ([]byte, error)
DecryptData decrypts the provided ciphertext using the provided DEK.
func (*DataEncryption) DecryptStream ¶
func (e *DataEncryption) DecryptStream(ctx context.Context, reader io.Reader, writer io.Writer, dek []byte) error
DecryptStream decrypts data from an io.Reader to an io.Writer using the provided DEK.
func (*DataEncryption) EncryptData ¶
func (e *DataEncryption) EncryptData(ctx context.Context, plaintext []byte, dek []byte) ([]byte, error)
EncryptData encrypts the provided data using the provided DEK.
type HashingOperations ¶
type HashingOperations struct {
// contains filtered or unexported fields
}
HashingOperations handles basic and secure hashing operations
func NewHashingOperations ¶
func NewHashingOperations(pepper []byte, argon2Params Argon2ParamsInterface) (*HashingOperations, error)
NewHashingOperations creates a new HashingOperations instance
func (*HashingOperations) CompareBasicHashAndValue ¶
func (h *HashingOperations) CompareBasicHashAndValue(ctx context.Context, value any, hashValue string) (bool, error)
CompareBasicHashAndValue reports whether hashValue is the basic hash of value, as produced by HashBasic.
func (*HashingOperations) CompareSecureHashAndValue ¶
func (h *HashingOperations) CompareSecureHashAndValue(ctx context.Context, value any, hashValue string) (bool, error)
CompareSecureHashAndValue reports whether hashValue is the secure hash of value, as produced by HashSecure.
func (*HashingOperations) HashBasic ¶
func (h *HashingOperations) HashBasic(ctx context.Context, value []byte) string
HashBasic performs a basic SHA256 hash on the byte representation of the input.
func (*HashingOperations) HashSecure ¶
func (h *HashingOperations) HashSecure(ctx context.Context, value []byte) (string, error)
HashSecure performs a secure Argon2id hash on the byte representation of the input, incorporating the configured Argon2 parameters and pepper.
type KMSVersionManager ¶
// KMSVersionManager resolves KEK versions for an alias so that a DEK can be
// wrapped under the current KEK and later unwrapped under the KEK version it
// was stored with (see EncryptDEK and DecryptDEKWithVersion).
type KMSVersionManager interface {
	// GetCurrentKEKVersion returns the active KEK version for alias.
	GetCurrentKEKVersion(ctx context.Context, alias string) (int, error)
	// GetKMSKeyIDForVersion returns the KMS key ID backing the given KEK
	// version of alias. NOTE(review): a version that cannot be resolved should
	// surface as an error rather than being mapped to another key — confirm
	// with the implementations.
	GetKMSKeyIDForVersion(ctx context.Context, alias string, version int) (string, error)
}
KMSVersionManager handles KEK version management for crypto operations
type KeyManagementService ¶
// KeyManagementService is the minimal KMS surface the crypto package needs:
// wrapping and unwrapping a DEK under a KMS-held key identified by keyID.
// The keyID is presumably obtained through KMSVersionManager — confirm with
// the DEKOperations methods, which take a version manager.
type KeyManagementService interface {
	// EncryptDEK encrypts plaintext (a DEK) under the KMS key keyID and
	// returns the resulting ciphertext.
	EncryptDEK(ctx context.Context, keyID string, plaintext []byte) ([]byte, error)
	// DecryptDEK decrypts ciphertext produced by EncryptDEK under the same
	// KMS key keyID and returns the plaintext DEK.
	DecryptDEK(ctx context.Context, keyID string, ciphertext []byte) ([]byte, error)
}
KeyManagementService defines the interface for the KMS operations needed by the crypto package.
type KeyRotationOperations ¶
type KeyRotationOperations struct {
// contains filtered or unexported fields
}
KeyRotationOperations handles key rotation operations
func NewKeyRotationOperations ¶
func NewKeyRotationOperations(kmsService KeyRotationService, kekAlias string, keyMetadataDB *sql.DB, observability ObservabilityHook) (*KeyRotationOperations, error)
NewKeyRotationOperations creates a new KeyRotationOperations instance
func (*KeyRotationOperations) EnsureInitialKEK ¶
func (kr *KeyRotationOperations) EnsureInitialKEK(ctx context.Context, versionManager KMSVersionManager) error
EnsureInitialKEK checks if a KEK exists for the given alias and creates one if not.
func (*KeyRotationOperations) RotateKEK ¶
func (kr *KeyRotationOperations) RotateKEK(ctx context.Context, versionManager KMSVersionManager) error
RotateKEK generates a new KEK and updates the metadata database.
type KeyRotationService ¶
// KeyRotationService extends KeyManagementService with the operations
// KeyRotationOperations needs to create and look up KEKs by alias.
type KeyRotationService interface {
	KeyManagementService
	// CreateKey creates a new KMS key for alias and returns its key ID.
	CreateKey(ctx context.Context, alias string) (string, error)
	// GetKeyID returns the KMS key ID associated with alias.
	GetKeyID(ctx context.Context, alias string) (string, error)
}
KeyRotationService extends KeyManagementService for rotation operations
type ObservabilityHook ¶
// ObservabilityHook receives lifecycle, error and key events from key
// operations (it is supplied to NewKeyRotationOperations). The methods return
// nothing, so an implementation observes an operation but cannot change its
// outcome. NOTE(review): metadata is free-form and is likely forwarded to logs
// or metrics; confirm that callers never place key material or plaintext in it.
type ObservabilityHook interface {
	// OnProcessStart is invoked when operation begins.
	OnProcessStart(ctx context.Context, operation string, metadata map[string]any)
	// OnProcessComplete is invoked when operation finishes, with its duration
	// and the error it ended with (nil on success).
	OnProcessComplete(ctx context.Context, operation string, duration time.Duration, err error, metadata map[string]any)
	// OnError is invoked when operation fails with err.
	OnError(ctx context.Context, operation string, err error, metadata map[string]any)
	// OnKeyOperation reports a key-specific event for alias at the given KEK version.
	OnKeyOperation(ctx context.Context, operation string, alias string, version int, metadata map[string]any)
}
ObservabilityHook defines observability operations for monitoring