- func HashBasic(ctx context.Context, value []byte) string
- type Argon2ParamsInterface
- type DEKOperations
- func (d *DEKOperations) DecryptDEKWithVersion(ctx context.Context, ciphertextDEK []byte, kekVersion int, ...) ([]byte, error)
- func (d *DEKOperations) EncryptDEK(ctx context.Context, plaintextDEK []byte, versionManager KMSVersionManager) ([]byte, error)
- func (d *DEKOperations) GenerateDEK() ([]byte, error)
- type DataEncryption
- func (e *DataEncryption) DecryptData(ctx context.Context, ciphertext []byte, dek []byte) ([]byte, error)
- func (e *DataEncryption) DecryptStream(ctx context.Context, reader io.Reader, writer io.Writer, dek []byte) error
- func (e *DataEncryption) EncryptData(ctx context.Context, plaintext []byte, dek []byte) ([]byte, error)
- func (e *DataEncryption) EncryptStream(ctx context.Context, reader io.Reader, writer io.Writer, dek []byte) error
- type HashingOperations
- func (h *HashingOperations) CompareBasicHashAndValue(ctx context.Context, value any, hashValue string) (bool, error)
- func (h *HashingOperations) CompareSecureHashAndValue(ctx context.Context, value any, hashValue string) (bool, error)
- func (h *HashingOperations) HashBasic(ctx context.Context, value []byte) string
- func (h *HashingOperations) HashSecure(ctx context.Context, value []byte) (string, error)
- type KMSVersionManager
- type KeyManagementService
- type KeyRotationOperations
- type KeyRotationService
- type ObservabilityHook
type Argon2ParamsInterface ¶
type Argon2ParamsInterface interface {
	// GetMemory returns the Argon2 memory cost parameter (units are not stated here — confirm against the implementation).
	GetMemory() uint32
	// GetIterations returns the Argon2 time cost (number of passes).
	GetIterations() uint32
	// GetParallelism returns the Argon2 degree of parallelism (lanes).
	GetParallelism() uint8
	// GetSaltLength returns the salt length used by HashSecure (presumably bytes — verify).
	GetSaltLength() uint32
	// GetKeyLength returns the length of the derived hash output (presumably bytes — verify).
	GetKeyLength() uint32
}
Argon2ParamsInterface defines the interface for Argon2 parameters
type DEKOperations ¶
type DEKOperations struct {
// contains filtered or unexported fields
}
DEKOperations handles Data Encryption Key operations
func NewDEKOperations ¶
func NewDEKOperations(kmsService KeyManagementService, kekAlias string) (*DEKOperations, error)
NewDEKOperations creates a new DEKOperations instance
func (*DEKOperations) DecryptDEKWithVersion ¶
func (d *DEKOperations) DecryptDEKWithVersion(ctx context.Context, ciphertextDEK []byte, kekVersion int, versionManager KMSVersionManager) ([]byte, error)
DecryptDEKWithVersion decrypts ciphertextDEK using the KEK version (kekVersion) it was encrypted with, resolving that version to a KMS key through versionManager. You must store the KEK version alongside the encrypted DEK in your data records; without it the correct KEK cannot be selected after a rotation. The KMS key for every version that still protects stored DEKs must remain available, so do not disable or delete old keys until the DEKs wrapped under them have been re-wrapped (see RotateKEK).
func (*DEKOperations) EncryptDEK ¶
func (d *DEKOperations) EncryptDEK(ctx context.Context, plaintextDEK []byte, versionManager KMSVersionManager) ([]byte, error)
EncryptDEK encrypts plaintextDEK using the current active KEK (presumably the version reported by versionManager.GetCurrentKEKVersion). Only the ciphertext is returned; the KEK version that was used is not part of the result, so callers must look it up themselves and persist it with the ciphertext for later use with DecryptDEKWithVersion. Be aware that a rotation landing between that lookup and this call could leave the stored version out of step with the key actually used.
func (*DEKOperations) GenerateDEK ¶
func (d *DEKOperations) GenerateDEK() ([]byte, error)
GenerateDEK generates a new Data Encryption Key. The plaintext DEK should be kept only in memory for as long as it is needed and never persisted or logged unencrypted; wrap it with EncryptDEK before storing it.
type DataEncryption ¶
type DataEncryption struct{}
DataEncryption handles data encryption and decryption operations
func NewDataEncryption ¶
func NewDataEncryption() *DataEncryption
NewDataEncryption creates a new DataEncryption instance
func (*DataEncryption) DecryptData ¶
func (e *DataEncryption) DecryptData(ctx context.Context, ciphertext []byte, dek []byte) ([]byte, error)
DecryptData decrypts ciphertext produced by EncryptData using the provided DEK. Treat any non-nil error as a hard failure and discard the returned bytes.
func (*DataEncryption) DecryptStream ¶
func (e *DataEncryption) DecryptStream(ctx context.Context, reader io.Reader, writer io.Writer, dek []byte) error
DecryptStream decrypts data from an io.Reader to an io.Writer using the provided DEK. Check the returned error before trusting anything written to writer: in a streaming decrypt, output may already have been written by the time an error is reported.
func (*DataEncryption) EncryptData ¶
func (e *DataEncryption) EncryptData(ctx context.Context, plaintext []byte, dek []byte) ([]byte, error)
EncryptData encrypts plaintext using the provided DEK and returns the ciphertext, which DecryptData accepts with the same DEK.
type HashingOperations ¶
type HashingOperations struct {
// contains filtered or unexported fields
}
HashingOperations handles basic and secure hashing operations
func NewHashingOperations ¶
func NewHashingOperations(pepper []byte, argon2Params Argon2ParamsInterface) (*HashingOperations, error)
NewHashingOperations creates a new HashingOperations instance using the given pepper and Argon2 parameters. The pepper is a secret input to HashSecure: store it outside the database that holds the hashes (for example in a secrets manager), and plan a re-hash migration before changing it, since hashes produced with the old pepper are expected to stop verifying.
func (*HashingOperations) CompareBasicHashAndValue ¶
func (h *HashingOperations) CompareBasicHashAndValue(ctx context.Context, value any, hashValue string) (bool, error)
CompareBasicHashAndValue compares a basic hash with a value. The value parameter can be of any type and will be serialized internally using the compact serializer. This serialization must match the serialization used when generating the hash with HashBasic. Because HashBasic is a plain SHA256 hash, this comparison is only appropriate for non-secret values (deduplication, change detection); use HashSecure and CompareSecureHashAndValue for passwords or other secrets.
func (*HashingOperations) CompareSecureHashAndValue ¶
func (h *HashingOperations) CompareSecureHashAndValue(ctx context.Context, value any, hashValue string) (bool, error)
CompareSecureHashAndValue compares a secure hash with a value. The value parameter can be of any type and will be serialized internally using the compact serializer. This serialization must match the serialization used when generating the hash with HashSecure.
func (*HashingOperations) HashBasic ¶
func (h *HashingOperations) HashBasic(ctx context.Context, value []byte) string
HashBasic performs a basic SHA256 hash on the byte representation of the input; no pepper is involved, so the output is deterministic for a given input. The input value should be serialized bytes. This is suitable for integrity checks or lookups of non-secret data, not for passwords or low-entropy secrets — use HashSecure for those. For comparing hashed values, use CompareBasicHashAndValue which handles serialization internally.
func (*HashingOperations) HashSecure ¶
func (h *HashingOperations) HashSecure(ctx context.Context, value []byte) (string, error)
HashSecure performs a secure Argon2id hash on the byte representation of the input, incorporating the configured Argon2 parameters and pepper. The input value should be serialized bytes. Because a pepper is incorporated, the same pepper must be supplied to the HashingOperations used for later verification. For comparing hashed values, use CompareSecureHashAndValue which handles serialization internally.
type KMSVersionManager ¶
type KMSVersionManager interface {
	// GetCurrentKEKVersion returns the active KEK version for alias; EncryptDEK
	// takes this manager to select the current KEK (see EncryptDEK docs).
	GetCurrentKEKVersion(ctx context.Context, alias string) (int, error)
	// GetKMSKeyIDForVersion resolves alias+version to the KMS key ID that was
	// used for that version, so DecryptDEKWithVersion can unwrap old DEKs after
	// a rotation. Implementations must keep returning IDs for every version
	// that still protects stored data.
	GetKMSKeyIDForVersion(ctx context.Context, alias string, version int) (string, error)
}
KMSVersionManager handles KEK version management for crypto operations: it reports the active version for an alias and maps any historical version back to the KMS key ID that was used for it.
type KeyManagementService ¶
type KeyManagementService interface {
	// EncryptDEK wraps a plaintext DEK under the KMS key identified by keyID
	// and returns the ciphertext. The plaintext must not be logged or persisted.
	EncryptDEK(ctx context.Context, keyID string, plaintext []byte) ([]byte, error)
	// DecryptDEK unwraps ciphertext produced by EncryptDEK under keyID. A non-nil
	// error must be treated as a hard failure; the returned bytes are then unusable.
	DecryptDEK(ctx context.Context, keyID string, ciphertext []byte) ([]byte, error)
}
KeyManagementService defines the interface for the KMS operations needed by the crypto package: wrapping and unwrapping DEKs under a KMS key identified by its key ID.
type KeyRotationOperations ¶
type KeyRotationOperations struct {
// contains filtered or unexported fields
}
KeyRotationOperations handles key rotation operations
func NewKeyRotationOperations ¶
func NewKeyRotationOperations(kmsService KeyRotationService, kekAlias string, keyMetadataDB *sql.DB, observability ObservabilityHook) (*KeyRotationOperations, error)
NewKeyRotationOperations creates a new KeyRotationOperations instance
func (*KeyRotationOperations) EnsureInitialKEK ¶
func (kr *KeyRotationOperations) EnsureInitialKEK(ctx context.Context, versionManager KMSVersionManager) error
EnsureInitialKEK checks if a KEK exists for the given alias and creates one if not. Call it during startup, before any EncryptDEK call, so the first encryption does not fail for lack of a KEK.
func (*KeyRotationOperations) RotateKEK ¶
func (kr *KeyRotationOperations) RotateKEK(ctx context.Context, versionManager KMSVersionManager) error
RotateKEK generates a new KEK and updates the metadata database so that subsequent EncryptDEK calls use the new version. Nothing in its signature suggests it re-wraps existing DEKs; assume they stay encrypted under the KEK version recorded with them, which means the earlier KMS keys must remain enabled until every DEK has been re-wrapped (decrypt with DecryptDEKWithVersion, re-encrypt with EncryptDEK, store the new version).
type KeyRotationService ¶
type KeyRotationService interface {
	// Wrapping/unwrapping operations shared with the non-rotating service.
	KeyManagementService
	// CreateKey creates a new KMS key for alias and returns its key ID; used by
	// EnsureInitialKEK and RotateKEK. Needs key-creation privileges in the KMS,
	// which the plain KeyManagementService does not — scope credentials accordingly.
	CreateKey(ctx context.Context, alias string) (string, error)
	// GetKeyID returns the KMS key ID currently associated with alias (presumably
	// the active one — confirm against the implementation).
	GetKeyID(ctx context.Context, alias string) (string, error)
}
KeyRotationService extends KeyManagementService with the key-creation and lookup operations needed for rotation. Credentials used for this interface need key-creation rights in the KMS; keep them separate from the narrower credentials that only wrap and unwrap DEKs.
type ObservabilityHook ¶
type ObservabilityHook interface {
	// OnProcessStart is invoked when an operation begins.
	OnProcessStart(ctx context.Context, operation string, metadata map[string]any)
	// OnProcessComplete is invoked when an operation finishes, with its duration and error (nil on success).
	OnProcessComplete(ctx context.Context, operation string, duration time.Duration, err error, metadata map[string]any)
	// OnError is invoked when an operation fails.
	OnError(ctx context.Context, operation string, err error, metadata map[string]any)
	// OnKeyOperation is invoked for key lifecycle events on a given alias/version.
	// Implementations must never place key material or plaintext in metadata or logs;
	// alias and version are the only key identifiers that should be emitted.
	OnKeyOperation(ctx context.Context, operation string, alias string, version int, metadata map[string]any)
}
ObservabilityHook defines observability operations for monitoring key and crypto operations. Implementations receive aliases, versions and metadata, and must take care never to emit key material or plaintext in logs or metrics.