Documentation
Index
- func AADDEKWrap(vaultID, itemID string, epoch uint64, ver int) []byte
- func AADFieldContent(vaultID, itemID, fieldName string, itemVersion uint64, epoch uint64, ver int) []byte
- func AADKEKWrap(vaultID, memberID string, epoch uint64, ver int) []byte
- func AADRecord(vaultID, recordType, recordID string, epoch uint64, ver int) []byte
- func DeriveRecordKey(muk []byte, vaultID string) ([]byte, error)
- func OpenFromMember(recipientPriv [32]byte, wrap *SealedWrap, aad []byte) ([]byte, error)
- type SealedWrap
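Constants
This section is empty.
Variables
This section is empty.
Functions
func AADFieldContent
func AADFieldContent(vaultID, itemID, fieldName string, itemVersion uint64, epoch uint64, ver int) []byte
func DeriveRecordKey
func DeriveRecordKey(muk []byte, vaultID string) ([]byte, error)
DeriveRecordKey derives a vault-specific record encryption key from the MUK.
func OpenFromMember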
func OpenFromMember(recipientPriv [32]byte, wrap *SealedWrap, aad []byte) ([]byte, error)
OpenFromMember decrypts a KEK using the recipient's X25519 private key.
Types
type SealedWrap
type SealedWrap struct {
	Ver        int      `json:"ver"`
	EphPub     [32]byte `json:"eph_pub"`
	Salt       []byte   `json:"salt"`
	Nonce      []byte   `json:"nonce"`
	Ciphertext []byte   `json:"ciphertext"`
}
SealedWrap holds the result of sealing a KEK to a member's X25519 public key.
func SealToMember
func SealToMember(recipientPub [32]byte, plaintextKEK []byte, aad []byte) (*SealedWrap, error)
SealToMember encrypts a KEK to a recipient's X25519 public key using ephemeral ECDH + HKDF + AES-256-GCM.
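The construction named above (ephemeral X25519 ECDH, then HKDF, then AES-256-GCM with AAD), written out as an added example; it is not this package's source. HKDF-SHA256 (hand-rolled from crypto/hmac for a single output block), the info label, the 32-byte salt, the 12-byte nonce and the names Sealed, Seal, Open and aeadFor are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Sealed struct{ EphPub, Salt, Nonce, Ciphertext []byte } // SealedWrap's fields minus Ver; names are assumptions
func aeadFor(priv *ecdh.PrivateKey, pub, salt []byte) (cipher.AEAD, error) {
	pk, err := ecdh.X25519().NewPublicKey(pub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pk) // errors when the result is all zeros (low-order point)
	if err != nil {
		return nil, err
	}
	ext := hmac.New(sha256.New, salt) // HKDF-Extract: PRK = HMAC(salt, shared)
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // HKDF-Expand, first 32-byte block only
	exp.Write([]byte("example-kek-wrap\x01")) // hypothetical info label + block counter
	block, _ := aes.NewCipher(exp.Sum(nil))   // key is always 32 bytes, so no error
	return cipher.NewGCM(block)
}

func Seal(recipientPub, kek, aad []byte) (*Sealed, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair for every wrap
	rnd := make([]byte, 44)                            // 32-byte salt + 12-byte GCM nonce
	if _, rerr := rand.Read(rnd); err != nil || rerr != nil {
		return nil, errors.New("entropy source failed")
	}
	aead, err := aeadFor(eph, recipientPub, rnd[:32])
	if err != nil {
		return nil, err
	}
	return &Sealed{eph.PublicKey().Bytes(), rnd[:32], rnd[32:], aead.Seal(nil, rnd[32:], kek, aad)}, nil
}

func Open(priv *ecdh.PrivateKey, w *Sealed, aad []byte) ([]byte, error) {
	aead, err := aeadFor(priv, w.EphPub, w.Salt)
	if err != nil || len(w.Nonce) != aead.NonceSize() { // a wrong-length nonce would panic in GCM
		return nil, errors.New("malformed wrap")
	}
	return aead.Open(nil, w.Nonce, w.Ciphertext, aad) // fails if aad or ciphertext changed
}
```

Opening with an AAD that differs in any byte fails GCM authentication, which is what ties a wrapped KEK to the context the AAD encodes.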