Overview ¶
Package keys contains various encryption KeyHandler implementations.
Index ¶
Constants ¶
const (
	// TokenTypeKMS identifies the KMS-assisted encryption token type.
	TokenTypeKMS = "sideroKMS"
	// TokenTypeTPM identifies the TPM-assisted encryption token type.
	TokenTypeTPM = "talos-tpm2"
)
Variables ¶
var ErrTokenInvalid = errors.New("invalid token")
ErrTokenInvalid is returned by the keys handler if the supplied token is not valid.
Functions ¶
This section is empty.
Types ¶
type Handler ¶
type Handler interface {
NewKey(context.Context) (*encryption.Key, token.Token, error)
GetKey(context.Context, token.Token) (*encryption.Key, error)
Slot() int
}
Handler manages key lifecycle.
func NewHandler ¶
func NewHandler(cfg block.EncryptionKey, options ...KeyOption) (Handler, error)
NewHandler creates a new key handler using the provided config.
func NewSaltedHandler ¶ added in v1.11.0
func NewSaltedHandler(wrapped Handler, saltGetter helpers.SaltGetter) Handler
NewSaltedHandler creates a new handler that wraps the provided key handler and uses the provided salt getter.
type KMSKeyHandler ¶ added in v1.5.0
type KMSKeyHandler struct {
KeyHandler
// contains filtered or unexported fields
}
KMSKeyHandler seals the token using the KMS service.
func NewKMSKeyHandler ¶ added in v1.5.0
func NewKMSKeyHandler(key KeyHandler, kmsEndpoint string, getSystemInfo helpers.SystemInformationGetter) (*KMSKeyHandler, error)
NewKMSKeyHandler creates new KMSKeyHandler.
func (*KMSKeyHandler) GetKey ¶ added in v1.5.0
func (h *KMSKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)
GetKey implements Handler interface.
func (*KMSKeyHandler) NewKey ¶ added in v1.5.0
func (h *KMSKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements Handler interface.
type KMSToken ¶ added in v1.5.0
type KMSToken struct {
SealedData []byte `json:"sealedData"`
}
KMSToken is the userdata stored in the partition token metadata.
type KeyHandler ¶ added in v1.5.0
type KeyHandler struct {
// contains filtered or unexported fields
}
KeyHandler is the base type embedded by all key handlers.
func (*KeyHandler) Slot ¶ added in v1.5.0
func (k *KeyHandler) Slot() int
Slot implements Handler interface.
type KeyOption ¶
type KeyOption func(o *KeyOptions) error
KeyOption represents a key option callback used in the KeyHandler.GetKey func.
func WithSaltGetter ¶ added in v1.11.0
func WithSaltGetter(getter helpers.SaltGetter) KeyOption
WithSaltGetter passes the salt getter to the key handler.
func WithSystemInformationGetter ¶ added in v1.5.0
func WithSystemInformationGetter(getter helpers.SystemInformationGetter) KeyOption
WithSystemInformationGetter passes the system information getter, used to obtain the node UUID, to the key handler.
func WithTPMLocker ¶ added in v1.10.0
func WithTPMLocker(locker helpers.TPMLockFunc) KeyOption
WithTPMLocker passes the TPM locker to the key handler.
func WithVolumeID ¶ added in v1.8.0
WithVolumeID passes the partition label to the key handler.
type KeyOptions ¶
type KeyOptions struct {
VolumeID string
GetSystemInformation helpers.SystemInformationGetter
TPMLocker helpers.TPMLockFunc
SaltGetter helpers.SaltGetter
}
KeyOptions is the set of options to be used in the KeyHandler.GetKey func.
func NewDefaultOptions ¶
func NewDefaultOptions(options []KeyOption) (*KeyOptions, error)
NewDefaultOptions creates new KeyOptions.
type NodeIDKeyHandler ¶
type NodeIDKeyHandler struct {
KeyHandler
// contains filtered or unexported fields
}
NodeIDKeyHandler generates the key from the current node information and the provided template string.
func NewNodeIDKeyHandler ¶
func NewNodeIDKeyHandler(key KeyHandler, partitionLabel string, systemInfoGetter helpers.SystemInformationGetter) *NodeIDKeyHandler
NewNodeIDKeyHandler creates new NodeIDKeyHandler.
func (*NodeIDKeyHandler) GetKey ¶
func (h *NodeIDKeyHandler) GetKey(ctx context.Context, _ token.Token) (*encryption.Key, error)
GetKey implements Handler interface.
func (*NodeIDKeyHandler) NewKey ¶ added in v1.5.0
func (h *NodeIDKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements Handler interface.
type SaltedHandler ¶ added in v1.11.0
type SaltedHandler struct {
// contains filtered or unexported fields
}
SaltedHandler is a key handler wrapper that salts the key with a provided random salt.
func (*SaltedHandler) GetKey ¶ added in v1.11.0
func (k *SaltedHandler) GetKey(ctx context.Context, token token.Token) (*encryption.Key, error)
GetKey implements the keys.Handler interface.
func (*SaltedHandler) NewKey ¶ added in v1.11.0
func (k *SaltedHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements the keys.Handler interface.
func (*SaltedHandler) Slot ¶ added in v1.11.0
func (k *SaltedHandler) Slot() int
Slot implements the keys.Handler interface.
type StaticKeyHandler ¶
type StaticKeyHandler struct {
KeyHandler
// contains filtered or unexported fields
}
StaticKeyHandler always handles the same static key value.
func NewStaticKeyHandler ¶
func NewStaticKeyHandler(key KeyHandler, data []byte) *StaticKeyHandler
NewStaticKeyHandler creates a new StaticKeyHandler.
func (*StaticKeyHandler) GetKey ¶
func (h *StaticKeyHandler) GetKey(context.Context, token.Token) (*encryption.Key, error)
GetKey implements Handler interface.
func (*StaticKeyHandler) NewKey ¶ added in v1.5.0
func (h *StaticKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements Handler interface.
type TPMKeyHandler ¶ added in v1.5.0
type TPMKeyHandler struct {
KeyHandler
// contains filtered or unexported fields
}
TPMKeyHandler seals the token using the TPM.
func NewTPMKeyHandler ¶ added in v1.5.0
func NewTPMKeyHandler(key KeyHandler, checkSecurebootOnEnroll bool, tpmLocker helpers.TPMLockFunc) (*TPMKeyHandler, error)
NewTPMKeyHandler creates new TPMKeyHandler.
func (*TPMKeyHandler) GetKey ¶ added in v1.5.0
func (h *TPMKeyHandler) GetKey(ctx context.Context, t token.Token) (*encryption.Key, error)
GetKey implements Handler interface.
func (*TPMKeyHandler) NewKey ¶ added in v1.5.0
func (h *TPMKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error)
NewKey implements Handler interface.
type TPMToken ¶ added in v1.5.0
type TPMToken struct {
KeySlots []int `json:"keyslots"`
SealedBlobPrivate []byte `json:"sealed_blob_private"`
SealedBlobPublic []byte `json:"sealed_blob_public"`
PCRs []int `json:"pcrs"`
Alg string `json:"alg"`
PolicyHash []byte `json:"policy_hash"`
KeyName []byte `json:"key_name"`
}
TPMToken is the userdata stored in the partition token metadata.