Package external (v1.13.1)
Published: Apr 4, 2026 License: MPL-2.0 Imports: 13 Imported by: 0

README

External encryption method

[!WARNING] This file is not end-user documentation; it is intended for developers. Please follow the user documentation on the OpenTofu website unless you want to work on the encryption code.

This directory contains the external encryption method. You can configure it like this:

terraform {
  encryption {
    method "external" "foo" {
      keys = key_provider.some.provider
      encrypt_command = ["/path/to/binary", "arg1", "arg2"]
      decrypt_command = ["/path/to/binary", "arg1", "arg2"]
    }
  }
}

The external method must implement the following protocol:

  1. On start, the method binary must emit the header line matching the header schema on the standard output.
  2. OpenTofu supplies the input metadata matching the input schema on the standard input.
  3. The method binary must emit the output matching the output schema on the standard output.
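As an added example (not code from this package or the OpenTofu/Ghoten project), a minimal external method binary in Go that walks these three steps: it prints the header, reads one InputV1 request from stdin, exits non-zero when the key is absent, and writes an OutputV1 message. The cipher (AES-GCM with the nonce prefixed to the ciphertext) and the `encrypt`/`decrypt` command-line argument are this example's own assumptions, not part of the protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"os"
)

// HeaderLine is protocol step 1: the single JSON line printed before anything else (Magic, Version 1).
const HeaderLine = `{"magic":"Ghoten-External-Encryption-Method","version":1}` + "\n"
// Handle covers steps 2 and 3: decode one InputV1 request and return the OutputV1 JSON (AES-GCM with a random nonce prefixed to the ciphertext is this example's own choice of cipher).
func Handle(request []byte, encrypt bool) ([]byte, error) {
	var in struct{ Key, Payload []byte } // as InputV1: json matches names case-insensitively, base64-decodes []byte
	if err := json.Unmarshal(request, &in); err != nil {
		return nil, err
	}
	// An absent key leaves in.Key nil; NewCipher rejects it (and any non-16/24/32-byte key) so we exit non-zero.
	block, err := aes.NewCipher(in.Key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // only errors for non-16-byte block sizes; AES is always 16
	n, out := gcm.NonceSize(), []byte(nil)
	if encrypt {
		nonce := make([]byte, n)
		if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		out = gcm.Seal(nonce, nonce, in.Payload, nil)
	} else if len(in.Payload) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	} else if out, err = gcm.Open(nil, in.Payload[:n], in.Payload[n:], nil); err != nil {
		return nil, err // wrong key or tampered ciphertext
	}
	return json.Marshal(map[string][]byte{"payload": out}) // OutputV1 shape
}
func main() { // usage: <binary> encrypt|decrypt, with the request JSON on stdin
	fmt.Print(HeaderLine)
	req, _ := io.ReadAll(os.Stdin)
	resp, err := Handle(req, len(os.Args) > 1 && os.Args[1] == "encrypt")
	if err != nil {
		log.Fatal(err) // non-zero exit, as the protocol requires
	}
	fmt.Println(string(resp))
}
```

A request such as `{"key":"<base64 key>","payload":"<base64 data>"}` piped to the binary yields the header line followed by `{"payload":"<base64 result>"}`; a wrong key, a truncated ciphertext or a tampered payload all produce an error and a non-zero exit.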

Documentation

Constants

const Magic = "Ghoten-External-Encryption-Method"

Magic is the magic string the external method needs to output in the Header.

Variables

This section is empty.

Functions

func New

func New() method.Descriptor

New creates a new descriptor for the AES-GCM encryption method, which requires a 32-byte key.

Types

type Config

type Config struct {
	Keys           *keyprovider.Output
	EncryptCommand []string
	DecryptCommand []string
}

Config is the configuration for the AES-GCM method.

func (*Config) Build

func (c *Config) Build() (method.Method, error)

Build checks the validity of the configuration and returns a ready-to-use AES-GCM implementation.

type Header

type Header struct {
	// Magic must always be "Ghoten-External-Encryption-Method"
	Magic string `json:"magic"`
	// Version must always be 1.
	Version int `json:"version"`
}

Header is the initial message the external method writes to stdout as a single-line JSON.

type InputV1

type InputV1 struct {
	// Key is the encryption or decryption key for this operation. On the wire, this is base64-encoded. If no key is
	// present, this will be nil and the method should exit with a non-zero exit code.
	Key []byte `json:"key,omitempty"`
	// Payload is the payload to encrypt/decrypt.
	Payload []byte `json:"payload"`
}

InputV1 is an encryption/decryption request from Ghoten to the external method. Ghoten writes this message to the standard input of the external method as a JSON message.

type OutputV1

type OutputV1 struct {
	// Payload is the payload that has been encrypted/decrypted by the external method.
	Payload []byte `json:"payload"`
}

OutputV1 is the returned encrypted/decrypted payload from the external method. The external method writes this to the standard output as JSON.

Directories

Path: data    Synopsis: command
