Documentation
Overview ¶
Package encryption defines interfaces and types for field-level encryption in event sourcing. Providers implement the Provider interface to support envelope encryption with various key management systems (local, AWS KMS, HashiCorp Vault).
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrEncryptionFailed indicates a field encryption operation failed.
	ErrEncryptionFailed = errors.New("mink: encryption failed")
	// ErrDecryptionFailed indicates a field decryption operation failed.
	ErrDecryptionFailed = errors.New("mink: decryption failed")
	// ErrKeyNotFound indicates the requested encryption key does not exist.
	ErrKeyNotFound = errors.New("mink: encryption key not found")
	// ErrKeyRevoked indicates the encryption key has been revoked (crypto-shredding).
	ErrKeyRevoked = errors.New("mink: encryption key revoked")
	// ErrProviderClosed indicates the encryption provider has been closed.
	ErrProviderClosed = errors.New("mink: encryption provider closed")
)
Sentinel errors for encryption operations.
Functions ¶
func AESGCMDecrypt ¶
AESGCMDecrypt decrypts ciphertext produced by AESGCMEncrypt. The aad parameter must match the value used during encryption; on any mismatch, or on a modified nonce, ciphertext or tag, authentication fails and no plaintext is returned.
func AESGCMEncrypt ¶
AESGCMEncrypt encrypts plaintext using AES-256-GCM with additional authenticated data. The aad parameter binds the ciphertext to its context (e.g., field path, key ID): the AAD is authenticated but not encrypted, so a ciphertext moved to another context fails authentication on decrypt instead of silently decrypting there. Output format: nonce (12 bytes) || ciphertext+tag. The nonce must never repeat under the same key; GCM loses both confidentiality and integrity guarantees when it does.
func ClearBytes ¶
func ClearBytes(b []byte)
ClearBytes zeroes out a byte slice to prevent key material from lingering in memory.
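The two AES-GCM helpers and ClearBytes, reconstructed as an added example that is not the package's own code (the page shows no signatures, so the `(key, plaintext, aad []byte)` shape, the lower-case names and the `fieldAAD` helper are assumptions): it produces the documented nonce || ciphertext+tag layout, insists on a 32-byte key so AES-128 cannot be selected by accident, and shows that a ciphertext moved to another field path, or tampered with, is rejected:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrDecryptionFailed is a local copy of the page's sentinel. Every Open failure maps to it so a
// caller cannot distinguish wrong key, wrong AAD and flipped bits (no decryption oracle).
var ErrDecryptionFailed = errors.New("mink: decryption failed")

// newGCM builds AES-256-GCM and rejects any key that is not 32 bytes, so AES-128 cannot be
// selected by accident (aes.NewCipher alone would happily accept a 16-byte key).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("aes-256-gcm: key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMEncrypt produces the documented layout: nonce (12 bytes) || ciphertext+tag.
// The aad is authenticated, not encrypted, so the decryptor rebuilds it from context.
func aesGCMEncrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // Seal appends to dst, so the nonce leads
}

// aesGCMDecrypt splits off the nonce and opens the rest; any change to key, nonce,
// ciphertext, tag or aad fails closed with ErrDecryptionFailed.
func aesGCMDecrypt(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns+gcm.Overhead() {
		return nil, ErrDecryptionFailed // too short to hold a nonce and a tag
	}
	pt, err := gcm.Open(nil, data[:ns], data[ns:], aad)
	if err != nil {
		return nil, ErrDecryptionFailed
	}
	return pt, nil
}

// clearBytes zeroes key material in place once it is no longer needed.
func clearBytes(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// fieldAAD binds a ciphertext to its master key and field path, e.g. "customer-42|payload.email".
func fieldAAD(keyID, fieldPath string) []byte { return []byte(keyID + "|" + fieldPath) }

// Demo encrypts one field and reports whether decryption succeeds in the original context,
// after the ciphertext is moved to another field (AAD mismatch) and after one bit is flipped.
func Demo() (same, moved, tampered bool) {
	key := make([]byte, 32) // constructed: a throwaway DEK for this run
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	defer clearBytes(key)
	ct, err := aesGCMEncrypt(key, []byte("alice@example.com"), fieldAAD("customer-42", "payload.email"))
	if err != nil {
		panic(err)
	}
	_, err = aesGCMDecrypt(key, ct, fieldAAD("customer-42", "payload.email"))
	same = err == nil
	_, err = aesGCMDecrypt(key, ct, fieldAAD("customer-42", "payload.phone"))
	moved = errors.Is(err, ErrDecryptionFailed)
	ct[len(ct)-1] ^= 0x01 // flip one bit of the tag
	_, err = aesGCMDecrypt(key, ct, fieldAAD("customer-42", "payload.email"))
	tampered = errors.Is(err, ErrDecryptionFailed)
	return same, moved, tampered
}

func main() {
	fmt.Println(Demo()) // true true true
}
```

Mapping every failure to the same sentinel is deliberate: returning distinct errors for "bad tag" versus "bad length" gives an attacker a cheap oracle for nothing in return, while the detail a responder needs (which key, which field) belongs in the wrapping EncryptionError, not in the crypto layer.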
Types ¶
type DataKey ¶
type DataKey struct {
// Plaintext is the 32-byte AES key used for field encryption.
// Must be zeroed after use via ClearBytes.
Plaintext []byte
// Ciphertext is the encrypted form of the DEK, safe to persist.
Ciphertext []byte
// KeyID is the master key that encrypted this DEK.
KeyID string
}
DataKey holds the plaintext and ciphertext forms of a data encryption key (DEK). The plaintext is used for local AES-256-GCM encryption and must NEVER be persisted. The ciphertext is safe to store in event metadata.
type EncryptionError ¶
type EncryptionError struct {
Operation string // "encrypt" or "decrypt"
KeyID string
Field string
Cause error
}
EncryptionError provides detailed information about an encryption or decryption failure.
func NewDecryptionError ¶
func NewDecryptionError(keyID, field string, cause error) *EncryptionError
NewDecryptionError creates a new EncryptionError for a decrypt operation.
func NewEncryptionError ¶
func NewEncryptionError(keyID, field string, cause error) *EncryptionError
NewEncryptionError creates a new EncryptionError for an encrypt operation.
func (*EncryptionError) Error ¶
func (e *EncryptionError) Error() string
Error returns the error message.
func (*EncryptionError) Is ¶
func (e *EncryptionError) Is(target error) bool
Is reports whether this error matches the target error.
func (*EncryptionError) Unwrap ¶
func (e *EncryptionError) Unwrap() error
Unwrap returns the underlying cause for errors.Unwrap().
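How these wrappers are consumed, as an added example that is not the package's code: the Is semantics assumed here are that a "decrypt" error matches ErrDecryptionFailed and an "encrypt" error matches ErrEncryptionFailed, while Unwrap exposes the cause, so a reader can tell a crypto-shredded field (expected; render as redacted) from a tampered ciphertext (alert), and a writer can refuse to store plaintext when encryption fails. The Classify function, its labels and the sample causes are constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
)

// Local copies of the page's sentinel errors (same strings).
var (
	ErrEncryptionFailed = errors.New("mink: encryption failed")
	ErrDecryptionFailed = errors.New("mink: decryption failed")
	ErrKeyRevoked       = errors.New("mink: encryption key revoked")
)

// EncryptionError mirrors the page's declaration. The Is semantics below are an assumption:
// a "decrypt" error matches ErrDecryptionFailed, an "encrypt" error matches ErrEncryptionFailed.
type EncryptionError struct {
	Operation string // "encrypt" or "decrypt"
	KeyID     string
	Field     string
	Cause     error
}

func NewEncryptionError(keyID, field string, cause error) *EncryptionError {
	return &EncryptionError{Operation: "encrypt", KeyID: keyID, Field: field, Cause: cause}
}

func NewDecryptionError(keyID, field string, cause error) *EncryptionError {
	return &EncryptionError{Operation: "decrypt", KeyID: keyID, Field: field, Cause: cause}
}

// Error names the key ID and field path, never plaintext or key material, so it is safe to log.
func (e *EncryptionError) Error() string {
	return fmt.Sprintf("mink: %s failed for field %q (key %q): %v", e.Operation, e.Field, e.KeyID, e.Cause)
}

// Is lets errors.Is(err, ErrDecryptionFailed) succeed without the caller knowing this type.
func (e *EncryptionError) Is(target error) bool {
	switch e.Operation {
	case "encrypt":
		return target == ErrEncryptionFailed
	case "decrypt":
		return target == ErrDecryptionFailed
	}
	return false
}

// Unwrap exposes the cause, so errors.Is(err, ErrKeyRevoked) also sees through the wrapper.
func (e *EncryptionError) Unwrap() error { return e.Cause }

// Classify is an illustrative consumer policy: a crypto-shredded field is expected and is
// rendered as redacted; any other decryption failure is a real fault; a failed encryption must
// never degrade to storing the field in plaintext.
func Classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, ErrKeyRevoked):
		return "redacted"
	case errors.Is(err, ErrDecryptionFailed):
		return "alert" // wrong key, tampered ciphertext or mismatched AAD
	case errors.Is(err, ErrEncryptionFailed):
		return "reject-write"
	default:
		return "unknown"
	}
}

func main() {
	// Constructed causes: the GCM tag-check message is what crypto/cipher returns on a bad tag.
	shredded := NewDecryptionError("customer-42", "payload.email", ErrKeyRevoked)
	tampered := NewDecryptionError("customer-42", "payload.email", errors.New("cipher: message authentication failed"))
	failedWrite := NewEncryptionError("customer-42", "payload.email", errors.New("kms unreachable"))
	fmt.Println(Classify(shredded), Classify(tampered), Classify(failedWrite)) // redacted alert reject-write
	fmt.Println(shredded)
}
```

The order of the cases matters: a shredded field also satisfies errors.Is(err, ErrDecryptionFailed) through the Is method, so the more specific ErrKeyRevoked test has to come first or every deletion would page the on-call engineer.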
type KeyNotFoundError ¶
type KeyNotFoundError struct {
KeyID string
}
KeyNotFoundError provides detailed information about a missing encryption key.
func NewKeyNotFoundError ¶
func NewKeyNotFoundError(keyID string) *KeyNotFoundError
NewKeyNotFoundError creates a new KeyNotFoundError.
func (*KeyNotFoundError) Error ¶
func (e *KeyNotFoundError) Error() string
Error returns the error message.
func (*KeyNotFoundError) Is ¶
func (e *KeyNotFoundError) Is(target error) bool
Is reports whether this error matches the target error.
func (*KeyNotFoundError) Unwrap ¶
func (e *KeyNotFoundError) Unwrap() error
Unwrap returns the underlying error for errors.Unwrap().
type KeyRevokedError ¶
type KeyRevokedError struct {
KeyID string
}
KeyRevokedError provides detailed information about a revoked encryption key.
func NewKeyRevokedError ¶
func NewKeyRevokedError(keyID string) *KeyRevokedError
NewKeyRevokedError creates a new KeyRevokedError.
func (*KeyRevokedError) Error ¶
func (e *KeyRevokedError) Error() string
Error returns the error message.
func (*KeyRevokedError) Is ¶
func (e *KeyRevokedError) Is(target error) bool
Is reports whether this error matches the target error.
func (*KeyRevokedError) Unwrap ¶
func (e *KeyRevokedError) Unwrap() error
Unwrap returns the underlying error for errors.Unwrap().
type Provider ¶
type Provider interface {
// Encrypt encrypts plaintext using the specified master key.
Encrypt(ctx context.Context, keyID string, plaintext []byte) (ciphertext []byte, err error)
// Decrypt decrypts ciphertext using the specified master key.
Decrypt(ctx context.Context, keyID string, ciphertext []byte) (plaintext []byte, err error)
// GenerateDataKey creates a new data encryption key (DEK) protected by the master key.
// The returned DataKey contains both the plaintext DEK (for immediate use) and the
// encrypted DEK (for storage in event metadata). The plaintext must be zeroed after use.
GenerateDataKey(ctx context.Context, keyID string) (*DataKey, error)
// DecryptDataKey decrypts a previously encrypted DEK using the specified master key.
// Returns the plaintext DEK for use in decrypting event fields.
DecryptDataKey(ctx context.Context, keyID string, encryptedKey []byte) ([]byte, error)
// Close releases any resources held by the provider.
Close() error
}
Provider abstracts crypto operations for field-level encryption. Implementations must be safe for concurrent use.
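An envelope provider with the shape of this interface, as an added example that is none of the package's local, kms or vault providers: master keys stay inside a hypothetical in-process store and leave it only as wrapped DEKs, GenerateDataKey returns the DEK in both forms, and Revoke demonstrates crypto-shredding, after which DecryptDataKey fails with ErrKeyRevoked even though the stored ciphertext is untouched. The sentinel errors and DataKey are local copies of the declarations above; Close is omitted, and field encryption with the returned DEK is the AESGCMEncrypt step, not repeated here:

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Local copies of the page's sentinel errors and DataKey type (same strings, same fields).
var (
	ErrDecryptionFailed = errors.New("mink: decryption failed")
	ErrKeyNotFound      = errors.New("mink: encryption key not found")
	ErrKeyRevoked       = errors.New("mink: encryption key revoked")
)

type DataKey struct {
	Plaintext  []byte // 32-byte DEK: use it, then zero it; never persist
	Ciphertext []byte // DEK wrapped under the master key; safe to store in event metadata
	KeyID      string
}

// memProvider is a hypothetical Provider for this example only. Master keys exist inside the process and leave it only as wrapped DEKs. Not concurrency-safe.
type memProvider struct {
	masters map[string]cipher.AEAD
	revoked map[string]bool
}

func newMemProvider(keyID string) *memProvider {
	mk := make([]byte, 32)
	rand.Read(mk)                 // crypto/rand.Read cannot fail since Go 1.24; older Go should check the error
	block, _ := aes.NewCipher(mk) // a 32-byte key selects AES-256; cannot fail at this length
	gcm, _ := cipher.NewGCM(block)
	return &memProvider{masters: map[string]cipher.AEAD{keyID: gcm}, revoked: map[string]bool{}}
}

func (p *memProvider) master(keyID string) (cipher.AEAD, error) {
	if p.revoked[keyID] {
		return nil, ErrKeyRevoked
	}
	if gcm, ok := p.masters[keyID]; ok {
		return gcm, nil
	}
	return nil, ErrKeyNotFound
}

// Encrypt seals plaintext under the master key with keyID as AAD, producing nonce || ciphertext+tag.
func (p *memProvider) Encrypt(_ context.Context, keyID string, plaintext []byte) ([]byte, error) {
	gcm, err := p.master(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// Decrypt reverses Encrypt: a revoked key surfaces as ErrKeyRevoked, a short or tampered blob as ErrDecryptionFailed.
func (p *memProvider) Decrypt(_ context.Context, keyID string, data []byte) ([]byte, error) {
	gcm, err := p.master(keyID)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(data) >= ns+gcm.Overhead() {
		if pt, err := gcm.Open(nil, data[:ns], data[ns:], []byte(keyID)); err == nil {
			return pt, nil
		}
	}
	return nil, ErrDecryptionFailed
}

// GenerateDataKey mints a random DEK and wraps it; only the wrapped form is ever persisted.
func (p *memProvider) GenerateDataKey(ctx context.Context, keyID string) (*DataKey, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped, err := p.Encrypt(ctx, keyID, dek)
	if err != nil {
		return nil, err
	}
	return &DataKey{Plaintext: dek, Ciphertext: wrapped, KeyID: keyID}, nil
}

func (p *memProvider) DecryptDataKey(ctx context.Context, keyID string, wrapped []byte) ([]byte, error) {
	return p.Decrypt(ctx, keyID, wrapped)
}

// Revoke is crypto-shredding: every DEK wrapped under this key, and every field those DEKs protect, becomes unrecoverable without touching the stored events.
func (p *memProvider) Revoke(keyID string) { p.revoked[keyID] = true }

func main() {
	p := newMemProvider("customer-42") // constructed: one master key per data subject
	dk, _ := p.GenerateDataKey(context.Background(), "customer-42")
	p.Revoke("customer-42")
	_, err := p.DecryptDataKey(context.Background(), "customer-42", dk.Ciphertext)
	fmt.Println(errors.Is(err, ErrKeyRevoked)) // true
}
```

Using keyID as the AAD when wrapping means a wrapped DEK presented under a different master key ID fails authentication rather than being unwrapped with the wrong key; a real KMS or Vault Transit provider gets the same property from its key-scoped encrypt and decrypt calls. The concurrency requirement stated above is not met by this map-backed store; a real implementation needs a lock or an immutable key set.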
Directories ¶
| Path | Synopsis |
|---|---|
| kms | Package kms provides an AWS KMS encryption provider for field-level encryption. |
| local | Package local provides an in-memory AES-256-GCM encryption provider for testing. |
| providertest | Package providertest provides shared test helpers for encryption.Provider implementations. |
| vault | Package vault provides a HashiCorp Vault Transit encryption provider for field-level encryption. |