Documentation
Overview
Package kms provides an AWS KMS encryption provider for field-level encryption. It uses KMS for envelope encryption: GenerateDataKey creates DEKs via KMS, and Decrypt unwraps them. Field-level encryption uses the plaintext DEK locally.
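The envelope flow described above, as an added example that runs offline and is not this package's code. An in-memory master key stands in for the KMS key; the function names, the `alias/demo` key ID, the sample value, and the use of AES-GCM with the key ID and a field name as associated data are all assumptions, since the page states only that the DEK is a 256-bit AES key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// seal encrypts pt with AES-GCM (assumed mode) and returns nonce||ciphertext||tag.
func seal(key, pt, aad []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	nonce := make([]byte, 12)
	if _, rerr := rand.Read(nonce); err != nil || rerr != nil {
		return nil, fmt.Errorf("seal: key=%v rand=%v", err, rerr)
	}
	g, _ := cipher.NewGCM(b) // cannot fail for AES's 16-byte block
	return g.Seal(nonce, nonce, pt, aad), nil
}

// open reverses seal; it fails on a wrong key, a wrong aad or modified input.
func open(key, ct, aad []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, fmt.Errorf("open: bad key or truncated input")
	}
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, ct[:12], ct[12:], aad)
}

// generateDataKey is a local stand-in for KMS GenerateDataKey: a fresh 32-byte
// DEK plus a copy wrapped under master (with real KMS, master never leaves it).
func generateDataKey(master []byte, keyID string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(master, plain, []byte(keyID))
	return plain, wrapped, err
}

func main() {
	master := make([]byte, 32) // constructed all-zero key, demo only
	dek, wrapped, _ := generateDataKey(master, "alias/demo")
	ct, _ := seal(dek, []byte("alice@example.com"), []byte("users.email")) // local, no KMS call
	unwrapped, _ := open(master, wrapped, []byte("alias/demo"))            // stand-in for KMS Decrypt
	pt, err := open(unwrapped, ct, []byte("users.email"))
	fmt.Printf("%s %v\n", pt, err)
}
```

Only `wrapped` and `ct` are meant to be persisted; the plaintext DEK exists in memory for the duration of the local encrypt or decrypt.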
Index
- type KMSClient
- type Option
- type Provider
- func (p *Provider) Close() error
- func (p *Provider) Decrypt(ctx context.Context, keyID string, ciphertext []byte) ([]byte, error)
- func (p *Provider) DecryptDataKey(ctx context.Context, keyID string, encryptedKey []byte) ([]byte, error)
- func (p *Provider) Encrypt(ctx context.Context, keyID string, plaintext []byte) ([]byte, error)
- func (p *Provider) GenerateDataKey(ctx context.Context, keyID string) (*encryption.DataKey, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type KMSClient
type KMSClient interface {
Encrypt(ctx context.Context, params *kms.EncryptInput, optFns ...func(*kms.Options)) (*kms.EncryptOutput, error)
Decrypt(ctx context.Context, params *kms.DecryptInput, optFns ...func(*kms.Options)) (*kms.DecryptOutput, error)
GenerateDataKey(ctx context.Context, params *kms.GenerateDataKeyInput, optFns ...func(*kms.Options)) (*kms.GenerateDataKeyOutput, error)
}
KMSClient defines the subset of the KMS API used by the provider.
type Provider
type Provider struct {
// contains filtered or unexported fields
}
Provider implements encryption.Provider using AWS KMS.
func (*Provider) DecryptDataKey
func (p *Provider) DecryptDataKey(ctx context.Context, keyID string, encryptedKey []byte) ([]byte, error)
DecryptDataKey decrypts an encrypted DEK using the KMS Decrypt API.
func (*Provider) GenerateDataKey
GenerateDataKey creates a new DEK using the KMS GenerateDataKey API. It returns a 256-bit (32-byte) AES key.