vault

package
v1.0.12
Published: Apr 18, 2026 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package vault provides a HashiCorp Vault Transit encryption provider for field-level encryption. It uses the Vault Transit engine for key management while generating DEKs locally for envelope encryption.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Option

type Option func(*Provider)

Option configures a Vault Provider.

func WithVaultClient

func WithVaultClient(client VaultClient) Option

WithVaultClient sets the Vault Transit client.

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider implements encryption.Provider using HashiCorp Vault Transit.

func New

func New(opts ...Option) *Provider

New creates a new Vault Transit encryption provider.

func (*Provider) Close

func (p *Provider) Close() error

Close marks the provider as closed.

func (*Provider) Decrypt

func (p *Provider) Decrypt(ctx context.Context, keyID string, ciphertext []byte) ([]byte, error)

Decrypt decrypts ciphertext using the Vault Transit key.

func (*Provider) DecryptDataKey

func (p *Provider) DecryptDataKey(ctx context.Context, keyID string, encryptedKey []byte) ([]byte, error)

DecryptDataKey decrypts a previously encrypted DEK using Vault Transit.

func (*Provider) Encrypt

func (p *Provider) Encrypt(ctx context.Context, keyID string, plaintext []byte) ([]byte, error)

Encrypt encrypts plaintext using the Vault Transit key.

func (*Provider) GenerateDataKey

func (p *Provider) GenerateDataKey(ctx context.Context, keyID string) (*encryption.DataKey, error)

GenerateDataKey creates a new random 32-byte DEK and encrypts it via Vault Transit. Unlike KMS, Vault Transit doesn't have a native GenerateDataKey API, so we generate the DEK locally and encrypt it with Vault.

type VaultClient

type VaultClient interface {
	// Encrypt encrypts plaintext using the named Transit key.
	Encrypt(ctx context.Context, keyName string, plaintext []byte) (ciphertext []byte, err error)

	// Decrypt decrypts ciphertext using the named Transit key.
	Decrypt(ctx context.Context, keyName string, ciphertext []byte) (plaintext []byte, err error)
}

VaultClient defines the minimal interface for Vault Transit operations. Users inject their own implementation (e.g., wrapping the official Vault SDK).
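The envelope flow this package describes (a 32-byte DEK generated locally, wrapped and unwrapped by Transit, with the caller injecting a VaultClient), shown as an added example. It is not the package's own code: VaultClient is the interface from the page, while the DataKey field names (Plaintext, Encrypted), the in-memory memoryTransit stand-in (constructed so the example runs offline; a real VaultClient would wrap the Vault SDK and return "vault:v1:..." ciphertext strings), and the EnvelopeRoundTrip helper are assumptions made here.

```go
// Added example, not this package's code. VaultClient is the interface from the
// page; DataKey's field names, memoryTransit and EnvelopeRoundTrip are assumed.
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// VaultClient is the page's interface; callers inject whatever talks to Transit.
type VaultClient interface {
	Encrypt(ctx context.Context, keyName string, plaintext []byte) ([]byte, error)
	Decrypt(ctx context.Context, keyName string, ciphertext []byte) ([]byte, error)
}

// DataKey holds the plaintext DEK (use, then drop) and its Transit-wrapped form (store).
type DataKey struct{ Plaintext, Encrypted []byte }

// Provider follows the page: the DEK is made locally; only wrap/unwrap goes to Transit.
type Provider struct{ client VaultClient }

func (p *Provider) GenerateDataKey(ctx context.Context, keyID string) (*DataKey, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := p.client.Encrypt(ctx, keyID, dek)
	if err != nil {
		return nil, err
	}
	return &DataKey{Plaintext: dek, Encrypted: wrapped}, nil
}

func (p *Provider) DecryptDataKey(ctx context.Context, keyID string, encryptedKey []byte) ([]byte, error) {
	dek, err := p.client.Decrypt(ctx, keyID, encryptedKey)
	if err != nil {
		return nil, err
	}
	if len(dek) != 32 { // refuse anything that is not the DEK size we generate
		return nil, fmt.Errorf("unwrapped DEK is %d bytes, want 32", len(dek))
	}
	return dek, nil
}

// aeadSeal/aeadOpen: AES-256-GCM with a random 12-byte nonce prepended to the output.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func aeadOpen(key, ciphertext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(ciphertext) >= n {
		return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// memoryTransit is a constructed, offline stand-in for Vault Transit: each key name
// gets a KEK derived from a master secret that never leaves the struct. Real Transit
// returns "vault:v1:..." strings and rejects unknown key names; this returns raw bytes.
type memoryTransit struct{ master []byte }

func (m *memoryTransit) kek(keyName string) []byte {
	mac := hmac.New(sha256.New, m.master)
	mac.Write([]byte(keyName))
	return mac.Sum(nil) // 32 bytes, so AES-256 below
}

func (m *memoryTransit) Encrypt(_ context.Context, keyName string, plaintext []byte) ([]byte, error) {
	return aeadSeal(m.kek(keyName), plaintext)
}

func (m *memoryTransit) Decrypt(_ context.Context, keyName string, ciphertext []byte) ([]byte, error) {
	return aeadOpen(m.kek(keyName), ciphertext) // wrong key name: different KEK, tag check fails
}

// EnvelopeRoundTrip encrypts one field under a fresh DEK, keeps only what a store
// would (field ciphertext + wrapped DEK), then recovers the field through Transit.
func EnvelopeRoundTrip(ctx context.Context, p *Provider, keyID string, field []byte) ([]byte, error) {
	dk, err := p.GenerateDataKey(ctx, keyID)
	if err != nil {
		return nil, err
	}
	fieldCT, err := aeadSeal(dk.Plaintext, field)
	if err != nil {
		return nil, err
	}
	// The reader holds only dk.Encrypted, never dk.Plaintext: it must unwrap via Transit.
	dek, err := p.DecryptDataKey(ctx, keyID, dk.Encrypted)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, fieldCT)
}

func main() {
	p := &Provider{client: &memoryTransit{master: []byte("constructed master secret")}}
	fmt.Println(EnvelopeRoundTrip(context.Background(), p, "orders", []byte("sample field")))
}
```

Two properties of the page's design show up directly: the Transit key (here the per-name KEK) never leaves the client, so compromise of stored rows yields only wrapped DEKs, and because wrapping is authenticated, unwrapping with the wrong key name or a tampered wrapped DEK fails before any field is decrypted. The 32-byte length check in DecryptDataKey guards against a client that returns the wrong material for the key name.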
