Documentation ¶
Overview ¶
keyprotect-go-client is a Go client library for interacting with the IBM KeyProtect service.
Example ¶
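package main

import (
	"context"
	"fmt"
	"os"

	kp "github.com/IBM/keyprotect-go-client"
)

// NewClient builds a Key Protect client from the KP_INSTANCE_ID and
// IBMCLOUD_API_KEY environment variables. The API key is a credential: it is
// read from the environment so it never has to live in source, and it should
// not be echoed to logs.
//
// It panics when either variable is missing or the API key is empty, and
// otherwise returns whatever kp.New returns (a nil client and a non-nil error
// when the config is rejected).
func NewClient() (*kp.Client, error) {
	instanceID, ok := os.LookupEnv("KP_INSTANCE_ID")
	if !ok {
		panic("Must set KP_INSTANCE_ID")
	}
	apiKey, ok := os.LookupEnv("IBMCLOUD_API_KEY")
	if !ok {
		panic("Must set IBMCLOUD_API_KEY")
	}
	if apiKey == "" {
		panic("IBMCLOUD_API_KEY was empty")
	}
	cc := kp.ClientConfig{
		BaseURL:    "https://us-south.kms.cloud.ibm.com",
		APIKey:     apiKey,
		InstanceID: instanceID,
	}
	return kp.New(cc, kp.DefaultTransport())
}

// main walks through the key lifecycle: list keys, create a root key, derive a
// DEK/WDEK pair from it, unwrap the WDEK, and finally delete the root key.
func main() {
	// The original example discarded this error; on an invalid config c is nil
	// and the first method call dereferences it.
	c, err := NewClient()
	if err != nil {
		panic(err)
	}
	ctx := context.Background()

	// List keys in the current instance. Only identifying fields are printed:
	// Key also has a Payload field, and key material must not reach stdout.
	keys, err := c.GetKeys(ctx, 0, 0)
	if err != nil {
		panic(err)
	}
	for _, key := range keys.Keys {
		fmt.Printf("id=%s name=%s extractable=%t\n", key.ID, key.Name, key.Extractable)
	}

	// Create a new non-exportable key
	crk, err := c.CreateKey(ctx, "kp-go-example-crk", nil, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CRK created successfully: id=%s\n", crk.ID)

	// Create a new DEK and WDEK pair, using the root key from above.
	// The DEK is a piece of secret information that is used for encrypt/decrypt.
	// The WDEK (or wrapped DEK) is used to retrieve the DEK when you need it again.
	ptDek, wdek, err := c.WrapCreateDEK(ctx, crk.ID, nil)
	if err != nil {
		panic(err)
	}

	// Unwrap our WDEK, getting back the corresponding DEK. The error is checked
	// before the comparison: on failure unwrapped is empty and the mismatch
	// panic below would hide the real cause.
	unwrapped, _, err := c.UnwrapV2(ctx, crk.ID, wdek, nil)
	if err != nil {
		panic(err)
	}
	if string(unwrapped) != string(ptDek) {
		panic("Unwrapped DEK did not match DEK from Wrap!")
	}

	// Delete the root key in KeyProtect.
	// Any WDEKs created with the root key will no longer be able to be unwrapped.
	// If you didn't store your DEKs elsewhere, all the data encrypted by those DEKs
	// is now crypto-erased.
	//
	// For some this is a feature. For others it might be a nightmare.
	// Make very sure that the key should be deleted.
	//
	// kp.ReturnMinimal is the named form of the 0 the original passed as the
	// Prefer value.
	_, err = c.DeleteKey(ctx, crk.ID, kp.ReturnMinimal)
	if err != nil {
		panic(fmt.Sprintf("Error deleting key: %s\n", err))
	}
	fmt.Printf("Key deleted: id=%s\n", crk.ID)
}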
Output:
Index ¶
- Constants
- Variables
- func DefaultTransport() http.RoundTripper
- func EncryptKey(key, pubkey string) (string, error)
- func EncryptKeyWithSHA1(key, pubKey string) (string, error)
- func EncryptNonce(key, value, iv string) (string, string, error)
- func EncryptNonceWithCBCPAD(key, value, iv string) (string, string, error)
- func NewContextWithAuth(parent context.Context, auth string) context.Context
- type API
- type Attributes
- type CallOpt
- type Client
- func (c *Client) CancelDualAuthDelete(ctx context.Context, id string) error
- func (c *Client) CreateImportToken(ctx context.Context, expiration, maxAllowedRetrievals int) (*ImportTokenMetadata, error)
- func (c *Client) CreateImportedKey(ctx context.Context, name string, expiration *time.Time, ...) (*Key, error)
- func (c *Client) CreateImportedRootKey(ctx context.Context, name string, expiration *time.Time, ...) (*Key, error)
- func (c *Client) CreateImportedStandardKey(ctx context.Context, name string, expiration *time.Time, payload string) (*Key, error)
- func (c *Client) CreateKey(ctx context.Context, name string, expiration *time.Time, extractable bool) (*Key, error)
- func (c *Client) CreateRootKey(ctx context.Context, name string, expiration *time.Time) (*Key, error)
- func (c *Client) CreateStandardKey(ctx context.Context, name string, expiration *time.Time) (*Key, error)
- func (c *Client) DeleteKey(ctx context.Context, id string, prefer PreferReturn, callOpts ...CallOpt) (*Key, error)
- func (c *Client) DisableKey(ctx context.Context, id string) error
- func (c *Client) EnableKey(ctx context.Context, id string) error
- func (c *Client) GetAllowedNetworkInstancePolicy(ctx context.Context) (*InstancePolicy, error)
- func (c *Client) GetDualAuthDeletePolicy(ctx context.Context, id string) (*Policy, error)
- func (c *Client) GetDualAuthInstancePolicy(ctx context.Context) (*InstancePolicy, error)
- func (c *Client) GetImportTokenTransportKey(ctx context.Context) (*ImportTokenKeyResponse, error)
- func (c *Client) GetInstancePolicies(ctx context.Context) ([]InstancePolicy, error)
- func (c *Client) GetKey(ctx context.Context, id string) (*Key, error)
- func (c *Client) GetKeyMetadata(ctx context.Context, id string) (*Key, error)
- func (c *Client) GetKeys(ctx context.Context, limit int, offset int) (*Keys, error)
- func (c *Client) GetPolicies(ctx context.Context, id string) ([]Policy, error)
- func (c *Client) GetPolicy(ctx context.Context, id string) (*Policy, error)
- func (c *Client) GetRotationPolicy(ctx context.Context, id string) (*Policy, error)
- func (c *Client) InitiateDualAuthDelete(ctx context.Context, id string) error
- func (c *Client) ListRegistrations(ctx context.Context, keyId, crn string) (*registrations, error)
- func (c *Client) RestoreKey(ctx context.Context, id, payload, encryptedNonce, iv string) (*Key, error)
- func (c *Client) Rotate(ctx context.Context, id, payload string) error
- func (c *Client) SetAllowedNetworkInstancePolicy(ctx context.Context, enable bool, networkType string) error
- func (c *Client) SetDualAuthDeletePolicy(ctx context.Context, id string, enabled bool) (*Policy, error)
- func (c *Client) SetDualAuthInstancePolicy(ctx context.Context, enable bool) error
- func (c *Client) SetInstancePolicies(ctx context.Context, setDualAuth, dualAuthEnable bool, ...) error
- func (c *Client) SetPolicies(ctx context.Context, id string, setRotationPolicy bool, rotationInterval int, ...) ([]Policy, error)
- func (c *Client) SetPolicy(ctx context.Context, id string, prefer PreferReturn, rotationInterval int) (*Policy, error)
- func (c *Client) SetRotationPolicy(ctx context.Context, id string, rotationInterval int) (*Policy, error)
- func (c *Client) Unwrap(ctx context.Context, id string, cipherText []byte, ...) ([]byte, error)
- func (c *Client) UnwrapV2(ctx context.Context, id string, cipherText []byte, ...) ([]byte, []byte, error)
- func (c *Client) Wrap(ctx context.Context, id string, plainText []byte, additionalAuthData *[]string) ([]byte, error)
- func (c *Client) WrapCreateDEK(ctx context.Context, id string, additionalAuthData *[]string) ([]byte, []byte, error)
- type ClientConfig
- type ContextKey
- type DualAuth
- type Dump
- type Error
- type ForceOpt
- type ImportTokenCreateRequest
- type ImportTokenKeyResponse
- type ImportTokenMetadata
- type InstancePolicies
- type InstancePolicy
- type Key
- type KeyVersion
- type Keys
- type KeysActionRequest
- type KeysMetadata
- type Logger
- type Policies
- type PoliciesMetadata
- type Policy
- type PolicyData
- type PreferReturn
- type Redact
- type Registration
- type Rotation
- type URLError
Examples ¶
Constants ¶
// Policy type identifiers. Presumably these are the values carried in
// InstancePolicy.PolicyType — confirm against the API.
const (
	//DualAuthDelete defines the policy type as dual auth delete
	DualAuthDelete = "dualAuthDelete"
	//AllowedNetwork defines the policy type as allowed network
	AllowedNetwork = "allowedNetwork"
)
const (
	// DefaultBaseURL is the Key Protect endpoint for the us-south region.
	DefaultBaseURL = "https://us-south.kms.cloud.ibm.com"
	// DefaultTokenURL is the IAM endpoint used to obtain an access token from an
	// API key (see ClientConfig.TokenURL).
	DefaultTokenURL = iam.IAMTokenURL

	// Verbose levels: the accepted values for ClientConfig.Verbose. The names are
	// the only description available here; the Dump/Redact implementation (not
	// shown) is authoritative. Since wrap/unwrap/import request bodies carry key
	// material, anything above VerboseNone — and VerboseAllNoRedact in particular,
	// which by its name skips redaction — belongs in local debugging only.

	// VerboseNone: no verbose output.
	VerboseNone = 0
	// VerboseBodyOnly: bodies only (by name).
	VerboseBodyOnly = 1
	// VerboseAll: everything, presumably with redaction (by name).
	VerboseAll = 2
	// VerboseFailOnly: failed requests only (by name).
	VerboseFailOnly = 3
	// VerboseAllNoRedact: everything, without redaction (by name).
	VerboseAllNoRedact = 4
)
const (
	// RotationPolicy defines the policy type as rotation (see Policy.Rotation and
	// SetRotationPolicy).
	RotationPolicy = "rotation"
)
Variables ¶
// Retry settings for failed HTTP requests. These are package-level variables,
// so changing them affects every Client in the process.
var (
	// RetryWaitMax is the maximum time to wait between HTTP retries
	RetryWaitMax = 30 * time.Second
	// RetryMax is the max number of attempts to retry for failed HTTP requests
	RetryMax = 4
)
Functions ¶
func EncryptKey ¶
EncryptKey will encrypt the user key-material with the public key from key protect
func EncryptKeyWithSHA1 ¶ added in v0.5.0
EncryptKeyWithSHA1 uses sha1 to encrypt the key
func EncryptNonce ¶
EncryptNonce will wrap the KP generated nonce with the users key-material
func EncryptNonceWithCBCPAD ¶ added in v0.5.0
EncryptNonceWithCBCPAD encrypts the nonce using the user's key-material with CBC encrypter. It will also pad the nonce using pkcs7. This is needed for Hyper Protect Crypto Services, since it supports only CBC Encryption.
Types ¶
type Attributes ¶ added in v0.5.0
// Attributes holds the attributes of an allowed network instance policy
// (see PolicyData.Attributes).
type Attributes struct {
	// AllowedNetwork names the permitted network; presumably the networkType
	// passed to SetAllowedNetworkInstancePolicy — confirm.
	AllowedNetwork string `json:"allowed_network,omitempty"`
}
Attributes contains the details of the allowed network policy type.
type Client ¶
// Client holds configuration and auth information to interact with KeyProtect.
// It is expected that one of these is created per KeyProtect service
// instance/credential pair. Config carries the credential (API key or access
// token), so a Client value should not be dumped into logs.
type Client struct {
	URL        *url.URL     // service URL; presumably parsed from Config.BaseURL — confirm
	HttpClient http.Client  // underlying HTTP client (see DefaultTransport)
	Dump       Dump         // dump hook; presumably drives the Verbose request/response logging — confirm
	Config     ClientConfig // configuration this client was created from
	Logger     Logger       // destination for log output (see NewWithLogger)
	// contains filtered or unexported fields
}
Client holds configuration and auth information to interact with KeyProtect. It is expected that one of these is created per KeyProtect service instance/credential pair.
func New ¶
func New(config ClientConfig, transport http.RoundTripper) (*Client, error)
New creates and returns a Client without logging.
func NewWithLogger ¶
func NewWithLogger(config ClientConfig, transport http.RoundTripper, logger Logger) (*Client, error)
NewWithLogger creates and returns a Client with logging. The error value will be non-nil if the config is invalid.
func (*Client) CancelDualAuthDelete ¶ added in v0.5.0
CancelDualAuthDelete unsets the key for deletion. If a key is set for deletion, it can be prevented from getting deleted by unsetting the key for deletion. For more information refer to the Key Protect docs in the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-delete-dual-auth-keys#unset-key-deletion-api
func (*Client) CreateImportToken ¶
func (c *Client) CreateImportToken(ctx context.Context, expiration, maxAllowedRetrievals int) (*ImportTokenMetadata, error)
CreateImportToken creates a key ImportToken.
func (*Client) CreateImportedKey ¶
func (c *Client) CreateImportedKey(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool) (*Key, error)
CreateImportedKey creates a new KP key from the given key material.
func (*Client) CreateImportedRootKey ¶
func (c *Client) CreateImportedRootKey(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string) (*Key, error)
CreateImportedRootKey creates a new, non-extractable key resource with the given key material.
func (*Client) CreateImportedStandardKey ¶
func (c *Client) CreateImportedStandardKey(ctx context.Context, name string, expiration *time.Time, payload string) (*Key, error)
CreateImportedStandardKey creates a new, extractable key resource with the given key material.
func (*Client) CreateKey ¶
func (c *Client) CreateKey(ctx context.Context, name string, expiration *time.Time, extractable bool) (*Key, error)
CreateKey creates a new KP key.
func (*Client) CreateRootKey ¶
func (c *Client) CreateRootKey(ctx context.Context, name string, expiration *time.Time) (*Key, error)
CreateRootKey creates a new, non-extractable key resource without key material.
Example ¶
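package main

import (
	"context"
	"fmt"

	kp "github.com/IBM/keyprotect-go-client"
)

// main creates a root (non-extractable) key in the configured instance.
func main() {
	// kp.New returns (*Client, error); the original example discarded the
	// error, which leaves client nil and panics on the first call.
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL:    "https://us-south.kms.cloud.ibm.com",
			APIKey:     "notARealApiKey", // placeholder; real code reads the key from the environment
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}
	ctx := context.Background()
	rootkey, err := client.CreateRootKey(ctx, "mynewrootkey", nil)
	if err != nil {
		fmt.Println("Error while creating root key: ", err)
	} else {
		fmt.Println("New key created: ", *rootkey)
	}
}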
Output:
func (*Client) CreateStandardKey ¶
func (c *Client) CreateStandardKey(ctx context.Context, name string, expiration *time.Time) (*Key, error)
CreateStandardKey creates a new, extractable key resource without key material.
Example ¶
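package main

import (
	"context"
	"fmt"

	kp "github.com/IBM/keyprotect-go-client"
)

// main creates a standard (extractable) key in the configured instance.
func main() {
	// kp.New returns (*Client, error); the original example discarded the
	// error, which leaves client nil and panics on the first call.
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL:    "https://us-south.kms.cloud.ibm.com",
			APIKey:     "notARealApiKey", // placeholder; real code reads the key from the environment
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}
	fmt.Println("Creating standard key")
	stdKey, err := client.CreateStandardKey(context.Background(), "mynewstandardkey", nil)
	if err != nil {
		fmt.Println("Error while creating standard key: ", err)
	} else {
		// Key has a Payload field and this key is extractable; print identifying
		// fields only so that generated material, if the response carries it,
		// stays out of stdout.
		fmt.Println("New key created: ", stdKey.ID, stdKey.Name)
	}
}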
Output:
func (*Client) DeleteKey ¶
func (c *Client) DeleteKey(ctx context.Context, id string, prefer PreferReturn, callOpts ...CallOpt) (*Key, error)
DeleteKey deletes a key resource by specifying the ID of the key.
Example ¶
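package main

import (
	"context"
	"fmt"

	kp "github.com/IBM/keyprotect-go-client"
)

// main deletes a key by ID, asking the service to return the deleted
// representation (kp.ReturnRepresentation).
func main() {
	// kp.New returns (*Client, error); the original example discarded the
	// error, which leaves client nil and panics on the first call.
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL:    "https://us-south.kms.cloud.ibm.com",
			APIKey:     "notARealApiKey", // placeholder; real code reads the key from the environment
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}
	keyID := "1234abcd-abcd-asdf-9eaa-deadbeefabcd"
	fmt.Println("Deleting standard key")
	// Deletion is destructive: anything wrapped under this key can no longer be
	// unwrapped afterwards (see the package example).
	delKey, err := client.DeleteKey(context.Background(), keyID, kp.ReturnRepresentation)
	if err != nil {
		fmt.Println("Error while deleting: ", err)
	} else {
		fmt.Println("Deleted key: ", delKey)
	}
}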
Output:
func (*Client) DisableKey ¶ added in v0.5.0
DisableKey disables a key. The key is not deleted, but it is no longer active and key operations cannot be performed on a disabled key. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-disable-keys
func (*Client) EnableKey ¶ added in v0.5.0
EnableKey enables a key. Only disabled keys can be enabled. Once enabled, the key becomes active and key operations can be performed on it. Note: this does not recover deleted keys. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-disable-keys#enable-api
func (*Client) GetAllowedNetworkInstancePolicy ¶ added in v0.5.0
func (c *Client) GetAllowedNetworkInstancePolicy(ctx context.Context) (*InstancePolicy, error)
GetAllowedNetworkInstancePolicy retrieves the allowed network policy details associated with the instance. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-network-access-policies
func (*Client) GetDualAuthDeletePolicy ¶ added in v0.5.0
GetDualAuthDeletePolicy retrieves the dual auth delete policy details of a key. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-dual-auth-key-policy#view-dual-auth-key-policy-api
func (*Client) GetDualAuthInstancePolicy ¶ added in v0.5.0
func (c *Client) GetDualAuthInstancePolicy(ctx context.Context) (*InstancePolicy, error)
GetDualAuthInstancePolicy retrieves the dual auth delete policy details associated with the instance. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-dual-auth
func (*Client) GetImportTokenTransportKey ¶
func (c *Client) GetImportTokenTransportKey(ctx context.Context) (*ImportTokenKeyResponse, error)
GetImportTokenTransportKey retrieves the ImportToken transport key.
func (*Client) GetInstancePolicies ¶ added in v0.4.0
func (c *Client) GetInstancePolicies(ctx context.Context) ([]InstancePolicy, error)
GetInstancePolicies retrieves all policies of an Instance.
func (*Client) GetKey ¶
GetKey retrieves a key by ID.
Example ¶
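package main

import (
	"context"
	"fmt"

	kp "github.com/IBM/keyprotect-go-client"
)

// main fetches a key by ID and prints its identifying fields.
func main() {
	// kp.New returns (*Client, error); the original example discarded the
	// error, which leaves client nil and panics on the first call.
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL:    "https://us-south.kms.cloud.ibm.com",
			APIKey:     "notARealApiKey", // placeholder; real code reads the key from the environment
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}
	keyID := "1234abcd-abcd-asdf-9eaa-deadbeefabcd"
	fmt.Println("Getting standard key")
	// Per the GetKeyMetadata docs, GetKey is the call that returns the payload
	// (key material) when the caller's role allows it, so the whole Key must not
	// be printed. Callers that only need metadata can use GetKeyMetadata instead.
	key, err := client.GetKey(context.Background(), keyID)
	if err != nil {
		fmt.Println("Get Key failed with error: ", err)
	} else {
		fmt.Printf("Key: id=%s name=%s type=%s extractable=%t\n", key.ID, key.Name, key.Type, key.Extractable)
	}
}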
Output:
func (*Client) GetKeyMetadata ¶ added in v0.5.0
GetKeyMetadata retrieves the metadata of a Key. Note that the "/api/v2/keys/{id}/metadata" API does not return the payload, therefore the payload attribute in the Key pointer will always be empty. If you need the payload, you need to use the GetKey() function with the correct service access role. https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-access#service-access-roles
func (*Client) GetPolicies ¶ added in v0.5.0
GetPolicies retrieves all policies details associated with a Key ID.
func (*Client) GetPolicy ¶
GetPolicy retrieves a policy by Key ID. This function is deprecated, as it only returns one policy and does not let you select which policy set it will return. It is kept for backward compatibility on keys with only one rotation policy. Please update to use the new GetPolicies or Get<type>Policy functions.
func (*Client) GetRotationPolicy ¶ added in v0.5.0
GetRotationPolicy retrieves the rotation policy details of a key. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#view-rotation-policy-api
func (*Client) InitiateDualAuthDelete ¶ added in v0.5.0
InitiateDualAuthDelete sets a key for deletion. The key must be configured with a DualAuthDelete policy. After the key is set to deletion it can be deleted by another user who has Manager access. For more information refer to the Key Protect docs in the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-delete-dual-auth-keys#set-key-deletion-api
func (*Client) ListRegistrations ¶ added in v0.5.0
ListRegistrations retrieves a collection of registrations
func (*Client) RestoreKey ¶ added in v0.5.0
func (c *Client) RestoreKey(ctx context.Context, id, payload, encryptedNonce, iv string) (*Key, error)
RestoreKey restores a deleted imported root key by specifying the ID of the key
func (*Client) SetAllowedNetworkInstancePolicy ¶ added in v0.5.0
func (c *Client) SetAllowedNetworkInstancePolicy(ctx context.Context, enable bool, networkType string) error
SetAllowedNetworkInstancePolicy updates the allowed network policy details associated with an instance. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-network-access-policies
func (*Client) SetDualAuthDeletePolicy ¶ added in v0.5.0
func (c *Client) SetDualAuthDeletePolicy(ctx context.Context, id string, enabled bool) (*Policy, error)
SetDualAuthDeletePolicy updates the dual auth delete policy by passing the key ID and the enable flag. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-dual-auth-key-policy#create-dual-auth-key-policy-api
func (*Client) SetDualAuthInstancePolicy ¶ added in v0.5.0
SetDualAuthInstancePolicy updates the dual auth delete policy details associated with an instance. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-dual-auth
func (*Client) SetInstancePolicies ¶ added in v0.4.0
func (c *Client) SetInstancePolicies(ctx context.Context, setDualAuth, dualAuthEnable bool, setAllowedNetwork, allowedNetworkEnable bool, networkType string) error
SetInstancePolicies updates single or multiple policy details of an instance.
func (*Client) SetPolicies ¶ added in v0.5.0
func (c *Client) SetPolicies(ctx context.Context, id string, setRotationPolicy bool, rotationInterval int, setDualAuthDeletePolicy, dualAuthEnable bool) ([]Policy, error)
SetPolicies updates all policies of the key or a single policy by passing key ID. To set rotation policy for the key pass the setRotationPolicy parameter as true and set the rotationInterval detail. To set dual auth delete policy for the key pass the setDualAuthDeletePolicy parameter as true and set the dualAuthEnable detail. Both the policies can be set or either of the policies can be set.
func (*Client) SetPolicy ¶
func (c *Client) SetPolicy(ctx context.Context, id string, prefer PreferReturn, rotationInterval int) (*Policy, error)
SetPolicy updates a policy resource by specifying the ID of the key and the rotation interval needed. This function is deprecated, as it only lets you set key rotation policies. To set dual auth and other newer policies on a key, please use the new SetPolicies or Set<type>Policy functions.
func (*Client) SetRotationPolicy ¶ added in v0.5.0
func (c *Client) SetRotationPolicy(ctx context.Context, id string, rotationInterval int) (*Policy, error)
SetRotationPolicy updates the rotation policy associated with a key by specifying the key ID and rotation interval. For more information, refer to the Key Protect docs at the link below: https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#update-rotation-policy-api
func (*Client) Unwrap ¶
func (c *Client) Unwrap(ctx context.Context, id string, cipherText []byte, additionalAuthData *[]string) ([]byte, error)
Unwrap is deprecated since it returns only plaintext and doesn't know how to handle rotation.
func (*Client) UnwrapV2 ¶
func (c *Client) UnwrapV2(ctx context.Context, id string, cipherText []byte, additionalAuthData *[]string) ([]byte, []byte, error)
UnwrapV2 is Unwrap with rotation support.
Example ¶
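package main

import (
	"context"
	"fmt"

	kp "github.com/IBM/keyprotect-go-client"
)

// main unwraps a WDEK under a root key, binding the operation to the same AAD
// that was used at wrap time, and shows how a rewrapped WDEK is handled.
func main() {
	// kp.New returns (*Client, error); the original example discarded the
	// error, which leaves client nil and panics on the first call.
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL:    "https://us-south.kms.cloud.ibm.com",
			APIKey:     "notARealApiKey", // placeholder; real code reads the key from the environment
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}
	keyID := "1234abcd-abcd-asdf-9eaa-deadbeefabcd"
	wrappedDek := []byte("dGhpcyBpc24ndCBhIHJlYWwgcGF5bG9hZAo=")
	aad := []string{
		"AAD can be pretty much any string value.",
		"This entire array of strings is the AAD.",
		"It has to be the same on wrap and unwrap, however",
		"This can be useful, if the DEK should be bound to an application name",
		"or possibly a hostname, IP address, or even email address.",
		"For example",
		"appname=golang-examples;",
		"It is not secret though, so don't put anything sensitive here",
	}
	ctx := context.Background()
	dek, rewrapped, err := client.UnwrapV2(ctx, keyID, wrappedDek, &aad)
	if err != nil {
		// Stop here: on failure dek is empty and the length check below would
		// only add a misleading secondary message.
		fmt.Println("Error while unwrapping DEK: ", err)
		return
	}
	fmt.Println("Unwrapped key successfully")
	if len(dek) != 32 {
		fmt.Println("DEK length was not 32 bytes (not a 256 bit key)")
	}
	// dek is your plaintext DEK, use it for encrypt/decrypt then throw it away
	// rewrapped is POSSIBLY a new WDEK, if it is not empty, store that and use it on next Unwrap
	if len(rewrapped) > 0 {
		fmt.Printf("Your DEK was rewrapped with a new key version. Your new WDEK is %v\n", rewrapped)
		// store new WDEK. Nothing reads wrappedDek again in this example, so a
		// linter will flag the assignment as ineffective; real code persists it.
		wrappedDek = rewrapped
	}
}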
Output:
func (*Client) Wrap ¶
func (c *Client) Wrap(ctx context.Context, id string, plainText []byte, additionalAuthData *[]string) ([]byte, error)
Wrap calls the wrap action with the given plain text.
func (*Client) WrapCreateDEK ¶
func (c *Client) WrapCreateDEK(ctx context.Context, id string, additionalAuthData *[]string) ([]byte, []byte, error)
WrapCreateDEK calls the wrap action without plain text.
Example ¶
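package main

import (
	"context"
	"fmt"

	kp "github.com/IBM/keyprotect-go-client"
)

// main asks the service to generate a DEK under a root key and returns it both
// in plaintext and wrapped (the WDEK), bound to the given AAD.
func main() {
	// kp.New returns (*Client, error); the original example discarded the
	// error, which leaves client nil and panics on the first call.
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL:    "https://us-south.kms.cloud.ibm.com",
			APIKey:     "notARealApiKey", // placeholder; real code reads the key from the environment
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}
	keyID := "1234abcd-abcd-asdf-9eaa-deadbeefabcd"
	aad := []string{
		"AAD can be pretty much any string value.",
		"This entire array of strings is the AAD.",
		"It has to be the same on wrap and unwrap, however",
		"This can be useful, if the DEK should be bound to an application name",
		"or possibly a hostname, IP address, or even email address.",
		"For example",
		"appname=golang-examples;",
		"It is not secret though, so don't put anything sensitive here",
	}
	ctx := context.Background()
	dek, wrappedDek, err := client.WrapCreateDEK(ctx, keyID, &aad)
	if err != nil {
		// Stop here: on failure dek and wrappedDek are empty and the messages
		// below would be misleading.
		fmt.Println("Error while creating a DEK: ", err)
		return
	}
	fmt.Println("Created new random DEK")
	if len(dek) != 32 {
		fmt.Println("DEK length was not 32 bytes (not a 256 bit key)")
	}
	// Only the wrapped form is printed; dek itself is secret.
	fmt.Printf("Your WDEK is: %v\n", wrappedDek)
	// dek is your plaintext DEK, use it for encrypt/decrypt and throw it away
	// wrappedDek is your WDEK, keep this and pass it to Unwrap to get back your DEK when you need it again
}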
Output:
type ClientConfig ¶
// ClientConfig holds the settings used to construct a Client (see New and
// NewWithLogger). Authorization and APIKey are credentials: populate them from
// the environment or a secret store rather than from source, and keep the
// struct out of logs.
type ClientConfig struct {
	BaseURL       string  // Base URL of the KeyProtect service; DefaultBaseURL is the us-south endpoint
	Authorization string  // The IBM Cloud (Bluemix) access token
	APIKey        string  // Service ID API key, can be used instead of an access token
	TokenURL      string  // The URL used to get an access token from the API key (DefaultTokenURL is the IAM endpoint)
	InstanceID    string  // The IBM Cloud (Bluemix) instance ID that identifies your Key Protect service instance.
	Verbose       int     // See verbose values above (VerboseNone through VerboseAllNoRedact)
	Timeout       float64 // KP request timeout in seconds. What a zero value means is not visible here — confirm before relying on it.
}
ClientConfig holds the settings used to construct a Client.
type Error ¶
// Error carries the details of a failed KeyProtect API call. StatusCode and
// Message come from the service; BodyContent is the raw response body, so its
// contents are whatever the service returned.
type Error struct {
	URL           string   // URL of request that resulted in this error
	StatusCode    int      // HTTP error code from KeyProtect service
	Message       string   // error message from KeyProtect service
	BodyContent   []byte   // raw body content if more inspection is needed
	CorrelationID string   // string value of a UUID that uniquely identifies the request to KeyProtect
	Reasons       []reason // collection of reason types containing detailed error messages
}
type ImportTokenCreateRequest ¶
// ImportTokenCreateRequest represents request parameters for creating an
// ImportToken; presumably CreateImportToken's expiration and
// maxAllowedRetrievals arguments populate these fields — confirm.
type ImportTokenCreateRequest struct {
	MaxAllowedRetrievals int `json:"maxAllowedRetrievals,omitempty"` // retrieval budget for the token (by name)
	ExpiresInSeconds     int `json:"expiration,omitempty"`           // token lifetime in seconds; note the JSON key is "expiration"
}
ImportTokenCreateRequest represents request parameters for creating a ImportToken.
type ImportTokenKeyResponse ¶
// ImportTokenKeyResponse represents the response body for various ImportToken
// API calls; GetImportTokenTransportKey returns one.
type ImportTokenKeyResponse struct {
	ID             string     `json:"id"`
	CreationDate   *time.Time `json:"creationDate"`
	ExpirationDate *time.Time `json:"expirationDate"`
	Payload        string     `json:"payload"` // presumably the transport public key that EncryptKey/EncryptNonce consume — confirm
	Nonce          string     `json:"nonce"`   // presumably the KP-generated nonce that EncryptNonce wraps — confirm
}
ImportTokenKeyResponse represents the response body for various ImportToken API calls.
type ImportTokenMetadata ¶
// ImportTokenMetadata represents the metadata of an ImportToken, as returned
// by CreateImportToken.
type ImportTokenMetadata struct {
	ID                   string     `json:"id"`
	CreationDate         *time.Time `json:"creationDate"`
	ExpirationDate       *time.Time `json:"expirationDate"`
	MaxAllowedRetrievals int        `json:"maxAllowedRetrievals"` // retrieval budget requested at creation
	RemainingRetrievals  int        `json:"remainingRetrievals"`  // retrievals still available (by name)
}
ImportTokenMetadata represents the metadata of a ImportToken.
type InstancePolicies ¶ added in v0.4.0
// InstancePolicies represents a collection of Policies associated with Key
// Protect instances.
type InstancePolicies struct {
	Metadata PoliciesMetadata `json:"metadata"`
	Policies []InstancePolicy `json:"resources"` // note the JSON key is "resources"
}
InstancePolicies represents a collection of Policies associated with Key Protect instances.
type InstancePolicy ¶ added in v0.4.0
// InstancePolicy represents an instance-level policy as returned by the KP API,
// for example the dual authorization delete policy or the allowed network
// policy (see GetDualAuthInstancePolicy and GetAllowedNetworkInstancePolicy).
type InstancePolicy struct {
	CreatedBy  string     `json:"createdBy,omitempty"`
	CreatedAt  *time.Time `json:"creationDate,omitempty"`
	UpdatedAt  *time.Time `json:"lastUpdated,omitempty"`
	UpdatedBy  string     `json:"updatedBy,omitempty"`
	PolicyType string     `json:"policy_type,omitempty"` // presumably one of DualAuthDelete or AllowedNetwork — confirm
	PolicyData PolicyData `json:"policy_data,omitempty" mapstructure:"policyData"`
}
InstancePolicy represents an instance-level policy of a key as returned by the KP API. This policy enables dual authorization for deleting a key.
type Key ¶
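// Key represents a key as returned by the KP API.
//
// Payload is the key material. Per the GetKeyMetadata docs it is returned only
// by GetKey (with the appropriate service access role), never by the metadata
// API; a Key value should therefore not be printed or logged whole.
type Key struct {
	ID             string     `json:"id,omitempty"`
	Name           string     `json:"name,omitempty"`
	Description    string     `json:"description,omitempty"`
	Type           string     `json:"type,omitempty"`
	Tags           []string   `json:"Tags,omitempty"` // note the capitalised JSON key
	AlgorithmType  string     `json:"algorithmType,omitempty"`
	CreatedBy      string     `json:"createdBy,omitempty"`
	CreationDate   *time.Time `json:"creationDate,omitempty"`
	LastUpdateDate *time.Time `json:"lastUpdateDate,omitempty"`
	LastRotateDate *time.Time `json:"lastRotateDate,omitempty"`
	// The mapstructure tag value was unquoted (`mapstructure:keyVersion`), which
	// is not valid struct-tag syntax and is reported by go vet; it is quoted here
	// the same way as InstancePolicy.PolicyData.
	KeyVersion          *KeyVersion `json:"keyVersion,omitempty" mapstructure:"keyVersion"`
	Extractable         bool        `json:"extractable"` // false for root keys (CreateRootKey), true for standard keys (CreateStandardKey)
	Expiration          *time.Time  `json:"expirationDate,omitempty"`
	Payload             string      `json:"payload,omitempty"` // key material; see the type comment
	State               int         `json:"state,omitempty"`
	EncryptionAlgorithm string      `json:"encryptionAlgorithm,omitempty"`
	CRN                 string      `json:"crn,omitempty"`
	EncryptedNonce      string      `json:"encryptedNonce,omitempty"` // set for imported keys (see CreateImportedKey's encryptedNonce parameter)
	IV                  string      `json:"iv,omitempty"`             // set for imported keys (see CreateImportedKey's iv parameter)
	Deleted             *bool       `json:"deleted,omitempty"`
	DeletedBy           *string     `json:"deletedBy,omitempty"`
	DeletionDate        *time.Time  `json:"deletionDate,omitempty"`
	DualAuthDelete      *DualAuth   `json:"dualAuthDelete,omitempty"`
}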
Key represents a key as returned by the KP API.
type KeyVersion ¶ added in v0.5.0
type Keys ¶
// Keys represents a collection of Keys, as returned by GetKeys.
type Keys struct {
	Metadata KeysMetadata `json:"metadata"`
	Keys     []Key        `json:"resources"` // note the JSON key is "resources"
}
Keys represents a collection of Keys.
type KeysActionRequest ¶
// KeysActionRequest represents request parameters for a key action API call
// (wrap, unwrap, rotate). PlainText carries DEK material on the wire, so a
// serialized request must never be logged unredacted.
type KeysActionRequest struct {
	PlainText  string   `json:"plaintext,omitempty"`  // plaintext for Wrap; encoding not visible here — confirm
	AAD        []string `json:"aad,omitempty"`        // additional authenticated data; must match between wrap and unwrap
	CipherText string   `json:"ciphertext,omitempty"` // wrapped DEK for Unwrap/UnwrapV2
	Payload    string   `json:"payload,omitempty"`    // presumably the key material for Rotate — confirm
}
KeysActionRequest represents request parameters for a key action API call.
type KeysMetadata ¶
// KeysMetadata represents the metadata of a collection of keys.
type KeysMetadata struct {
	CollectionType string `json:"collectionType"`
	NumberOfKeys   int    `json:"collectionTotal"` // note the JSON key is "collectionTotal"
}
KeysMetadata represents the metadata of a collection of keys.
type Policies ¶
// Policies represents a collection of Policies.
type Policies struct {
	Metadata PoliciesMetadata `json:"metadata"`
	Policies []Policy         `json:"resources"` // note the JSON key is "resources"
}
Policies represents a collection of Policies.
type PoliciesMetadata ¶
// PoliciesMetadata represents the metadata of a collection of policies.
type PoliciesMetadata struct {
	CollectionType   string `json:"collectionType"`
	NumberOfPolicies int    `json:"collectionTotal"` // note the JSON key is "collectionTotal"
}
PoliciesMetadata represents the metadata of a collection of policies.
type Policy ¶
// Policy represents a policy as returned by the KP API. Presumably only one of
// Rotation and DualAuth is populated, according to Type — confirm.
type Policy struct {
	Type      string     `json:"type,omitempty"` // e.g. RotationPolicy or DualAuthDelete
	CreatedBy string     `json:"createdBy,omitempty"`
	CreatedAt *time.Time `json:"creationDate,omitempty"`
	CRN       string     `json:"crn,omitempty"`
	UpdatedAt *time.Time `json:"lastUpdateDate,omitempty"`
	UpdatedBy string     `json:"updatedBy,omitempty"`
	Rotation  *Rotation  `json:"rotation,omitempty"`       // rotation policy details (see SetRotationPolicy)
	DualAuth  *DualAuth  `json:"dualAuthDelete,omitempty"` // dual auth delete policy details (see SetDualAuthDeletePolicy)
}
Policy represents a policy as returned by the KP API.
type PolicyData ¶ added in v0.5.0
// PolicyData contains the details of an instance policy (see
// InstancePolicy.PolicyData).
type PolicyData struct {
	Enabled    *bool       `json:"enabled,omitempty"`    // pointer so that "not set" and false are distinguishable
	Attributes *Attributes `json:"attributes,omitempty"` // only meaningful for the allowed network policy type
}
PolicyData contains the details of the policy type
type PreferReturn ¶
// PreferReturn designates the value for the "Prefer" header sent with
// requests such as DeleteKey and SetPolicy; see ReturnMinimal and
// ReturnRepresentation.
type PreferReturn int
PreferReturn designates the value for the "Prefer" header.
const (
	// ReturnMinimal asks the service for a minimal response body.
	ReturnMinimal PreferReturn = 0
	// ReturnRepresentation asks the service to return the full representation
	// of the affected resource (the DeleteKey example uses it to get the
	// deleted key back).
	ReturnRepresentation PreferReturn = 1
)
type Registration ¶ added in v0.5.0
// Registration represents the registration as returned by the KP API
// (see ListRegistrations). A registration ties a key to a cloud resource
// identified by CRN.
type Registration struct {
	KeyID              string     `json:"keyId,omitempty"`
	ResourceCrn        string     `json:"resourceCrn,omitempty"`
	CreatedBy          string     `json:"createdBy,omitempty"`
	CreationDate       *time.Time `json:"creationDate,omitempty"`
	UpdatedBy          string     `json:"updatedBy,omitempty"`
	LastUpdateDate     *time.Time `json:"lastUpdated,omitempty"`
	Description        string     `json:"description,omitempty"`
	PreventKeyDeletion bool       `json:"preventKeyDeletion,omitempty"` // by name, a registration that blocks deletion of the key — confirm
	KeyVersion         KeyVersion `json:"keyVersion,omitempty"`
}
Registration represents the registration as returned by KP API