awskms

package
v0.0.4
Published: Oct 11, 2019 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package awskms encrypts messages using AWS KMS.

Only a recipient that can use the corresponding KMS key (for an asymmetric key, its private half) can decrypt the message. The recipient can verify the integrity of the message, but it cannot verify the identity of the sender: the scheme provides no sender authentication, so anyone able to encrypt under the key can produce a message that decrypts correctly.

The sender anonymously encrypts the message under a randomly generated data encryption key (DEK). The DEK is generated and encrypted via AWS KMS, so the plaintext DEK never has to be stored; only its KMS-encrypted form travels with the message.

Both symmetric and asymmetric KMS keys can be used to encrypt DEKs.

XChaCha20-Poly1305 is the AEAD. The additional data (AD) for the AEAD is the keyName used to encrypt the DEK, and the same value serves as the HKDF salt. The XChaCha20-Poly1305 key and nonce are derived from the DEK via HKDF. Because the key name is bound as AD, a message can only be opened under the key name it was encrypted with.

The additional data is concatenated with the resulting ciphertext. The encrypted DEK (EDEK) is stored alongside the encrypted message, concatenated with the ciphertext.

A fresh DEK is generated on every encryption, so encrypting the same plaintext twice produces two different messages (a different EDEK and a different ciphertext each time).

Resulting message structure (the number after a field name is its size in bytes):

[Header:1||Size(EDEK):2||EDEK||ciphertext]
EDEK - Encrypted data encryption key
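How the envelope described above fits together, as an added example that is not the package's own code: it implements the [Header:1||Size(EDEK):2||EDEK||ciphertext] layout, a fresh DEK per message, HKDF derivation of the AEAD key and nonce with the key name as salt, and the key name as AEAD additional data. So that it runs offline without AWS, a fakeKMS stub stands in for the KMS GenerateDataKey/Decrypt calls (its "EDEK" is an opaque random handle), AES-256-GCM from the standard library replaces XChaCha20-Poly1305 (which lives in golang.org/x/crypto), and HKDF-SHA256 is written out rather than imported. The header byte value, the big-endian size field, the "awskms-example" HKDF info string and the key name alias/example are assumptions, not taken from the package.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// KeySize is the DEK size from this page. headerByte is assumed (the page does not
// say what the header carries); nonceSize is AES-GCM's, where XChaCha20-Poly1305 uses 24.
const (
	KeySize    = 32
	headerByte = 0x01
	nonceSize  = 12
)

// DEKWrapper is the KMS surface the scheme needs (GenerateDataKey and Decrypt).
// It is an assumed interface for this example, not the package's own.
type DEKWrapper interface {
	GenerateDataKey() (dek, edek []byte, err error)
	DecryptDataKey(edek []byte) ([]byte, error)
	KeyName() string // used as AEAD additional data and HKDF salt
}

// fakeKMS stands in for AWS KMS so the example runs offline: its "EDEK" is an
// opaque random handle that only this stub can map back to the DEK.
type fakeKMS struct {
	name  string
	store map[string][]byte
}

func (f *fakeKMS) KeyName() string { return f.name }

func (f *fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	buf := make([]byte, KeySize+16) // fresh DEK followed by a 16-byte opaque handle
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	f.store[string(buf[KeySize:])] = buf[:KeySize]
	return buf[:KeySize], buf[KeySize:], nil
}

func (f *fakeKMS) DecryptDataKey(edek []byte) ([]byte, error) {
	if dek, ok := f.store[string(edek)]; ok {
		return dek, nil
	}
	return nil, fmt.Errorf("kms: unknown encrypted data key")
}

// hkdfSHA256 is RFC 5869 extract-then-expand, written out to stay on the standard library.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk, okm, prev := ext.Sum(nil), []byte{}, []byte{}
	for i := byte(1); len(okm) < n; i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(append(append(append([]byte{}, prev...), info...), i))
		prev = h.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:n]
}

// deriveAEAD derives the message key and nonce from the DEK with HKDF, salted with the
// key name as the page describes. A derived nonce is safe only because every message
// is encrypted under a fresh random DEK. The info string is an assumption.
func deriveAEAD(dek, ad []byte) (cipher.AEAD, []byte) {
	okm := hkdfSHA256(dek, ad, []byte("awskms-example"), KeySize+nonceSize)
	block, _ := aes.NewCipher(okm[:KeySize]) // KeySize is a valid AES key length
	aead, _ := cipher.NewGCM(block)          // cannot fail for an AES block
	return aead, okm[KeySize:]
}

// Encrypt builds [Header:1 || Size(EDEK):2 || EDEK || ciphertext] (size is big-endian, assumed).
func Encrypt(w DEKWrapper, plaintext []byte) ([]byte, error) {
	dek, edek, err := w.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	if len(edek) > 0xFFFF {
		return nil, fmt.Errorf("edek does not fit the 2-byte size field")
	}
	ad := []byte(w.KeyName())
	aead, nonce := deriveAEAD(dek, ad)
	out := make([]byte, 3, 3+len(edek)+len(plaintext)+aead.Overhead())
	out[0] = headerByte
	binary.BigEndian.PutUint16(out[1:3], uint16(len(edek)))
	return aead.Seal(append(out, edek...), nonce, plaintext, ad), nil
}

// Decrypt parses the envelope, unwraps the DEK through KMS and opens the AEAD.
func Decrypt(w DEKWrapper, msg []byte) ([]byte, error) {
	if len(msg) < 3 || msg[0] != headerByte {
		return nil, fmt.Errorf("bad or missing header")
	}
	n := int(binary.BigEndian.Uint16(msg[1:3]))
	if len(msg)-3 < n {
		return nil, fmt.Errorf("truncated edek")
	}
	dek, err := w.DecryptDataKey(msg[3 : 3+n])
	if err != nil {
		return nil, err
	}
	ad := []byte(w.KeyName())
	aead, nonce := deriveAEAD(dek, ad)
	return aead.Open(nil, nonce, msg[3+n:], ad)
}

func main() {
	kms := &fakeKMS{name: "alias/example", store: map[string][]byte{}} // constructed key name
	msg, err := Encrypt(kms, []byte("attack at dawn"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kms, msg)
	fmt.Printf("%d-byte envelope, plaintext %q, err=%v\n", len(msg), pt, err)
}
```

To match the package's description, swap deriveAEAD's AES-GCM for chacha20poly1305.NewX with a 24-byte derived nonce and replace fakeKMS with a real KMS client; nothing else changes. Two properties worth keeping in mind when reading the code: decrypting under a different key name fails even when the DEK unwraps, because the name is bound as AD, and the derived nonce is only sound while each message gets its own DEK.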

Index

Constants

const (
	// KeySize is the size, in bytes, of data encryption keys
	KeySize = 32
)

Variables

This section is empty.

Functions

func New

func New(options Options) (crypto.EncryptDecrypter, error)

New returns a crypto.EncryptDecrypter backed by the KMS key and credentials described by options.

Types

type Options

type Options struct {
	KeyID           string
	Region          string
	AccessKeyID     string
	SecretAccessKey string

	Timeout time.Duration
}

Options defines all the parameters needed for encrypting and decrypting via AWS KMS: the KMS key to wrap DEKs with (KeyID) and its Region, the static credentials used to call KMS, and a per-call Timeout. The principal behind AccessKeyID and SecretAccessKey must be allowed to generate data keys under KeyID to encrypt and to decrypt under it to decrypt (for a symmetric key, kms:GenerateDataKey and kms:Decrypt).
