gcpkms

package
v0.0.4
Published: Oct 11, 2019 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package gcpkms encrypts the message using Google Cloud KMS.

Only the recipient can decrypt the message using the corresponding private key. While the recipient can verify the integrity of the message, it cannot verify the identity of the sender.

The sender anonymously encrypts the message using a randomly generated data encryption key (DEK). The DEK is then encrypted via GCP KMS.

Either a symmetric or an asymmetric KMS method can be used to encrypt the DEK.

XChaCha20-Poly1305 is used for AEAD. The additional data (AD) for the AEAD is the keyName used to encrypt the DEK; the additional data also serves as the salt. The key and nonce for XChaCha20-Poly1305 are derived via HKDF.

The additional data is concatenated with the resulting ciphertext. The encrypted DEK (EDEK) is stored alongside the encrypted message, concatenated with the ciphertext.

A new DEK is generated on every encryption call, so encrypting the same plaintext twice uses a different DEK each time.

Resulting message structure:

[Header:1||Size(EDEK):2||EDEK||ciphertext]
EDEK - Encrypted data encryption key
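An added example, not part of the gcpkms package, that packs and parses the message layout above. It assumes the 2-byte Size(EDEK) field is big-endian (the page does not state the byte order) and treats the header byte as an opaque parameter; the point is that Size(EDEK) arrives inside an untrusted message and must be bounds-checked before slicing.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const fixedLen = 1 + 2 // 1-byte header followed by 2-byte Size(EDEK)

// PackMessage builds [Header:1||Size(EDEK):2||EDEK||ciphertext].
// Assumption: Size(EDEK) is encoded big-endian.
func PackMessage(header byte, edek, ciphertext []byte) ([]byte, error) {
	if len(edek) > 0xFFFF {
		return nil, errors.New("EDEK too long for a 2-byte length field")
	}
	var size [2]byte
	binary.BigEndian.PutUint16(size[:], uint16(len(edek)))
	out := make([]byte, 0, fixedLen+len(edek)+len(ciphertext))
	out = append(out, header)
	out = append(out, size[:]...)
	out = append(out, edek...)
	return append(out, ciphertext...), nil
}

// ParseMessage splits an untrusted message back into its fields. The length
// field is taken from the message itself, so it is validated against the
// bytes actually present instead of being trusted.
func ParseMessage(msg []byte) (header byte, edek, ciphertext []byte, err error) {
	if len(msg) < fixedLen {
		return 0, nil, nil, errors.New("message shorter than header and length field")
	}
	n := int(binary.BigEndian.Uint16(msg[1:3]))
	if remaining := len(msg) - fixedLen; remaining < n {
		return 0, nil, nil, fmt.Errorf("EDEK length %d exceeds remaining %d bytes", n, remaining)
	}
	return msg[0], msg[fixedLen : fixedLen+n], msg[fixedLen+n:], nil
}

func main() {
	// Constructed sample values: a real EDEK comes from KMS and the
	// ciphertext from XChaCha20-Poly1305.
	msg, _ := PackMessage(0x01, []byte("edek-bytes"), []byte("ciphertext-bytes"))
	h, e, c, err := ParseMessage(msg)
	fmt.Printf("header=%#x edek=%q ciphertext=%q err=%v\n", h, e, c, err)
}
```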

Index

Constants

const (
	// KeySize is the size, in bytes, of data encryption keys
	KeySize = 32
)

Variables

This section is empty.

Functions

func GetPublicKey

func GetPublicKey(ctx context.Context, options Options) (*rsa.PublicKey, string, error)

GetPublicKey fetches the RSA public key from GCP KMS and returns it in both decoded and encoded forms.

func New

func New(options Options) (crypto.EncryptDecrypter, error)

New returns a new instance of crypto.EncryptDecrypter. If Credentials is nil, application default credentials are used for authentication.

func ParsePublicKey

func ParsePublicKey(encoded string) (*rsa.PublicKey, error)

ParsePublicKey parses a PEM-formatted RSA public key.

Types

type Options

type Options struct {
	ProjectID        string
	LocationID       string
	KeyRingID        string
	CryptoKeyID      string
	CryptoKeyVersion int

	Credentials []byte
	PublicKey   *rsa.PublicKey

	Timeout time.Duration
}

Options defines all the parameters needed for encrypting and decrypting via GCP KMS.
