Documentation
Index
- Variables
- func AddRecoverySlot(s store.ObjectStore, masterKey []byte) (mnemonic string, err error)
- func ChangePasswordSlot(s store.ObjectStore, masterKey []byte, newPassword string) error
- func DeriveEncryptionKey(masterKey []byte) ([]byte, error)
- func HasKeySlots(s store.ObjectStore) bool
- func SlotTypes(slots []KeySlot) string
- func WriteKeySlot(s store.ObjectStore, slot KeySlot) error
- type Chain
- type Credential
- type KDFParams
- type KeySlot
Constants
This section is empty.
Variables
var ErrCannotWrap = fmt.Errorf("credential does not support wrapping")
ErrCannotWrap indicates a Credential does not support wrapping.
Functions
func AddRecoverySlot
func AddRecoverySlot(s store.ObjectStore, masterKey []byte) (mnemonic string, err error)
AddRecoverySlot generates a recovery key, wraps the given master key with it, stores the recovery slot, and returns the BIP39 24-word mnemonic.
func ChangePasswordSlot
func ChangePasswordSlot(s store.ObjectStore, masterKey []byte, newPassword string) error
ChangePasswordSlot replaces (or creates) the password key slot for the repository. masterKey is the unwrapped master key; newPassword is the new password to wrap it with. The old password slot (keys/password-default) is overwritten.
func DeriveEncryptionKey
func DeriveEncryptionKey(masterKey []byte) ([]byte, error)
DeriveEncryptionKey derives the AES-256 encryption key from a master key.
func HasKeySlots
func HasKeySlots(s store.ObjectStore) bool
HasKeySlots reports whether the store contains any encryption key slots.
func WriteKeySlot
func WriteKeySlot(s store.ObjectStore, slot KeySlot) error
Types
type Chain
type Chain []Credential
Chain is an ordered collection of Credentials.
type Credential
type Credential interface {
    // Resolve attempts to derive the master key from the given key slots.
    // Returns the master key if successful, or an error otherwise.
    Resolve(ctx context.Context, slots []KeySlot) ([]byte, error)

    // Wrap generates a new KeySlot wrapping the given master key.
    // Returns the created KeySlot, or an error if the credential cannot wrap.
    Wrap(ctx context.Context, masterKey []byte) (KeySlot, error)
}
Credential attempts to resolve or wrap the master key for the repository.
func WithKMSARN
func WithKMSARN(arn string) Credential
WithKMSARN returns a credential using an AWS KMS key ARN, initializing the client on demand.
func WithKMSClient
func WithKMSClient(client crypto.KMSClient) Credential
WithKMSClient returns a credential using an explicit AWS KMS client.
func WithPassword
func WithPassword(password string) Credential
WithPassword returns a credential using a password.
func WithPlatformKey
func WithPlatformKey(key []byte) Credential
WithPlatformKey returns a credential using a raw platform key.
func WithPrompt
func WithPrompt(resolve, wrap func() (string, error)) Credential
WithPrompt returns a credential that prompts for a password interactively. The resolve function is used when opening an existing repository (prompts once). The wrap function is used when creating new key slots (should prompt with confirmation).
func WithRecoveryKey
func WithRecoveryKey(mnemonic string) Credential
WithRecoveryKey returns a credential using a BIP39 recovery mnemonic.
type KDFParams
type KDFParams struct {
    Algorithm string `json:"algorithm"`
    Salt      string `json:"salt"` // base64-encoded
    Time      uint32 `json:"time"`
    Memory    uint32 `json:"memory"`
    Threads   uint8  `json:"threads"`
}
KDFParams holds the parameters for password-based key derivation.
type KeySlot
type KeySlot struct {
    SlotType   string     `json:"slot_type"`
    WrappedKey string     `json:"wrapped_key"`
    Label      string     `json:"label"`
    KDFParams  *KDFParams `json:"kdf_params,omitempty"`
}
KeySlot is the JSON representation of an encryption key slot stored in B2.
func CreatePasswordSlot
func CreatePlatformSlot
func CreateRecoverySlot
func LoadKeySlots
func LoadKeySlots(s store.ObjectStore) ([]KeySlot, error)
LoadKeySlots reads all key slot objects from the store.