Documentation ¶
Overview ¶
Package encryptor implements various encryption methods for use with cryptic.
Everything in this package implements the EncryptDecryptor interface.
See the KMS implementation for an example of how encryptors can be chained together to create layered solutions.
Where suitable, implementors of the EncryptDecryptor interface should return the errors defined in this package.
Encryptors must support binary secrets.
Index ¶
Constants ¶
const (
	Nop uint8 = iota
	AESCTR
	KMSWrapped
	Pbkdf2
	AESGCM
)
Used to identify different Encryptor types. The value is recorded in EncryptedData.Type and checked by Decrypt, so a record is never handed to an Encryptor other than the one that produced it.
Variables ¶
var (
	// ErrWrongType indicates an EncryptedData struct was created with a
	// different Encryptor than the one being used to decrypt it.
	ErrWrongType = errors.New("encryptor: wrong encryptor type")
	// ErrInvalidHmac indicates message authentication has failed.
	ErrInvalidHmac = errors.New("encryptor: invalid HMAC")
	// ErrKeyTooShort indicates the encryption key provided is too short to be
	// useful.
	ErrKeyTooShort = errors.New("encryptor: key provided is too short")
	// ErrHmacKeyTooShort indicates the HMAC key is too short to be useful.
	ErrHmacKeyTooShort = errors.New("encryptor: HMAC key is required")
	// ErrInvalidCiphertext indicates the ciphertext cannot be decrypted.
	ErrInvalidCiphertext = errors.New("encryptor: invalid ciphertext")
	// ErrMissingContext indicates required contextual data is missing.
	ErrMissingContext = errors.New("encryptor: missing required context data")
)
Functions ¶
This section is empty.
Types ¶
type AESCTREncryptor ¶
type AESCTREncryptor struct {
// contains filtered or unexported fields
}
AESCTREncryptor provides AES encryption of secrets in CTR mode with HMAC-SHA256 for message authentication (encrypt-then-MAC). CTR mode on its own provides no integrity, so the HMAC is what detects a modified ciphertext.
func NewAES ¶
func NewAES(aesKey, hmacKey []byte) (*AESCTREncryptor, error)
NewAES returns an initialised Encryptor using AES in CTR (counter) mode and HMAC-SHA256 for message authentication. aesKey must be 16, 24 or 32 bytes (AES-128, -192 or -256) and hmacKey must be a separate key; ErrKeyTooShort and ErrHmacKeyTooShort are returned otherwise.
func (*AESCTREncryptor) Decrypt ¶
func (e *AESCTREncryptor) Decrypt(data *EncryptedData) ([]byte, error)
Decrypt checks that data was created by an AESCTREncryptor (returning ErrWrongType otherwise), validates the HMAC in constant time, which both prevents a timing side-channel attack on the comparison and detects any corruption or tampering of the ciphertext (ErrInvalidHmac), and only then decrypts the ciphertext, returning the original plaintext.
func (*AESCTREncryptor) Encrypt ¶
func (e *AESCTREncryptor) Encrypt(secret []byte) (*EncryptedData, error)
Encrypt generates a fresh random IV for each call and encrypts the plaintext secret with the configured AES key in CTR mode. An IV must never repeat under the same key: CTR mode would then leak the XOR of the two plaintexts.
An HMAC-SHA256 over the result is then computed with the configured HMAC key, which must be independent of the AES key.
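The encrypt-then-MAC construction described above, as an added example rather than cryptic's own code. It re-declares the constants, errors and EncryptedData locally so it compiles alone, and makes three assumptions not stated on the page: the IV is carried in Context under "iv", the HMAC covers IV and ciphertext together, and NewAES insists on an HMAC key of at least 32 bytes. Decrypt verifies the tag with hmac.Equal before it touches the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Stand-ins for the package's exported names so this file compiles on its own.
const AESCTR uint8 = 1 // second value of the package's iota list (Nop is 0)

var (
	ErrWrongType       = errors.New("encryptor: wrong encryptor type")
	ErrInvalidHmac     = errors.New("encryptor: invalid HMAC")
	ErrKeyTooShort     = errors.New("encryptor: key provided is too short")
	ErrHmacKeyTooShort = errors.New("encryptor: HMAC key is required")
	ErrMissingContext  = errors.New("encryptor: missing required context data")
)

type EncryptedData struct {
	Ciphertext []byte
	HMAC       []byte
	Type       uint8
	Context    map[string]interface{}
}

// AESCTREncryptor is encrypt-then-MAC: AES-CTR for confidentiality, HMAC-SHA256
// over IV||ciphertext for integrity, keyed with two independent keys.
type AESCTREncryptor struct {
	block   cipher.Block
	hmacKey []byte
}

func NewAES(aesKey, hmacKey []byte) (*AESCTREncryptor, error) {
	if l := len(aesKey); l != 16 && l != 24 && l != 32 {
		return nil, ErrKeyTooShort
	}
	if len(hmacKey) < sha256.Size { // assumption: require at least 32 bytes of HMAC key
		return nil, ErrHmacKeyTooShort
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	return &AESCTREncryptor{block: block, hmacKey: hmacKey}, nil
}

// tag authenticates the IV together with the ciphertext so neither can be swapped.
func (e *AESCTREncryptor) tag(iv, ciphertext []byte) []byte {
	h := hmac.New(sha256.New, e.hmacKey)
	h.Write(iv)
	h.Write(ciphertext)
	return h.Sum(nil)
}

func (e *AESCTREncryptor) Encrypt(secret []byte) (*EncryptedData, error) {
	// Fresh random IV per call: a (key, IV) pair reused in CTR mode leaks the XOR of the plaintexts.
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ciphertext := make([]byte, len(secret))
	cipher.NewCTR(e.block, iv).XORKeyStream(ciphertext, secret)
	return &EncryptedData{
		Ciphertext: ciphertext,
		HMAC:       e.tag(iv, ciphertext),
		Type:       AESCTR,
		Context:    map[string]interface{}{"iv": iv}, // assumption: the IV travels in Context
	}, nil
}

func (e *AESCTREncryptor) Decrypt(data *EncryptedData) ([]byte, error) {
	if data.Type != AESCTR {
		return nil, ErrWrongType
	}
	iv, ok := data.Context["iv"].([]byte)
	if !ok || len(iv) != aes.BlockSize {
		return nil, ErrMissingContext
	}
	// Verify before decrypting; hmac.Equal is a constant-time comparison.
	if !hmac.Equal(data.HMAC, e.tag(iv, data.Ciphertext)) {
		return nil, ErrInvalidHmac
	}
	plaintext := make([]byte, len(data.Ciphertext))
	cipher.NewCTR(e.block, iv).XORKeyStream(plaintext, data.Ciphertext)
	return plaintext, nil
}
```

Usage: `e, err := NewAES(aesKey, hmacKey)`, then `data, _ := e.Encrypt(secret)` and `plain, err := e.Decrypt(data)`; flipping any bit of data.Ciphertext, data.HMAC or the stored IV makes Decrypt return ErrInvalidHmac without producing plaintext. Including the IV under the MAC matters: with CTR, an attacker who can swap the IV can otherwise flip chosen plaintext bits of the first block.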
type AESGCMEncryptor ¶ added in v1.2.0
type AESGCMEncryptor struct {
// contains filtered or unexported fields
}
AESGCMEncryptor provides AES encryption of secrets in GCM (Galois/Counter Mode), an authenticated mode that protects data integrity as well as confidentiality, so no separate HMAC is needed.
func NewAESGCM ¶ added in v1.2.0
func NewAESGCM(aesKey []byte) (*AESGCMEncryptor, error)
NewAESGCM returns an initialised Encryptor using AES in GCM (Galois/Counter Mode), which authenticates the ciphertext and so ensures data integrity.
func (*AESGCMEncryptor) Decrypt ¶ added in v1.2.0
func (e *AESGCMEncryptor) Decrypt(data *EncryptedData) ([]byte, error)
Decrypt checks that data was encrypted with AESGCMEncryptor (returning ErrWrongType otherwise) and decrypts the ciphertext. GCM verifies the authentication tag as part of decryption, so a modified ciphertext is rejected rather than decrypted to garbage.
func (*AESGCMEncryptor) Encrypt ¶ added in v1.2.0
func (e *AESGCMEncryptor) Encrypt(plaintext []byte) (*EncryptedData, error)
Encrypt generates a unique nonce for each call and encrypts the plaintext secret with the configured AES key. A GCM nonce must never be reused under the same key: a repeat exposes the XOR of the two plaintexts and lets an attacker forge authentication tags.
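The AESGCMEncryptor behaviour described above, as an added example that is not cryptic's own code. Names are re-declared locally; beyond the page it assumes that the nonce is carried in Context under "nonce", that the 16-byte GCM tag is left appended to Ciphertext (so the HMAC field stays empty), and, as defence in depth, that the Type byte is bound into the authenticated data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Stand-ins for the package's exported names so this file compiles on its own.
const AESGCM uint8 = 4 // fifth value of the package's iota list

var (
	ErrWrongType         = errors.New("encryptor: wrong encryptor type")
	ErrKeyTooShort       = errors.New("encryptor: key provided is too short")
	ErrInvalidCiphertext = errors.New("encryptor: invalid ciphertext")
	ErrMissingContext    = errors.New("encryptor: missing required context data")
)

type EncryptedData struct {
	Ciphertext []byte
	HMAC       []byte // unused here: GCM's 16-byte tag is appended to Ciphertext by Seal
	Type       uint8
	Context    map[string]interface{}
}

type AESGCMEncryptor struct {
	aead cipher.AEAD
}

func NewAESGCM(aesKey []byte) (*AESGCMEncryptor, error) {
	if l := len(aesKey); l != 16 && l != 24 && l != 32 {
		return nil, ErrKeyTooShort
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &AESGCMEncryptor{aead: aead}, nil
}

func (e *AESGCMEncryptor) Encrypt(plaintext []byte) (*EncryptedData, error) {
	// Random 96-bit nonce per call. A nonce repeated under one key breaks GCM completely
	// (keystream reuse and recovery of the authentication key), so with random nonces
	// rotate the key well before 2^32 messages.
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Assumption: the Type byte is bound as additional authenticated data, so a record
	// relabelled as another encryptor type fails authentication instead of decrypting.
	ct := e.aead.Seal(nil, nonce, plaintext, []byte{AESGCM})
	return &EncryptedData{
		Ciphertext: ct,
		Type:       AESGCM,
		Context:    map[string]interface{}{"nonce": nonce}, // assumption: the nonce travels in Context
	}, nil
}

func (e *AESGCMEncryptor) Decrypt(data *EncryptedData) ([]byte, error) {
	if data.Type != AESGCM {
		return nil, ErrWrongType
	}
	nonce, ok := data.Context["nonce"].([]byte)
	if !ok || len(nonce) != e.aead.NonceSize() {
		return nil, ErrMissingContext
	}
	// Open checks the tag before releasing any plaintext: one modified byte anywhere in
	// the ciphertext or tag yields an error, never garbage.
	pt, err := e.aead.Open(nil, nonce, data.Ciphertext, []byte{data.Type})
	if err != nil {
		return nil, ErrInvalidCiphertext
	}
	return pt, nil
}

func main() {
	e, err := NewAESGCM(bytes.Repeat([]byte{0x33}, 32)) // constructed demo key (AES-256)
	if err != nil {
		panic(err)
	}
	data, err := e.Encrypt([]byte("binary\x00secret\xff"))
	if err != nil {
		panic(err)
	}
	fmt.Println(len(data.Ciphertext)) // plaintext length + 16-byte tag
	data.Ciphertext[len(data.Ciphertext)-1] ^= 0x80 // corrupt the tag
	_, err = e.Decrypt(data)
	fmt.Println(err)
}
```

Compared with the CTR+HMAC encryptor, the nonce here is only 96 bits, which is why the key-rotation note in Encrypt matters: with 16-byte random IVs the birthday bound is far away, with 12-byte random nonces it is reached at around 2^32 messages.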
type Decryptor ¶
type Decryptor interface {
Decrypt(data *EncryptedData) ([]byte, error)
}
Decryptor defines the Decrypt method, used to decrypt the given ciphertext.
type EncryptDecryptor ¶
EncryptDecryptor defines the Encrypt and Decrypt methods (see Encryptor and Decryptor) that every encryptor struct in this package implements.
type EncryptedData ¶
type EncryptedData struct {
	Ciphertext []byte
	HMAC       []byte
	Type       uint8
	Context    map[string]interface{}
}
EncryptedData holds the result of a call to Encrypt(), where Ciphertext is the encrypted input, HMAC is the message authentication code, if any, that the Encryptor computed over Ciphertext (HMAC-SHA256 for AESCTREncryptor), Type identifies the Encryptor that produced the record, and Context provides Encryptor-specific information needed for decryption (such as an IV or nonce).
Context must not hold any secret information, as the entire EncryptedData struct is stored in plaintext by the storage back-end. The serialised struct is not itself authenticated: tampering is detected only when Decrypt checks the HMAC or the GCM tag.
func (EncryptedData) MarshalBinary ¶
func (e EncryptedData) MarshalBinary() ([]byte, error)
MarshalBinary returns the EncryptedData struct encoded into a slice of bytes using encoding/gob.
func (*EncryptedData) UnmarshalBinary ¶
func (e *EncryptedData) UnmarshalBinary(data []byte) error
UnmarshalBinary decodes a Gob-encoded slice of bytes, as produced by MarshalBinary, into the receiver.
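The Gob round trip and the plaintext-Context caveat, as an added example that is not cryptic's own code. One detail is an implementation choice of this example rather than something the page states: gob itself honours encoding.BinaryMarshaler, so the methods encode through a method-less alias type to avoid calling themselves recursively. ContextIsVisible is a hypothetical helper that shows what a storage back-end sees.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"fmt"
)

// Stand-in for the package's EncryptedData so this file compiles on its own.
type EncryptedData struct {
	Ciphertext []byte
	HMAC       []byte
	Type       uint8
	Context    map[string]interface{}
}

// gobData has EncryptedData's fields but none of its methods. gob honours
// encoding.BinaryMarshaler itself, so encoding an EncryptedData directly would
// call MarshalBinary from inside MarshalBinary; converting to the method-less
// type makes gob encode the fields instead.
type gobData EncryptedData

func (e EncryptedData) MarshalBinary() ([]byte, error) {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(gobData(e)); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func (e *EncryptedData) UnmarshalBinary(data []byte) error {
	return gob.NewDecoder(bytes.NewReader(data)).Decode((*gobData)(e))
}

// ContextIsVisible reports whether value appears verbatim in the encoded bytes,
// i.e. whether the storage back-end (and anyone who can read it) sees it.
func ContextIsVisible(e EncryptedData, value string) (bool, error) {
	enc, err := e.MarshalBinary()
	if err != nil {
		return false, err
	}
	return bytes.Contains(enc, []byte(value)), nil
}

func main() {
	// Constructed record: arbitrary ciphertext bytes, an IV such as a real encryptor
	// might store, and a label that a careless caller might add.
	in := EncryptedData{
		Ciphertext: []byte{0xde, 0xad, 0xbe, 0xef},
		HMAC:       bytes.Repeat([]byte{0x42}, 32),
		Type:       1,
		Context:    map[string]interface{}{"iv": []byte{1, 2, 3}, "label": "prod/db-password"},
	}
	enc, err := in.MarshalBinary()
	if err != nil {
		panic(err)
	}
	var out EncryptedData
	if err := out.UnmarshalBinary(enc); err != nil {
		panic(err)
	}
	visible, _ := ContextIsVisible(in, "prod/db-password")
	fmt.Println(bytes.Equal(out.Ciphertext, in.Ciphertext), out.Type, visible) // true 1 true
}
```

The label survives the round trip and is readable in the stored bytes, which is the point of the warning above: anything placed in Context is as exposed as the ciphertext itself. Gob encodes interface values by concrete type, so Context values are limited to types gob knows (the basic types and []byte are registered by default; anything else needs gob.Register).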
type EncryptionProvider ¶
type EncryptionProvider func(key []byte) (EncryptDecryptor, error)
EncryptionProvider implementations return an initialised Encryptor, where key is the key material used to initialise it.
type Encryptor ¶
type Encryptor interface {
Encrypt(secret []byte) (*EncryptedData, error)
}
Encryptor defines the Encrypt method, used to encrypt the given plaintext.
type KDF ¶ added in v1.1.0
type KDF struct {
	Provider   EncryptionProvider
	SaltSize   int
	Iterations int
	SourceKey  []byte
}
KDF implements PBKDF2: a key is derived from SourceKey using HMAC-SHA-512, with a random salt of SaltSize bytes and Iterations rounds, and passed to Provider. The salt and iteration count are not secret but must be available again at decryption time.
By default Provider initialises an AESCTREncryptor (see NewKDF).
func NewKDF ¶ added in v1.1.0
NewKDF by default returns an AESCTREncryptor wrapped in a KDF, so that the key it encrypts with is derived with PBKDF2 rather than used directly.
type KMS ¶
type KMS struct {
	KeySize  int64
	Provider EncryptionProvider
	// contains filtered or unexported fields
}
KMS wraps the key of any other Encryptor with Amazon KMS (envelope encryption): the secret is encrypted by the inner Encryptor, and only a KMS-wrapped copy of that Encryptor's key is kept. By default the inner Encryptor uses AES-256.
func NewKMS ¶
NewKMS returns an initialised Encryptor that uses Amazon KMS to wrap the keys the underlying Encryptor encrypts secrets with.
By default, KMS uses an AESCTREncryptor with a 32 byte key (AES-256).
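The envelope layering that KMS performs, as an added example that is not cryptic's own code; it also illustrates the chaining of encryptors that the overview points to. Amazon KMS is replaced by a local stand-in offering the two operations envelope encryption needs (GenerateDataKey and Decrypt), the inner cipher is AES-256-GCM applied directly rather than through the page's Provider, and the wrapped data key is assumed to travel in Context under "wrapped_key".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Stand-ins for the package's exported names so this file compiles on its own.
const KMSWrapped uint8 = 2 // third value of the package's iota list
var ErrWrongType = errors.New("encryptor: wrong encryptor type")
var ErrMissingContext = errors.New("encryptor: missing required context data")
type EncryptedData struct {
	Ciphertext []byte
	Type       uint8
	Context    map[string]interface{}
}

// AES-GCM helpers used by both layers; seal prefixes the random nonce to its output.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(a cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, nil), nil
}

func open(a cipher.AEAD, blob []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(blob) < n {
		return nil, errors.New("encryptor: invalid ciphertext")
	}
	return a.Open(nil, blob[:n], blob[n:], nil)
}

// localKMS stands in for the two Amazon KMS operations envelope encryption needs,
// GenerateDataKey and Decrypt. Its master key never leaves it, just as a real KMS key
// never leaves the service; swap in the AWS client for production.
type localKMS struct{ master cipher.AEAD }

func (l *localKMS) GenerateDataKey(size int) (plain, wrapped []byte, err error) {
	plain = make([]byte, size)
	if _, err = io.ReadFull(rand.Reader, plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(l.master, plain)
	return plain, wrapped, err
}

func (l *localKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(l.master, wrapped) }

// KMS is the envelope layer: each secret gets its own random data key, is encrypted
// under it, and only the KMS-wrapped copy of that key is stored. Assumptions in this
// example: AES-256-GCM is applied here directly rather than through the page's
// Provider, and the wrapped key rides in Context["wrapped_key"].
type KMS struct {
	KeySize int
	Wrapper *localKMS
}

func (k *KMS) Encrypt(secret []byte) (*EncryptedData, error) {
	plainKey, wrapped, err := k.Wrapper.GenerateDataKey(k.KeySize)
	if err != nil {
		return nil, err
	}
	a, err := newAEAD(plainKey)
	if err != nil {
		return nil, err
	}
	ct, err := seal(a, secret)
	if err != nil {
		return nil, err
	}
	return &EncryptedData{Ciphertext: ct, Type: KMSWrapped, Context: map[string]interface{}{"wrapped_key": wrapped}}, nil
}

func (k *KMS) Decrypt(data *EncryptedData) ([]byte, error) {
	if data.Type != KMSWrapped {
		return nil, ErrWrongType
	}
	wrapped, ok := data.Context["wrapped_key"].([]byte)
	if !ok {
		return nil, ErrMissingContext
	}
	plainKey, err := k.Wrapper.Decrypt(wrapped) // the single KMS round trip a decrypt needs
	if err != nil {
		return nil, err
	}
	a, err := newAEAD(plainKey)
	if err != nil {
		return nil, err
	}
	return open(a, data.Ciphertext)
}
```

Usage: `k := &KMS{KeySize: 32, Wrapper: &localKMS{masterAEAD}}`, then `k.Encrypt(secret)` and `k.Decrypt(data)`. The properties worth checking are that every secret gets a different wrapped key, that a tampered wrapped key or ciphertext is rejected, and that a different master key cannot unwrap anything. In production the plaintext data key should be zeroed as soon as the AEAD has been built from it, and the KMS call should carry an encryption context that ties the wrapped key to the record it belongs to.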
type NopEncryptor ¶
type NopEncryptor struct{}
NopEncryptor returns an EncryptedData struct whose contents are not encrypted in any way, for development purposes.
It does nothing and must not be used in production.
func (NopEncryptor) Decrypt ¶
func (e NopEncryptor) Decrypt(data *EncryptedData) ([]byte, error)
Decrypt returns the unencrypted secret stored in data.
func (NopEncryptor) Encrypt ¶
func (e NopEncryptor) Encrypt(secret []byte) (*EncryptedData, error)
Encrypt does nothing: it simply returns an initialised EncryptedData struct with NO ENCRYPTION.
Do not use it for anything other than tests.