Documentation

Overview

    Package kms implements a Keycrypt using AWS's KMS service and S3. Secrets are stored using the AWS-provided s3crypto package, which uses a KMS data key to perform client-side encryption and decryption of keys.

    For each key stored, s3crypto retrieves a data encryption key which is derived from a master key stored securely in KMS's HSMs. KMS returns both an encrypted and a plaintext version of the data encryption key. The key is subsequently used to encrypt the keybundle and is then thrown away. The encrypted version of the key is stored together with the bundle.

    Access to Amazon's KMS is controlled by IAM security policies.

    When a bundle is retrieved, s3crypto asks KMS to decrypt the key that is stored with the bundle, which in turn is used to decrypt the bundle contents.

    Index

    Constants

    This section is empty.

    Variables

    View Source
    var CredentialsChainVerboseErrors = false

      CredentialsChainVerboseErrors is used to set aws.Config.CredentialsChainVerboseErrors when creating a kms session.

      View Source
      var DefaultRegion = "us-west-2"

        DefaultRegion is used to set the the AWS region for looking up KMS keys.

        Functions

        This section is empty.

        Types

        type Crypt

        type Crypt struct {
        	// contains filtered or unexported fields
        }

          Crypt implements a Keycrypt using Amazon's KMS and S3 services.

          func New

          func New(sess *session.Session, id string) *Crypt

            Create a new Keycrypt instance which uses Amazon's KMS to store key material securely.

            func (*Crypt) Lookup

            func (c *Crypt) Lookup(name string) keycrypt.Secret

            Source Files