Back to

Package kms

Latest Go to latest
Published: Jun 24, 2020 | License: Apache-2.0 | Module:


Package kms implements a Keycrypt using AWS's KMS service and S3. Secrets are stored using the AWS-provided s3crypto package, which uses a KMS data key to perform client-side encryption and decryption of keys.

For each key stored, s3crypto retrieves a data encryption key which is derived from a master key stored securely in KMS's HSMs. KMS returns both an encrypted and a plaintext version of the data encryption key. The key is subsequently used to encrypt the keybundle and is then thrown away. The encrypted version of the key is stored together with the bundle.

Access to Amazon's KMS is controlled by IAM security policies.

When a bundle is retrieved, s3crypto asks KMS to decrypt the key that is stored with the bundle, which in turn is used to decrypt the bundle contents.


Package Files


var CredentialsChainVerboseErrors = false

CredentialsChainVerboseErrors is used to set aws.Config.CredentialsChainVerboseErrors when creating a kms session.

var DefaultRegion = "us-west-2"

DefaultRegion is used to set the the AWS region for looking up KMS keys.

type Crypt

type Crypt struct {
	// contains filtered or unexported fields

Crypt implements a Keycrypt using Amazon's KMS and S3 services.

func New

func New(sess *session.Session, id string) *Crypt

Create a new Keycrypt instance which uses Amazon's KMS to store key material securely.

func (*Crypt) Lookup

func (c *Crypt) Lookup(name string) keycrypt.Secret
Documentation was rendered with GOOS=linux and GOARCH=amd64.

Jump to identifier

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to identifier