security

package
v0.5.0
Published: Aug 5, 2019 License: BSD-3-Clause Imports: 16 Imported by: 0

README

🔏 Encrypto - encryption helpers.

AES / GCM

Standard library implementation of 256-bit AES with Galois/Counter Mode (GCM) data authentication.

One of the most popular authenticated encryption schemes today is AES-GCM due to its impressive speed.

Paper: https://eprint.iacr.org/2015/102.pdf

CloudKMS

Makes it easy to interact with GCP's CloudKMS service.

Assumes the "GOOGLE_APPLICATION_CREDENTIALS" environment variable is set up in your environment with access to the Cloud KMS service.

Authentication documentation: https://cloud.google.com/docs/authentication/getting-started

Go client library: https://cloud.google.com/kms/docs/reference/libraries#client-libraries-install-go

Remember to create a KeyRing and CryptoKey. Documentation: https://cloud.google.com/kms/docs/creating-keys

CloudKMS pricing: https://cloud.google.com/kms/pricing

Various helpers
  • Random string generator
  • Token generator
  • HMAC512 signing
  • SHA256 hashing

Documentation

Overview

Copyright (c) 2019 Leonardo Faoro. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultServer

func DefaultServer(hostPort string, router *mux.Router) *http.Server

DefaultServer returns an http.Server with TLS security defaults and sane timeouts.

func DefaultTLSConfig

func DefaultTLSConfig() *tls.Config

DefaultTLSConfig returns a tls.Config with enhanced security.

The TLS security configuration respects PCI DSS requirements.

func Hash

func Hash(data []byte) string

Hash is a convenience function for sha256 hashing that returns base16 encoded data.

func Hmac512

func Hmac512(key string, data io.Reader) (b64 string, err error)

Hmac512 computes an HMAC-SHA512 of the data read from the Reader under key and returns it as a base64-encoded string.

func NewEncryptionKey

func NewEncryptionKey() *[32]byte

NewEncryptionKey generates a random 256-bit key for Encrypt() and Decrypt(). It panics if the source of randomness fails.

func NewToken

func NewToken(len int, isTest bool) string

func RandomBytes

func RandomBytes(n int) []byte

RandomBytes returns securely generated random bytes. It will return an error if the system's secure random number generator fails to function correctly, in which case the caller should not continue.

In the rare case you get an error there's something seriously wrong with your operating system.

func RandomString

func RandomString(s int) string

RandomString returns a URL-safe, base64 encoded securely generated random string.

It will return an error if the system's secure random number generator fails to function correctly, in which case the caller should not continue.

Types

type Cryptor

type Cryptor interface {
	Encrypt(plainText []byte) (cipherText []byte, err error)
	Decrypt(cipherText []byte) (plainText []byte, err error)
}

Cryptor defines the methods for encryption and decryption of data.
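The following is an added example, not code from this package: a minimal type with the Cryptor method set, built on standard-library AES-256-GCM as the README describes. The names gcmCryptor and newGCMCryptor and the nonce-prefixed ciphertext layout are assumptions; the package's own AESGCM implementation may differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmCryptor is a hypothetical type (not this package's) with the Cryptor methods.
type gcmCryptor struct{ aead cipher.AEAD }

// newGCMCryptor takes a 256-bit key, the shape NewEncryptionKey returns.
func newGCMCryptor(key *[32]byte) (*gcmCryptor, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &gcmCryptor{aead: aead}, nil
}

// Encrypt returns nonce || ciphertext || tag, with a fresh random nonce per message.
func (c *gcmCryptor) Encrypt(plainText []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plainText, nil), nil
}

// Decrypt splits off the nonce and returns an error if the tag does not verify.
func (c *gcmCryptor) Decrypt(cipherText []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(cipherText) < n+c.aead.Overhead() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return c.aead.Open(nil, cipherText[:n], cipherText[n:], nil)
}

func main() {
	c, _ := newGCMCryptor(&[32]byte{1}) // constructed sample key; use crypto/rand in practice
	ct, _ := c.Encrypt([]byte("constructed sample message"))
	ct[len(ct)-1] ^= 1 // flip one bit of the authentication tag
	_, err := c.Decrypt(ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Because the nonce is random, one key should only protect a bounded number of messages; rotate keys well before nonce collisions become plausible.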

Directories

Path Synopsis
Package AESGCM implements AES encryption with GCM authentication according to the paper at ref: https://eprint.iacr.org/2015/102.pdf
Package ascon wraps the Ascon encryption algorithm.
Package cloudKMS makes it easy to interact with GCP's CloudKMS service.
