Documentation
¶
Overview ¶
Package gcpkms provides integration with the GCP Cloud KMS. Tink APIs work with GCP and AWS KMS.
Example ¶
package main
import (
"context"
"log"
"github.com/tink-crypto/tink-go-gcpkms/v2/integration/gcpkms"
"github.com/tink-crypto/tink-go/v2/aead"
"google.golang.org/api/option"
)
func main() {
const keyURI = "gcp-kms://......"
ctx := context.Background()
gcpclient, err := gcpkms.NewClientWithOptions(ctx, keyURI, option.WithCredentialsFile("/mysecurestorage/credentials.json"))
if err != nil {
log.Fatal(err)
}
kekAEAD, err := gcpclient.GetAEAD(keyURI)
if err != nil {
log.Fatal(err)
}
// Get the KMS envelope AEAD primitive.
dekTemplate := aead.AES128CTRHMACSHA256KeyTemplate()
primitive := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD)
if err != nil {
log.Fatal(err)
}
// Use the primitive.
plaintext := []byte("message")
associatedData := []byte("example KMS envelope AEAD encryption")
ciphertext, err := primitive.Encrypt(plaintext, associatedData)
if err != nil {
log.Fatal(err)
}
_, err = primitive.Decrypt(ciphertext, associatedData)
if err != nil {
log.Fatal(err)
}
}
Output:
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewClientWithOptions ¶
func NewClientWithOptions(ctx context.Context, uriPrefix string, opts ...option.ClientOption) (registry.KMSClient, error)
NewClientWithOptions returns a new GCP KMS client with provided Google API options to handle keys with uriPrefix prefix. uriPrefix must have the following format: 'gcp-kms://[:path]'.
Types ¶
This section is empty.
Source Files
Click to show internal directories.
Click to hide internal directories.