encryption


Constants

This section is empty.

Variables

This section is empty.

Functions

func DecryptMek

func DecryptMek(mek *Mek, password string, encryptor Encryptor) ([]byte, error)

DecryptMek decrypts the Master Encryption Key (MEK) using a password. It derives a key from the password and the MEK's salt, then decrypts the encrypted MEK value.

func IsMekAlreadyExistsError

func IsMekAlreadyExistsError(err error) bool

func IsMekNotFoundError

func IsMekNotFoundError(err error) bool

Helper functions for error handling.

func NewMekAlreadyExistsError

func NewMekAlreadyExistsError(id string) error

func NewMekNotFoundError

func NewMekNotFoundError() error

Factory functions for MEK-related errors.

func NewMekProvider

func NewMekProvider(encryptor Encryptor, repo MekRepository) mekProvider

func NewMekService

func NewMekService(logger logging.Logger, repo MekRepository, encryptor Encryptor) *mekService

Types

type AESEncryptor

// AESEncryptor is the package's Encryptor implementation. Per its method
// docs it uses AES-GCM for Encrypt/Decrypt, PBKDF2 for DeriveKeyFromSecret
// and salted SHA-256 for Hash. The struct carries no state, so a single
// value can be shared; construct it with NewAESEncryptor.
type AESEncryptor struct{}

AESEncryptor implements the Encryptor interface using AES-GCM

func NewAESEncryptor

func NewAESEncryptor() *AESEncryptor

NewAESEncryptor creates a new AESEncryptor instance

func (*AESEncryptor) CompareHash

func (e *AESEncryptor) CompareHash(hashedValue, plainValue, salt []byte) bool

CompareHash compares a hashed value with a plain value using the provided salt

func (*AESEncryptor) Decrypt

func (e *AESEncryptor) Decrypt(data []byte, key []byte) ([]byte, error)

Decrypt decrypts data using AES-GCM with the provided key

func (*AESEncryptor) DeriveKeyFromSecret

func (e *AESEncryptor) DeriveKeyFromSecret(secret []byte, salt []byte) ([]byte, error)

DeriveKeyFromSecret derives an encryption key from a secret and salt using PBKDF2

func (*AESEncryptor) Encrypt

func (e *AESEncryptor) Encrypt(data []byte, key []byte) ([]byte, error)

Encrypt encrypts data using AES-GCM with the provided key

func (*AESEncryptor) GenerateKey

func (e *AESEncryptor) GenerateKey() ([]byte, error)

GenerateKey generates a new random encryption key

func (*AESEncryptor) GenerateSalt

func (e *AESEncryptor) GenerateSalt() ([]byte, error)

GenerateSalt generates a new random salt

func (*AESEncryptor) Hash

func (e *AESEncryptor) Hash(data []byte) (hashedData, salt []byte, err error)

Hash hashes the given data using SHA-256 with a random salt

type Encryptor

// Encryptor bundles the cryptographic primitives the MEK code relies on:
// symmetric encryption, key and salt generation, secret-based key derivation
// and salted hashing. DecryptMek and NewMekService take an Encryptor;
// AESEncryptor is the implementation shipped in this package.
type Encryptor interface {
	// Encrypt encrypts the given data using the provided key.
	// The ciphertext layout (e.g. where the nonce is placed) is
	// implementation-defined; callers should treat the result as opaque
	// and only hand it back to Decrypt.
	Encrypt(data []byte, key []byte) ([]byte, error)
	// Decrypt decrypts the given data using the provided key.
	// With an AEAD such as the AES-GCM used by AESEncryptor, a wrong key or a
	// tampered ciphertext is expected to surface as an error, not as garbage
	// plaintext — callers must check the error before using the output.
	Decrypt(data []byte, key []byte) ([]byte, error)
	// GenerateKey generates a new encryption key.
	GenerateKey() ([]byte, error)
	// GenerateSalt generates a new salt for key derivation.
	GenerateSalt() ([]byte, error)
	// DeriveKeyFromSecret derives an encryption key from a secret and salt.
	// This is the intended path for password-derived keys (AESEncryptor uses
	// PBKDF2); for the MEK the salt is the one persisted in
	// Mek.EncryptionKeySalt (see DecryptMek).
	DeriveKeyFromSecret(secret []byte, salt []byte) ([]byte, error)
	// Hash hashes the given data using a secure hash function.
	// NOTE(review): AESEncryptor documents this as SHA-256 with a random salt.
	// A single salted SHA-256 is not a password-hashing function; confirm that
	// Hash/CompareHash are not used to verify passwords and prefer
	// DeriveKeyFromSecret for anything password-derived.
	Hash(data []byte) (hashedData, salt []byte, err error)
	// CompareHash compares a hashed value with a plain value using the
	// provided salt. NOTE(review): verify the implementation compares in
	// constant time.
	CompareHash(hashedValue, plainValue, salt []byte) bool
}

type Mek

// Mek is the persisted form of the Master Encryption Key. The record holds
// only the MEK's ciphertext (wrapped under a key derived from a password) and
// the salt used for that derivation — never the plaintext key and never the
// password. DecryptMek recovers the key from this record plus the password.
type Mek struct {
	ID                     string    // Unique identifier for the MEK
	EncryptedEncryptionKey string    // MEK encrypted with key derived from a password (base 64 encoded)
	EncryptionKeySalt      string    // Salt used for deriving the encryption key (base 64 encoded)
	CreatedAt              time.Time // Timestamp when the MEK was created
	UpdatedAt              time.Time // Timestamp when the MEK was last updated
}

type MekAlreadyExistsError

// MekAlreadyExistsError indicates that a MEK already exists; there is only
// ever one MEK, so creating a second one is rejected. Construct it with
// NewMekAlreadyExistsError and test for it with IsMekAlreadyExistsError.
type MekAlreadyExistsError struct {
	ID string // Identifier of the MEK that already exists
}

MekAlreadyExistsError is an error type indicating that a MEK already exists.

func (*MekAlreadyExistsError) Error

func (e *MekAlreadyExistsError) Error() string

type MekNotFoundError

// MekNotFoundError indicates that no MEK exists. Construct it with
// NewMekNotFoundError and test for it with IsMekNotFoundError.
type MekNotFoundError struct {
}

MekNotFoundError is an error type indicating that no MEK exists.

func (*MekNotFoundError) Error

func (e *MekNotFoundError) Error() string

type MekProvider

// MekProvider hands out the plaintext MEK to callers that can supply the
// password; NewMekProvider builds one from an Encryptor and a MekRepository.
type MekProvider interface {
	// UncoverMek decrypts the MEK using the provided password.
	// The returned bytes are raw key material: keep them in memory only as
	// long as needed and do not log or persist them.
	UncoverMek(password string) ([]byte, error)
}

type MekRepository

// MekRepository is the persistence boundary for the single Mek record.
// SQLiteMekRepository is the implementation in this package; its documented
// behaviour is noted per method below and other implementations may differ.
type MekRepository interface {
	// Create persists a new MEK. The SQLite implementation fails when a MEK
	// already exists (there is only ever one); presumably this is reported
	// as a MekAlreadyExistsError — confirm against the implementation.
	Create(mek *Mek) error
	// Get returns the stored MEK. The SQLite implementation returns a nil
	// *Mek with a nil error when none exists, so callers must nil-check the
	// result rather than rely on an error.
	Get() (*Mek, error)
	// Update overwrites the existing MEK, e.g. after a password change.
	Update(mek *Mek) error
	// Delete removes the MEK. Data encrypted under it is presumably
	// unrecoverable afterwards, so callers should gate this carefully.
	Delete() error
}

type MekService

// MekService is the application-level API for the Master Encryption Key.
// NewMekService builds it from a logger, a MekRepository and an Encryptor.
type MekService interface {
	// CreateMek creates a new MEK and persists it. The password is only used
	// to derive the wrapping key; the stored Mek record holds the wrapped key
	// and the salt, not the password.
	CreateMek(password string) (*Mek, error)
	// GetMek retrieves the MEK from the repository (the wrapped record, not
	// the plaintext key; use MekProvider.UncoverMek for that).
	GetMek() (*Mek, error)
	// ChangeMekPassword updates the existing MEK with a new password
	// (requires the old password to decrypt it first).
	ChangeMekPassword(oldPassword, newPassword string) (*Mek, error)
	// DeleteMek deletes the MEK from the database. Anything encrypted under
	// the MEK is presumably unrecoverable once it is gone.
	DeleteMek() error
}

type MekStore

// MekStore provides access to MEKs for authenticated admin users. The
// implementation assumes the user has already been authenticated and
// retrieves the MEK from secure storage (e.g., session, cookie).
//
// NOTE(review): the []byte handled here is presumably the decrypted MEK. If
// the backing store is client-side (a cookie), it must be confined to a
// Secure, HttpOnly cookie and should be protected (encrypted/authenticated)
// or replaced by an opaque server-side session reference — confirm the
// implementation.
type MekStore interface {
	// GetMek retrieves the MEK for the authenticated admin user.
	GetMek() ([]byte, error)
	// SetMek sets the MEK for the authenticated admin user.
	SetMek(mek []byte) error
	// ClearMek removes the MEK for the authenticated admin user, e.g. on
	// logout.
	ClearMek() error
}

MekStore provides access to MEKs for authenticated admin users. The implementation assumes the user has already been authenticated and retrieves the MEK from secure storage (e.g., session, cookie).

type SQLiteMekRepository

// SQLiteMekRepository implements MekRepository on top of a SQLite database;
// construct it with NewSQLiteMekRepository, which takes the *sql.DB.
type SQLiteMekRepository struct {
	// contains filtered or unexported fields
}

SQLiteMekRepository implements MekRepository using SQLite

func NewSQLiteMekRepository

func NewSQLiteMekRepository(db *sql.DB) (*SQLiteMekRepository, error)

NewSQLiteMekRepository creates a new SQLite-based MekRepository

func (*SQLiteMekRepository) Create

func (r *SQLiteMekRepository) Create(mek *Mek) error

Create adds a new MEK to the repository. Since there can only be one MEK, this will fail if one already exists.

func (*SQLiteMekRepository) Delete

func (r *SQLiteMekRepository) Delete() error

Delete removes the MEK from the repository

func (*SQLiteMekRepository) Get

func (r *SQLiteMekRepository) Get() (*Mek, error)

Get retrieves the single MEK from the repository. Returns nil if no MEK exists (this is not an error).

func (*SQLiteMekRepository) Update

func (r *SQLiteMekRepository) Update(mek *Mek) error

Update modifies the existing MEK in the repository
