• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

entropy/H14-Feb-2020-

internal/xor/H16-Sep-2020-

structwrapping/H16-Sep-2020-

wrappers/H16-Sep-2020-

.gitignoreH A D16-Sep-202014

LICENSEH A D16-Sep-202015.5 KiB

MakefileH A D16-Sep-2020339

README.mdH A D16-Sep-20204.8 KiB

envelope.goH A D16-Sep-20201.6 KiB

envelope_test.goH A D16-Sep-2020896

github.com.hashicorp.go.kms.wrapping.types.pb.goH A D16-Sep-202018.9 KiB

github.com.hashicorp.go.kms.wrapping.types.protoH A D16-Sep-20202.4 KiB

go.modH A D16-Sep-20201.4 KiB

go.sumH A D16-Sep-202067.4 KiB

wrapper.goH A D16-Sep-20202 KiB

wrapper_testing.goH A D16-Sep-20203.3 KiB

README.md

1# Go-KMS-Wrapping - Go library for encrypting values through various KMS providers
2
3[![Godoc](https://godoc.org/github.com/hashicorp/go-kms-wrapping?status.svg)](https://godoc.org/github.com/hashicorp/go-kms-wrapping)
4
5*NOTE*: Currently no compatibility guarantees are provided for this library; we
6expect tags to remain in the `0.x.y` range. Function signatures, interfaces,
7etc. may change at any time.
8
9Go-KMS-Wrapping is a library that can be used to encrypt things through various
10KMS providers -- public clouds, Vault's Transit plugin, etc. It is similar in
11concept to various other cryptosystems (like NaCl) but focuses on using third
12party KMSes. This library is the underpinning of Vault's auto-unseal
13functionality, and should be ready to use for many other applications.
14
15For KMS providers that do not support encrypting arbitrarily large values, the
16library will generate an envelope data encryption key (DEK), encrypt the value
17with it using an authenticated cipher, and use the KMS to encrypt the DEK.
18
19The key being used by a given implementation can change; the library stores
20information about which key was actually used to encrypt a given value as part
21of the returned data, and this key will be used for decryption. By extension,
22this means that users should be careful not to delete keys in KMS systems
23simply because they're not configured to be used by this library _currently_,
24as they may have been used for past encryption operations.
25
26<!-- START doctoc generated TOC please keep comment here to allow auto update -->
27<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
28
29
30- [Features](#features)
31- [Installation](#installation)
32- [Overview](#overview)
33- [Usage](#usage)
34
35<!-- END doctoc generated TOC please keep comment here to allow auto update -->
36
37## Features
38
39  * Supports many KMSes:
40  * * AEAD using AES-GCM and a provided key
41  * * Alibaba Cloud KMS (uses envelopes)
42  * * AWS KMS (uses envelopes)
43  * * Azure KeyVault (uses envelopes)
44  * * GCP CKMS (uses envelopes)
45  * * Huawei Cloud KMS (uses envelopes)
46  * * OCI KMS (uses envelopes)
47  * * Tencent Cloud KMS (uses envelopes)
48  * * Vault Transit mount
49  * * Yandex.Cloud KMS (uses envelopes)
50  * Transparently supports multiple decryption targets, allowing for key rotation
51  * Supports Additional Authenticated Data (AAD) for all KMSes except Vault Transit.
52
53A
54[`multiwrapper`](https://github.com/hashicorp/go-kms-wrapping/tree/master/wrappers/multiwrapper)
55KMS is also included, capable of encrypting to a specified wrapper and
56decrypting using one of several wrappers switched on key ID. This can allow
57easy key rotation for KMSes that do not natively support it.
58
59The
60[`structwrapping`](https://github.com/hashicorp/go-kms-wrapping/tree/master/structwrapping)
61package allows for structs to have members encrypted and decrypted in a single
62pass via a single wrapper. This can be used for workflows such as database
63library callback functions to easily encrypt/decrypt data as it goes to/from
64storage.
65
66## Installation
67
68Import like any other library; supports go modules. It has not been tested with
69non-`go mod` vendoring tools.
70
71## Overview
72
73The library exports a `Wrapper` interface that is implemented by multiple
74providers. Each of these providers may have some functions specific to them,
75usually to pass configuration information. A normal workflow is to create the
76provider directly, pass it any needed configuration via the provider-specific
77methods, and then have the rest of your code use the `Wrapper` interface.
78
79Some of the functions make use of option structs that are currently empty. This
80is to allow options to be added later without breaking backwards compatibility.
81
82The best place to find the currently available set of configuration options
83supported by each provider is its code, but it can also be found in [Vault's
84seal configuration
85documentation](https://www.vaultproject.io/docs/configuration/seal/index.html).
86All environment variables noted there also work in this library, however,
87non-Vault-specific variants of the environment variables are also available for
88each provider. See the code/comments in each given provider for the currently
89allowed env vars.
90
91## Usage
92
93Following is an example usage of the AWS KMS provider.
94
95```go
96// Context used in this library is passed to various underlying provider
97// libraries; how it's used is dependent on the provider libraries
98ctx := context.Background()
99
100wrapper := awskms.NewWrapper(nil)
101_, err := wrapper.SetConfig(&map[string]string{
102    "kms_key_id": "1234abcd-12ab-34cd-56ef-1234567890ab"
103})
104if err != nil {
105    return err
106}
107blobInfo, err := wrapper.Encrypt(ctx, []byte{"foo"}, nil)
108if err != nil {
109    return err
110}
111
112//
113// Do some things...
114//
115
116plaintext, err := wrapper.Decrypt(ctx, blobInfo)
117if err != nil {
118    return err
119}
120if string(plaintext) != "foo" {
121    return errors.New("mismatch between input and output")
122}
123```
124