• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

entropy/H14-Feb-2020-140108

internal/xor/H14-Feb-2020-7051

wrappers/H14-Feb-2020-2,7142,025

.gitignoreH A D14-Feb-202014 32

LICENSEH A D14-Feb-202015.5 KiB364265

MakefileH A D14-Feb-2020265 105

README.mdH A D14-Feb-20204 KiB10884

envelope.goH A D14-Feb-20202.2 KiB7755

envelope_test.goH A D14-Feb-2020896 4637

go.modH A D14-Feb-2020934 2421

go.sumH A D14-Feb-202028 KiB290289

types.pb.goH A D14-Feb-20208.3 KiB232175

types.protoH A D14-Feb-20201.6 KiB5340

wrapper.goH A D14-Feb-20201.8 KiB5229

wrapper_testing.goH A D14-Feb-20202.2 KiB10368

README.md

1# Go-KMS-Wrapping - Go library for encrypting values through various KMS providers
2
3[![Godoc](https://godoc.org/github.com/hashicorp/go-kms-wrapping?status.svg)](https://godoc.org/github.com/hashicorp/go-kms-wrapping)
4
5*NOTE*: Currently no compatibility guarantees are provided for this library; we
6expect tags to remain in the `0.x.y` range. Function signatures, interfaces,
7etc. may change at any time.
8
9Go-KMS-Wrapping is a library that can be used to encrypt things through various
10KMS providers -- public clouds, Vault's Transit plugin, etc. It is similar in
11concept to various other cryptosystems (like NaCl) but focuses on using third
12party KMSes. This library is the underpinning of Vault's auto-unseal
13functionality, and should be ready to use for many other applications.
14
15For KMS providers that do not support encrypting arbitrarily large values, the
16library will generate an envelope data encryption key (DEK), encrypt the value
17with it using an authenticated cipher, and use the KMS to encrypt the DEK.
18
19The key being used by a given implementation can change; the library stores
20information about which key was actually used to encrypt a given value as part
21of the returned data, and this key will be used for decryption. By extension,
22this means that users should be careful not to delete keys in KMS systems
23simply because they're not configured to be used by this library _currently_,
24as they may have been used for past encryption operations.
25
26<!-- START doctoc generated TOC please keep comment here to allow auto update -->
27<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
28
29
30- [Features](#features)
31- [Installation](#installation)
32- [Overview](#overview)
33- [Usage](#usage)
34
35<!-- END doctoc generated TOC please keep comment here to allow auto update -->
36
37## Features
38
39  * Supports many KMSes:
40  * * AEAD using AES-GCM and a provided key
41  * * Alibaba Cloud KMS (uses envelopes)
42  * * AWS KMS (uses envelopes)
43  * * GCP CKMS (uses envelopes)
44  * * Azure KeyVault (uses envelopes)
45  * * OCI KMS (uses envelopes)
46  * * Vault Transit mount
47  * Transparently supports multiple decryption targets, allowing for key rotation
48  * Supports Additional Authenticated Data (AAD) for all KMSes except Vault Transit.
49
50## Installation
51
52Import like any other library; supports go modules. It has not been tested with
53non-`go mod` vendoring tools.
54
55## Overview
56
57The library exports a `Wrapper` interface that is implemented by multiple
58providers. Each of these providers may have some functions specific to them,
59usually to pass configuration information. A normal workflow is to create the
60provider directly, pass it any needed configuration via the provider-specific
61methods, and then have the rest of your code use the `Wrapper` interface.
62
63Some of the functions make use of option structs that are currently empty. This
64is to allow options to be added later without breaking backwards compatibility.
65
66The best place to find the currently available set of configuration options
67supported by each provider is its code, but it can also be found in [Vault's
68seal configuration
69documentation](https://www.vaultproject.io/docs/configuration/seal/index.html).
70All environment variables noted there also work in this library, however,
71non-Vault-specific variants of the environment variables are also available for
72each provider. See the code/comments in each given provider for the currently
73allowed env vars.
74
75## Usage
76
77Following is an example usage of the AWS KMS provider.
78
79```go
80// Context used in this library is passed to various underlying provider
81// libraries; how it's used is dependent on the provider libraries
82ctx := context.Background()
83
84wrapper := awskms.NewWrapper(nil)
85_, err := kms.SetConfig(&map[string]string{
86    "kms_key_id": "1234abcd-12ab-34cd-56ef-1234567890ab"
87})
88if err != nil {
89    return err
90}
91blobInfo, err := wrapper.Encrypt(ctx, []byte{"foo"}, nil)
92if err != nil {
93    return err
94}
95
96//
97// Do some things...
98//
99
100plaintext, err := wrapper.Decrypt(ctx, blobInfo)
101if err != nil {
102    return err
103}
104if string(plaintext) != "foo" {
105    return errors.New("mismatch between input and output")
106}
107```
108