package aead

import "github.com/google/tink/go/aead"

Package aead provides implementations of the AEAD primitive.

AEAD encryption assures the confidentiality and authenticity of the data. This primitive is CPA secure.

package main

import (
	"encoding/base64"
	"fmt"
	"log"

	"github.com/google/tink/go/aead"
	"github.com/google/tink/go/keyset"
)

func main() {
	kh, err := keyset.NewHandle(aead.AES256GCMKeyTemplate())
	if err != nil {
		log.Fatal(err)
	}

	// TODO: save the keyset to a safe location. DO NOT hardcode it in source code.
	// Consider encrypting it with a remote key in Cloud KMS, AWS KMS or HashiCorp Vault.
	// See https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets.

	a, err := aead.New(kh)
	if err != nil {
		log.Fatal(err)
	}

	msg := []byte("this message needs to be encrypted")
	aad := []byte("this data needs to be authenticated, but not encrypted")
	ct, err := a.Encrypt(msg, aad)
	if err != nil {
		log.Fatal(err)
	}

	pt, err := a.Decrypt(ct, aad)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Printf("Ciphertext: %s\n", base64.StdEncoding.EncodeToString(ct))
	fmt.Printf("Original  plaintext: %s\n", msg)
	fmt.Printf("Decrypted Plaintext: %s\n", pt)
}

Index ¶

• func AES128CTRHMACSHA256KeyTemplate() *tinkpb.KeyTemplate
• func AES128GCMKeyTemplate() *tinkpb.KeyTemplate
• func AES256CTRHMACSHA256KeyTemplate() *tinkpb.KeyTemplate
• func AES256GCMKeyTemplate() *tinkpb.KeyTemplate
• func AES256GCMNoPrefixKeyTemplate() *tinkpb.KeyTemplate
• func ChaCha20Poly1305KeyTemplate() *tinkpb.KeyTemplate
• func KMSEnvelopeAEADKeyTemplate(uri string, dekT *tinkpb.KeyTemplate) *tinkpb.KeyTemplate
• func New(h *keyset.Handle) (tink.AEAD, error)
• func NewWithKeyManager(h *keyset.Handle, km registry.KeyManager) (tink.AEAD, error)
• func XChaCha20Poly1305KeyTemplate() *tinkpb.KeyTemplate
• type KMSEnvelopeAEAD
• func NewKMSEnvelopeAEAD(kt tinkpb.KeyTemplate, remote tink.AEAD) *KMSEnvelopeAEAD
• func NewKMSEnvelopeAEAD2(kt *tinkpb.KeyTemplate, remote tink.AEAD) *KMSEnvelopeAEAD
• func (a *KMSEnvelopeAEAD) Decrypt(ct, aad []byte) ([]byte, error)
• func (a *KMSEnvelopeAEAD) Encrypt(pt, aad []byte) ([]byte, error)

Examples ¶

• package

Functions ¶

func AES128CTRHMACSHA256KeyTemplate ¶

func AES128CTRHMACSHA256KeyTemplate() *tinkpb.KeyTemplate

AES128CTRHMACSHA256KeyTemplate is a KeyTemplate that generates an AES-CTR-HMAC-AEAD key with the following parameters:

• AES key size: 16 bytes
• AES CTR IV size: 16 bytes
• HMAC key size: 32 bytes
• HMAC tag size: 16 bytes
• HMAC hash function: SHA256

func AES128GCMKeyTemplate ¶

func AES128GCMKeyTemplate() *tinkpb.KeyTemplate

AES128GCMKeyTemplate is a KeyTemplate that generates an AES-GCM key with the following parameters:

• Key size: 16 bytes
• Output prefix type: TINK

func AES256CTRHMACSHA256KeyTemplate ¶

func AES256CTRHMACSHA256KeyTemplate() *tinkpb.KeyTemplate

AES256CTRHMACSHA256KeyTemplate is a KeyTemplate that generates an AES-CTR-HMAC-AEAD key with the following parameters:

• AES key size: 32 bytes
• AES CTR IV size: 16 bytes
• HMAC key size: 32 bytes
• HMAC tag size: 32 bytes
• HMAC hash function: SHA256

func AES256GCMKeyTemplate ¶

func AES256GCMKeyTemplate() *tinkpb.KeyTemplate

AES256GCMKeyTemplate is a KeyTemplate that generates an AES-GCM key with the following parameters:

• Key size: 32 bytes
• Output prefix type: TINK

func AES256GCMNoPrefixKeyTemplate ¶

func AES256GCMNoPrefixKeyTemplate() *tinkpb.KeyTemplate

AES256GCMNoPrefixKeyTemplate is a KeyTemplate that generates an AES-GCM key with the following parameters:

• Key size: 32 bytes
• Output prefix type: RAW

func ChaCha20Poly1305KeyTemplate ¶

func ChaCha20Poly1305KeyTemplate() *tinkpb.KeyTemplate

ChaCha20Poly1305KeyTemplate is a KeyTemplate that generates a CHACHA20_POLY1305 key.

func KMSEnvelopeAEADKeyTemplate ¶

func KMSEnvelopeAEADKeyTemplate(uri string, dekT *tinkpb.KeyTemplate) *tinkpb.KeyTemplate

KMSEnvelopeAEADKeyTemplate is a KeyTemplate that generates a KMSEnvelopeAEAD key for a given KEK in remote KMS. Keys generated by this key template uses RAW output prefix to make them compatible with the remote KMS' encrypt/decrypt operations. Unlike other templates, when you generate new keys with this template, Tink does not generate new key material, but only creates a reference to the remote KEK.

func New ¶

func New(h *keyset.Handle) (tink.AEAD, error)

New returns an AEAD primitive from the given keyset handle.

func NewWithKeyManager ¶

func NewWithKeyManager(h *keyset.Handle, km registry.KeyManager) (tink.AEAD, error)

NewWithKeyManager returns an AEAD primitive from the given keyset handle and custom key manager.

Deprecated: Use New.

func XChaCha20Poly1305KeyTemplate ¶

func XChaCha20Poly1305KeyTemplate() *tinkpb.KeyTemplate

XChaCha20Poly1305KeyTemplate is a KeyTemplate that generates a XCHACHA20_POLY1305 key.

Types ¶

type KMSEnvelopeAEAD ¶

type KMSEnvelopeAEAD struct {
	// contains filtered or unexported fields
}

KMSEnvelopeAEAD represents an instance of Envelope AEAD.

func NewKMSEnvelopeAEAD ¶

func NewKMSEnvelopeAEAD(kt tinkpb.KeyTemplate, remote tink.AEAD) *KMSEnvelopeAEAD

NewKMSEnvelopeAEAD creates an new instance of KMSEnvelopeAEAD.

Deprecated: Use NewKMSEnvelopeAEAD2 which takes a pointer to a KeyTemplate proto rather than a value.

func NewKMSEnvelopeAEAD2 ¶

func NewKMSEnvelopeAEAD2(kt *tinkpb.KeyTemplate, remote tink.AEAD) *KMSEnvelopeAEAD

NewKMSEnvelopeAEAD2 creates an new instance of KMSEnvelopeAEAD.

func (*KMSEnvelopeAEAD) Decrypt ¶

func (a *KMSEnvelopeAEAD) Decrypt(ct, aad []byte) ([]byte, error)

Decrypt implements the tink.AEAD interface for decryption.

func (*KMSEnvelopeAEAD) Encrypt ¶

func (a *KMSEnvelopeAEAD) Encrypt(pt, aad []byte) ([]byte, error)

Encrypt implements the tink.AEAD interface for encryption.

Source Files ¶

aead.go aead_factory.go aead_key_templates.go aes_ctr_hmac_aead_key_manager.go aes_gcm_key_manager.go aes_gcm_siv_key_manager.go chacha20poly1305_key_manager.go kms_envelope_aead.go kms_envelope_aead_key_manager.go xchacha20poly1305_key_manager.go

Directories ¶