package envelope

import "k8s.io/apiserver/pkg/storage/value/encrypt/envelope"

Package envelope transforms values for storage at rest using an Envelope provider


Index

Functions

func NewEnvelopeTransformer

func NewEnvelopeTransformer(envelopeService Service, cacheSize int, baseTransformerFunc func(cipher.Block) (value.Transformer, error)) value.Transformer

NewEnvelopeTransformer returns a transformer which implements a KEK-DEK based envelope encryption scheme. It uses envelopeService to encrypt and decrypt DEKs. Respective DEKs (in encrypted form) are prepended to the data items they encrypt. A cache (of size cacheSize) is maintained to store the most recently used decrypted DEKs in memory.
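As an added example (not code from the k8s.io/apiserver package), the KEK-DEK flow and record layout described above, written against the Service interface listed under Types: a fresh 32-byte DEK per value is wrapped by the KMS, a 2-byte length prefix and the wrapped DEK are prepended, and the value itself is sealed with AES-GCM under the DEK. The fakeKMS test double (base64 in place of real key wrapping) and the exact byte layout are assumptions of this example, and the decrypted-DEK cache that the real transformer also keeps is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
)

// Service is the envelope.Service interface from this page: the remote KMS that wraps DEKs.
type Service interface {
	Decrypt(data []byte) ([]byte, error)
	Encrypt(data []byte) ([]byte, error)
}

// fakeKMS is a constructed test double: it only base64-encodes the DEK and counts Decrypt calls.
type fakeKMS struct{ decrypts int }
func (f *fakeKMS) Encrypt(d []byte) ([]byte, error) { return []byte(base64.StdEncoding.EncodeToString(d)), nil }
func (f *fakeKMS) Decrypt(d []byte) ([]byte, error) { f.decrypts++; return base64.StdEncoding.DecodeString(string(d)) }

// Envelope writes each value as [2-byte len][KMS-encrypted DEK][nonce][AES-GCM(DEK, data)];
// the DEK cache that the page's transformer also keeps is left out of this example.
type Envelope struct{ kms Service }
// gcm builds AES-GCM for a DEK; DEKs are always 32 bytes here, so neither call can fail.
func gcm(dek []byte) cipher.AEAD { b, _ := aes.NewCipher(dek); g, _ := cipher.NewGCM(b); return g }

func (e Envelope) Encrypt(data []byte) ([]byte, error) {
	buf := make([]byte, 44) // fresh 32-byte DEK and 12-byte nonce for every stored value
	rand.Read(buf)
	encDEK, err := e.kms.Encrypt(buf[:32]) // only the wrapped DEK ever reaches storage
	if err != nil {
		return nil, err
	}
	rec := append(binary.BigEndian.AppendUint16(nil, uint16(len(encDEK))), encDEK...)
	return gcm(buf[:32]).Seal(append(rec, buf[32:]...), buf[32:], data, nil), nil
}

func (e Envelope) Decrypt(rec []byte) ([]byte, error) {
	if len(rec) < 2 || len(rec) < 2+int(binary.BigEndian.Uint16(rec))+12 {
		return nil, errors.New("record too short")
	}
	n := 2 + int(binary.BigEndian.Uint16(rec))
	dek, err := e.kms.Decrypt(rec[2:n]) // unwrap via the KMS; GCM then authenticates the data
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, rec[n:n+12], rec[n+12:], nil)
}
```

Because every read unwraps through the KMS here, the KMS call count grows with reads; the cache in the real transformer exists precisely to avoid that round trip for recently used DEKs.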

Types

type Service

type Service interface {
	// Decrypt a given bytearray to obtain the original data as bytes.
	Decrypt(data []byte) ([]byte, error)
	// Encrypt bytes to a ciphertext.
	Encrypt(data []byte) ([]byte, error)
}

Service allows encrypting and decrypting data using an external Key Management Service.

func NewGRPCService

func NewGRPCService(ctx context.Context, endpoint string, callTimeout time.Duration) (Service, error)

NewGRPCService returns an envelope.Service which uses gRPC to communicate with the remote KMS provider.

Source Files

envelope.go grpc_service.go

Directories

Path    Synopsis
pkg/storage/value/encrypt/envelope/kmsv2    Package kmsv2 transforms values for storage at rest using an Envelope v2 provider
pkg/storage/value/encrypt/envelope/kmsv2/v2    Package v2 contains the definition of the kms-plugin's serialized types.
pkg/storage/value/encrypt/envelope/metrics
pkg/storage/value/encrypt/envelope/testing
pkg/storage/value/encrypt/envelope/testing/v1beta1
pkg/storage/value/encrypt/envelope/testing/v2
Version: v0.33.1 (latest)
Published: May 15, 2025
Platform: linux/amd64
Imports: 19 packages