package kmsv2

import "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2"

Package kmsv2 transforms values for storage at rest using a Envelope v2 provider

Package kmsv2 transforms values for storage at rest using a Envelope provider

Index ¶

• Constants
• func NewEnvelopeTransformer(envelopeService Service, cacheSize int, baseTransformerFunc func(cipher.Block) value.Transformer) value.Transformer
• type DecryptRequest
• type EncryptResponse
• type Service
• func NewGRPCService(ctx context.Context, endpoint string, callTimeout time.Duration) (Service, error)
• type StatusResponse

Constants ¶

const (
	// KMSAPIVersion is the version of the KMS API.
	KMSAPIVersion = "v2alpha1"
)

Functions ¶

func NewEnvelopeTransformer ¶

func NewEnvelopeTransformer(envelopeService Service, cacheSize int, baseTransformerFunc func(cipher.Block) value.Transformer) value.Transformer

NewEnvelopeTransformer returns a transformer which implements a KEK-DEK based envelope encryption scheme. It uses envelopeService to encrypt and decrypt DEKs. Respective DEKs (in encrypted form) are prepended to the data items they encrypt. A cache (of size cacheSize) is maintained to store the most recently used decrypted DEKs in memory.

Types ¶

type DecryptRequest ¶

type DecryptRequest struct {
	Ciphertext  []byte
	KeyID       string
	Annotations map[string][]byte
}

DecryptRequest is the request to the Envelope service when decrypting data.

type EncryptResponse ¶

type EncryptResponse struct {
	Ciphertext  []byte
	KeyID       string
	Annotations map[string][]byte
}

EncryptResponse is the response from the Envelope service when encrypting data.

type Service ¶

type Service interface {
	// Decrypt a given bytearray to obtain the original data as bytes.
	Decrypt(ctx context.Context, uid string, req *DecryptRequest) ([]byte, error)
	// Encrypt bytes to a ciphertext.
	Encrypt(ctx context.Context, uid string, data []byte) (*EncryptResponse, error)
	// Status returns the status of the KMS.
	Status(ctx context.Context) (*StatusResponse, error)
}

Service allows encrypting and decrypting data using an external Key Management Service.

func NewGRPCService ¶

func NewGRPCService(ctx context.Context, endpoint string, callTimeout time.Duration) (Service, error)

NewGRPCService returns an envelope.Service which use gRPC to communicate the remote KMS provider.

type StatusResponse ¶

type StatusResponse struct {
	Version string
	Healthz string
	KeyID   string
}

StatusResponse is the response from the Envelope service when getting the status of the service.

Source Files ¶

envelope.go grpc_service.go

Directories ¶