Package: s3crypto
Constants

const DefaultInstructionKeySuffix = ".instruction"
DefaultInstructionKeySuffix is appended to the end of the instruction file key when grabbing or saving to S3.

const AESGCMNoPadding = "AES/GCM/NoPadding"
AESGCMNoPadding is the constant value that is used to specify the CEK algorithm consisting of AES GCM with no padding.

const AESCBC = "AES/CBC"
AESCBC is the string constant that signifies the AES CBC algorithm cipher.

const KMSWrap = "kms"
KMSWrap is a constant used during decryption to build a KMS key handler.

const DefaultMinFileSize = 1024 * 512 * 5
DefaultMinFileSize is used to check whether we want to write to a temp file or store the data in memory.

const KMSContextWrap = "kms+context"
KMSContextWrap is a constant used during decryption to build a kms+context key handler.
Variables

var NoPadder = Padder(noPadder{})
NoPadder does not pad anything.

var AESCBCPadder = Padder(aescbcPadding)
AESCBCPadder is used to pad AES encrypted and decrypted data. Although it uses the pkcs5Padder, it does not follow the RFC for PKCS5; it is called pkcs5Padder only because its Name method returns PKCS5Padding.

var _ awsFixture = (*kmsContextKeyHandler)(nil)
Type Summary
type CipherData struct
CipherData is used for content encryption.
type CryptoReadCloser struct
CryptoReadCloser handles closing of the body and allowing reads from the decrypted content.
type CryptoRegistry struct
CryptoRegistry is a collection of registries for configuring a decryption client with different key wrapping algorithms, content encryption algorithms, and padders.
type DecryptionClient struct
DecryptionClient is an S3 crypto client.
type DecryptionClientOptions struct
DecryptionClientOptions holds the configuration options for DecryptionClientV2.
type DecryptionClientV2 struct
DecryptionClientV2 is an S3 crypto client.
type EncryptionClient struct
EncryptionClient is an S3 crypto client.
type EncryptionClientOptions struct
EncryptionClientOptions holds the configuration options for EncryptionClientV2.
type EncryptionClientV2 struct
EncryptionClientV2 is an S3 crypto client.
type Envelope struct
Envelope encryption starts off by generating a random symmetric key using AES GCM.
type HeaderV2LoadStrategy struct
Load from a given object's header.
type HeaderV2SaveStrategy struct
Save will save the envelope to the request's header.
type MaterialDescription struct
Clone returns a copy of the MaterialDescription.
type S3LoadStrategy struct
S3LoadStrategy will load the instruction file from S3.
type S3SaveStrategy struct
S3SaveStrategy will save the metadata to a separate instruction file in S3.
Interface Summary
type Cipher interface
Cipher interface allows for either encryption or decryption of an object.
type CipherDataDecrypter interface
CipherDataDecrypter is a handler to decrypt keys from the envelope.
type CipherDataDecrypterWithContext interface
CipherDataDecrypterWithContext is a handler to decrypt keys from the envelope with request context.
type CipherDataGenerator interface
CipherDataGenerator handles generating a key and IV of the proper size for the content cipher.
type CipherDataGeneratorWithCEKAlg interface
CipherDataGeneratorWithCEKAlg handles generating a key and IV of the proper size for the content cipher.
type CipherDataGeneratorWithContext interface
CipherDataGeneratorWithContext handles generating a key and IV of the proper size for the content cipher.
type ContentCipher interface
ContentCipher deals with encrypting and decrypting content.
type ContentCipherBuilder interface
ContentCipherBuilder is a builder interface that builds ciphers for each request.
type ContentCipherBuilderWithContext interface
ContentCipherBuilderWithContext is a builder interface that builds ciphers for each request.
type Decrypter interface
Decrypter interface with only the decrypt method.
type Encrypter interface
Encrypter interface with only the encrypt method.
type LoadStrategy interface
LoadStrategy …
type Padder interface
Padder handles padding of crypto data.
type SaveStrategy interface
SaveStrategy is how the data's metadata wants to be saved.
Function Summary
func AESCBCContentCipherBuilder(generator CipherDataGenerator, padder Padder) ContentCipherBuilder
AESCBCContentCipherBuilder returns a new encryption only AES/CBC mode structure using the provided padder.
func AESGCMContentCipherBuilder(generator CipherDataGenerator) ContentCipherBuilder
AESGCMContentCipherBuilder returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.
func AESGCMContentCipherBuilderV2(generator CipherDataGeneratorWithCEKAlg) ContentCipherBuilder
AESGCMContentCipherBuilderV2 returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.
func NewDecryptionClient(prov client.ConfigProvider, options ...func(*DecryptionClient)) *DecryptionClient
NewDecryptionClient instantiates a new S3 crypto client.
func NewEncryptionClient(prov client.ConfigProvider, builder ContentCipherBuilder, options ...func(*EncryptionClient)) *EncryptionClient
NewEncryptionClient instantiates a new S3 crypto client.
func NewKMSContextKeyGenerator(client kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGeneratorWithCEKAlg
NewKMSContextKeyGenerator builds a new kms+context key provider using the customer key ID and material description.
func NewKMSKeyGenerator(kmsClient kmsiface.KMSAPI, cmkID string) CipherDataGenerator
NewKMSKeyGenerator builds a new KMS key provider using the customer key ID and material description.
func NewKMSKeyGeneratorWithMatDesc(kmsClient kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGenerator
NewKMSKeyGeneratorWithMatDesc builds a new KMS key provider using the customer key ID and material description.
func NewKMSWrapEntry(kmsClient kmsiface.KMSAPI) WrapEntry
NewKMSWrapEntry builds and returns a new KMS key provider and its decrypt handler.
func NewPKCS7Padder(blockSize int) Padder
NewPKCS7Padder follows RFC 2315 (www.ietf.org/rfc/rfc2315.txt). PKCS7 padding is subject to side-channel attacks and timing attacks.
func RegisterAESCBCContentCipher(registry *CryptoRegistry, padder Padder) error
RegisterAESCBCContentCipher registers the AES/CBC cipher and padder with the provided CryptoRegistry.
func RegisterAESGCMContentCipher(registry *CryptoRegistry) error
RegisterAESGCMContentCipher registers the AES/GCM content cipher algorithm with the provided CryptoRegistry.
func RegisterKMSContextWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error
RegisterKMSContextWrapWithAnyCMK registers the kms+context wrapping algorithm to the given WrapRegistry.
func RegisterKMSContextWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error
RegisterKMSContextWrapWithCMK registers the kms+context wrapping algorithm to the given WrapRegistry.
func RegisterKMSWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error
RegisterKMSWrapWithAnyCMK registers the kms wrapping algorithm to the given WrapRegistry.
func RegisterKMSWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error
RegisterKMSWrapWithCMK registers the kms wrapping algorithm to the given WrapRegistry.
Type Details
DecryptionClientOptions struct
DecryptionClientOptions holds the configuration options for DecryptionClientV2.
EncryptionClientOptions struct
EncryptionClientOptions holds the configuration options for EncryptionClientV2.
Function Details
func AESCBCContentCipherBuilder(generator CipherDataGenerator, padder Padder) ContentCipherBuilder
AESCBCContentCipherBuilder returns a new encryption only AES/CBC mode structure using the provided padder. The provided cipher data generator will be used to provide keys for content encryption.
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/aes_cbc_content_cipher.go', line 20
func AESGCMContentCipherBuilder(generator CipherDataGenerator) ContentCipherBuilder
AESGCMContentCipherBuilder returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.
Note: This uses the Go stdlib AEAD implementation for AES/GCM. Because of this, objects to be encrypted or decrypted are fully loaded into memory before encryption or decryption can occur, so care must be taken to avoid memory allocation failures.
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/aes_gcm_content_cipher.go', line 22
func AESGCMContentCipherBuilderV2(generator CipherDataGeneratorWithCEKAlg) ContentCipherBuilder
AESGCMContentCipherBuilderV2 returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption. This type is compatible with the V2 encryption client.
Note: This uses the Go stdlib AEAD implementation for AES/GCM. Because of this, objects to be encrypted or decrypted are fully loaded into memory before encryption or decryption can occur, so care must be taken to avoid memory allocation failures.
// File 'service/s3/s3crypto/aes_gcm_content_cipher.go', line 32
func NewDecryptionClient(prov client.ConfigProvider, options ...func(*DecryptionClient)) *DecryptionClient
NewDecryptionClient instantiates a new S3 crypto client.
Example:
sess := session.Must(session.NewSession())
svc := s3crypto.NewDecryptionClient(sess, func(svc *s3crypto.DecryptionClient) {
// Custom client options here
})
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/decryption_client.go', line 51
func NewEncryptionClient(prov client.ConfigProvider, builder ContentCipherBuilder, options ...func(*EncryptionClient)) *EncryptionClient
NewEncryptionClient instantiates a new S3 crypto client.
Example:
cmkID := "arn:aws:kms:region:000000000000:key/00000000-0000-0000-0000-000000000000"
sess := session.Must(session.NewSession())
handler := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkID)
svc := s3crypto.NewEncryptionClient(sess, s3crypto.AESGCMContentCipherBuilder(handler))
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/encryption_client.go', line 59
func NewKMSContextKeyGenerator(client kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGeneratorWithCEKAlg
NewKMSContextKeyGenerator builds a new kms+context key provider using the customer key ID and material description.
Example:
sess := session.Must(session.NewSession())
cmkID := "KMS Key ARN"
var matdesc s3crypto.MaterialDescription
handler := s3crypto.NewKMSContextKeyGenerator(kms.New(sess), cmkID, matdesc)
// File 'service/s3/s3crypto/kms_context_key_handler.go', line 28
func NewKMSKeyGenerator(kmsClient kmsiface.KMSAPI, cmkID string) CipherDataGenerator
NewKMSKeyGenerator builds a new KMS key provider using the customer key ID and material description.
Example:
sess := session.Must(session.NewSession())
cmkID := "arn to key"
handler := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkID)
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/kms_key_handler.go', line 36
func NewKMSKeyGeneratorWithMatDesc(kmsClient kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGenerator
NewKMSKeyGeneratorWithMatDesc builds a new KMS key provider using the customer key ID and material description.
Example:
sess := session.Must(session.NewSession())
cmkID := "arn to key"
matdesc := s3crypto.MaterialDescription{}
handler := s3crypto.NewKMSKeyGeneratorWithMatDesc(kms.New(sess), cmkID, matdesc)
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/kms_key_handler.go', line 70
func NewKMSWrapEntry(kmsClient kmsiface.KMSAPI) WrapEntry
NewKMSWrapEntry builds and returns a new KMS key provider and its decrypt handler.
Example:
sess := session.Must(session.NewSession())
customKMSClient := kms.New(sess)
decryptHandler := s3crypto.NewKMSWrapEntry(customKMSClient)
svc := s3crypto.NewDecryptionClient(sess, func(svc *s3crypto.DecryptionClient) {
svc.WrapRegistry[s3crypto.KMSWrap] = decryptHandler
})
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/kms_key_handler.go', line 87
func NewPKCS7Padder(blockSize int) Padder
NewPKCS7Padder follows RFC 2315 (www.ietf.org/rfc/rfc2315.txt). PKCS7 padding is subject to side-channel attacks and timing attacks. For the most secure data, use an authenticated crypto algorithm.
// File 'service/s3/s3crypto/pkcs7_padder.go', line 24
func RegisterAESCBCContentCipher(registry *CryptoRegistry, padder Padder) error
RegisterAESCBCContentCipher registers the AES/CBC cipher and padder with the provided CryptoRegistry.
Example:
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterAESCBCContentCipher(cr, s3crypto.AESCBCPadder); err != nil {
panic(err) // handle error
}
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/aes_cbc_content_cipher.go', line 34
func RegisterAESGCMContentCipher(registry *CryptoRegistry) error
RegisterAESGCMContentCipher registers the AES/GCM content cipher algorithm with the provided CryptoRegistry.
Example:
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterAESGCMContentCipher(cr); err != nil {
panic(err) // handle error
}
// File 'service/s3/s3crypto/aes_gcm_content_cipher.go', line 44
func RegisterKMSContextWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error
RegisterKMSContextWrapWithAnyCMK registers the kms+context wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS decrypt without providing a CMK.
Example:
sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSContextWrapWithAnyCMK(cr, kms.New(sess)); err != nil {
panic(err) // handle error
}
// File 'service/s3/s3crypto/kms_context_key_handler.go', line 58
func RegisterKMSContextWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error
RegisterKMSContextWrapWithCMK registers the kms+context wrapping algorithm to the given WrapRegistry. The wrapper will be configured to only call KMS Decrypt using the provided CMK.
Example:
sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSContextWrapWithCMK(cr, kms.New(sess), "cmkId"); err != nil {
panic(err) // handle error
}
// File 'service/s3/s3crypto/kms_context_key_handler.go', line 41
func RegisterKMSWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error
RegisterKMSWrapWithAnyCMK registers the kms wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS Decrypt without providing a CMK.
Example:
sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSWrapWithAnyCMK(cr, kms.New(sess)); err != nil {
panic(err) // handle error
}
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/kms_key_handler.go', line 123
func RegisterKMSWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error
RegisterKMSWrapWithCMK registers the kms wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS Decrypt with the provided CMK.
Example:
sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSWrapWithCMK(cr, kms.New(sess), "cmkId"); err != nil {
panic(err) // handle error
}
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
// File 'service/s3/s3crypto/kms_key_handler.go', line 104