doc.go
// Package crypto implements cryptography for secrets.
//
// Under the hood, it leverages AWS KMS for master key management and key wrapping,
// and nacl/secretbox for encryption and authentication.
//
// Secret encryption
//
// For each `Encrypt` operation, a new 256-bit data key is requested from KMS,
// which returns the key both in plaintext and in encrypted form.
//
// This key is then fed to nacl/secretbox, along with a 192-bit random nonce
// generated from Go's default CSPRNG (see the crypto/rand package). secretbox
// uses XSalsa20 and Poly1305 to encrypt and authenticate messages.
//
// The secret ciphertext consists of the random nonce and the encrypted secret.
//
// The encrypted data key and the secret ciphertext are then base64-encoded
// and returned as a string, along with a versioning field.
//
// Secret decryption
//
// The encrypted data key and encrypted secret are extracted from the input.
//
// A request is made to AWS KMS to decrypt the data key. AWS returns the data
// key plaintext.
//
// The nonce and encrypted secret are extracted from the secret ciphertext,
// and fed to nacl/secretbox for authentication and decryption.
//
// Encoding format
//
// The encrypted secrets are encoded in the following format:
//
//	"EJK1;abcdef...;foobar..."
//	 ^    ^         ^-- base64-encoded [random nonce, encrypted secret]
//	 |    ^-- base64-encoded encrypted data key
//	 ^-- versioning field allowing algorithm changes in the future
package crypto
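The encrypt and decrypt flows described above, as an added example that is not code from this package: `Seal` takes the plaintext/encrypted data-key pair that KMS GenerateDataKey would return and produces the `EJK1;...;...` string, and `Open` validates the layout and version, unwraps the data key through a caller-supplied KMS Decrypt callback, splits off the nonce and authenticates before returning the secret. Because nacl/secretbox is not in the Go standard library, AES-256-GCM stands in for XSalsa20-Poly1305 here (so the nonce is the AEAD's 12 bytes rather than 24), and the names `Seal`, `Open`, `aead` and the callback signature are assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

const version = "EJK1" // versioning field; bump it when the algorithm changes
func aead(key []byte) (cipher.AEAD, error) { // AES-256-GCM stands in for nacl/secretbox here
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal takes the plaintext/encrypted data key pair that KMS GenerateDataKey returns.
func Seal(dataKey, wrappedKey, secret []byte) (string, error) {
	c, err := aead(dataKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, c.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot return an error as of Go 1.24
	box := c.Seal(nonce, nonce, secret, nil) // nonce is prepended to the encrypted secret
	return strings.Join([]string{version, base64.StdEncoding.EncodeToString(wrappedKey), base64.StdEncoding.EncodeToString(box)}, ";"), nil
}
// Open checks layout and version, unwraps the data key via the KMS Decrypt callback, then authenticates.
func Open(unwrap func([]byte) ([]byte, error), s string) ([]byte, error) {
	parts := strings.Split(s, ";")
	if len(parts) != 3 || parts[0] != version {
		return nil, errors.New("unknown format or version")
	}
	wrappedKey, err := base64.StdEncoding.DecodeString(parts[1])
	box, err2 := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || err2 != nil {
		return nil, errors.New("malformed base64 field")
	}
	dataKey, err := unwrap(wrappedKey)
	if err != nil {
		return nil, err
	}
	c, err := aead(dataKey)
	if err != nil || len(box) < c.NonceSize() {
		return nil, errors.New("bad data key or truncated ciphertext")
	}
	return c.Open(nil, box[:c.NonceSize()], box[c.NonceSize():], nil)
}
```

`Open` fails closed: an unknown version, a malformed field, a data key KMS will not unwrap, or a truncated or modified ciphertext all return an error before any plaintext is produced.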