package yckms
import (
"bufio"
"context"
"io"
"github.com/minio/sio"
"github.com/wal-g/tracelog"
"github.com/wal-g/wal-g/internal/crypto"
"github.com/wal-g/wal-g/internal/ioextensions"
ycsdk "github.com/yandex-cloud/go-sdk"
)
// YcCrypter implements crypto.Crypter on top of a Yandex Cloud KMS key: the
// data encryption key (DEK) lives in symmetricKey, and Encrypt/Decrypt write
// and read its KMS-wrapped form as the archive header.
type YcCrypter struct {
	// symmetricKey holds the DEK and its KMS-wrapped copy. Encrypt creates it
	// lazily when no key is present; Decrypt replaces it with the key read
	// from the archive header.
	symmetricKey YcSymmetricKeyInterface
}
// Encrypt wraps writer in an AES-256-GCM (sio DARE) encrypting stream.
//
// Layout produced on writer: the KMS-wrapped data encryption key (DEK) bytes
// first, in the clear, then the sio stream. The header is written before the
// sio writer is created, so it is not covered by sio's authentication; its
// integrity rests on the KMS unwrap in Decrypt rejecting an altered header.
//
// The DEK is generated only when symmetricKey has none yet, so every stream
// produced by the same YcCrypter afterwards reuses that DEK and header. A
// failure to generate it goes through tracelog's FatalfOnError (fatal for the
// process); header-write and sio setup failures are logged and returned.
//
// The returned WriteCloser also flushes the bufio layer on Close (see
// ioextensions.NewOnCloseFlusher); callers must Close it to finish the stream.
func (crypter *YcCrypter) Encrypt(writer io.Writer) (io.WriteCloser, error) {
	key := crypter.symmetricKey
	if key.GetKey() == nil {
		// Lazy DEK creation; a KMS failure here is treated as fatal.
		tracelog.ErrorLogger.FatalfOnError("Can't generate symmetric key: %v", key.CreateKey())
	}

	buffered := bufio.NewWriter(writer)
	// Wrapped-DEK header goes out ahead of the encrypted payload.
	if _, err := buffered.Write(key.GetEncryptedKey()); err != nil {
		tracelog.ErrorLogger.Printf("Can't write encryption key to buffer: %v", err)
		return nil, err
	}

	cfg := sio.Config{
		Key:          key.GetKey(),
		CipherSuites: []byte{sio.AES_256_GCM},
	}
	encrypting, err := sio.EncryptWriter(buffered, cfg)
	if err != nil {
		tracelog.ErrorLogger.Printf("YC KMS can't create encrypted writer: %v", err)
		return nil, err
	}
	return ioextensions.NewOnCloseFlusher(encrypting, buffered), nil
}
// Decrypt consumes the header written by Encrypt from the head of reader and
// returns a reader yielding the plaintext of the remaining stream.
//
// The KMS-wrapped DEK is read into symmetricKey and unwrapped through KMS
// (symmetricKey.Decrypt); either step failing is fatal for the process via
// tracelog's FatalfOnError. The rest of reader is handed to sio.DecryptReader
// with the unwrapped DEK and the AES-256-GCM suite; an error there is returned.
//
// NOTE(review): this overwrites the DEK held in crypter.symmetricKey, so one
// YcCrypter shared between concurrent Encrypt/Decrypt calls would race on that
// state — confirm callers use one crypter per stream or serialise access.
// NOTE(review): sio.Config leaves MinVersion at its default, which as far as I
// recall also accepts the older DARE 1.0 format; if every archive was written
// by Encrypt above (DARE 2.0 by sio's default MaxVersion), pinning MinVersion
// to sio.Version20 would reject a downgraded header — confirm no legacy
// archives exist before changing it.
func (crypter *YcCrypter) Decrypt(reader io.Reader) (io.Reader, error) {
	key := crypter.symmetricKey
	tracelog.ErrorLogger.FatalfOnError(
		"Can't read encryption key from archive file header: %v", key.ReadEncryptedKey(reader))
	tracelog.ErrorLogger.FatalfOnError(
		"Can't decrypt data encryption key from archive file header: %v", key.Decrypt())

	cfg := sio.Config{
		Key:          key.GetKey(),
		CipherSuites: []byte{sio.AES_256_GCM},
	}
	return sio.DecryptReader(reader, cfg)
}
// YcCrypterFromKeyIDAndCredential builds a Crypter bound to the Yandex Cloud
// KMS key keyID, authenticating with the service-account credentials resolved
// from saFilePath (resolveCredentials is defined elsewhere in this package).
//
// The SDK is initialised with context.Background(); a failure to build it is
// fatal for the process via tracelog's FatalfOnError. The returned value is a
// *YcCrypter whose DEK is created lazily on first Encrypt.
func YcCrypterFromKeyIDAndCredential(keyID string, saFilePath string) crypto.Crypter {
	cfg := ycsdk.Config{Credentials: resolveCredentials(saFilePath)}
	sdk, err := ycsdk.Build(context.Background(), cfg)
	tracelog.ErrorLogger.FatalfOnError("Can't initialize yc sdk: %v", err)

	symmetricKey := YcSymmetricKeyFromKeyIDAndSdk(keyID, sdk)
	return &YcCrypter{symmetricKey: symmetricKey}
}