Overview ¶
Package kmslocal provides local key management for MongoDB CSFLE. The master key must be exactly 96 bytes as required by MongoDB CSFLE.
Example:
    p, err := kmslocal.New(kmslocal.WithMasterKeyFile("/path/to/key"))
    if err != nil {
        log.Fatal(err)
    }
    defer p.Clear()
Index ¶
Constants ¶
const MasterKey = "key"
MasterKey is the credential field name under which the local master key is stored.
const ProviderName = "local"
ProviderName is the identifier of the local KMS provider.
const RequiredMasterKeyLength = 96
RequiredMasterKeyLength is the required length in bytes of a local KMS master key. MongoDB Client-Side Field Level Encryption (CSFLE) requires exactly 96 bytes, which it uses as AES-256 and HMAC-SHA-512 key material when wrapping data encryption keys.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Local ¶
type Local struct {
// contains filtered or unexported fields
}
Local represents a local key management provider configuration. It implements the kms.Provider interface and optionally the kms.TLSConfig interface. Unlike cloud KMS providers, it does not implement kms.MasterKey as the master key is stored locally and used directly for encryption operations. Master key data is stored securely using the credentials package.
func New ¶
New creates a new local key management provider and validates the supplied key.
The local provider requires at least one of the WithMasterKey or WithMasterKeyFile options to set the master key. The master key must be exactly 96 bytes long, as required by MongoDB Client-Side Field Level Encryption (CSFLE). It is the root of trust for every data encryption key the provider wraps, so it should be cryptographically random, stored with restrictive file permissions, and released with Clear when no longer needed.
Parameters:
- opts: Configuration options
Returns:
- *Local: Local KMS provider instance
- error: Non-nil if no master key was provided or its length is not exactly 96 bytes
Example:
    // Using a master key already held in memory. masterKey must contain
    // exactly 96 bytes of random key material (for example, loaded from a
    // secret manager at startup); never embed the key as a literal in source.
    local, err := kmslocal.New(kmslocal.WithMasterKey(masterKey))
    if err != nil {
        log.Fatal(err)
    }
    defer local.Clear()

    // Using a master key read from a file. The file must contain exactly
    // 96 bytes and should be readable only by the service's user.
    local, err = kmslocal.New(kmslocal.WithMasterKeyFile("/path/to/masterkey.bin"))
    if err != nil {
        log.Fatal(err)
    }
    defer local.Clear()
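The examples above assume a 96-byte key already exists on disk or in memory. The following Go program is an added example, not code from the kmslocal package: it shows how to generate such a key file safely, the checks a caller should apply before handing a file to WithMasterKeyFile (regular file, owner-only permissions, exactly 96 bytes), how to zero the key once it is no longer needed, and how the ProviderName and MasterKey constants map onto the kmsProviders document the MongoDB Go driver expects. The constants are re-declared locally so the program runs stand-alone; the GenerateMasterKeyFile, LoadMasterKey, Zero and KMSProviders functions are this example's own, not part of kmslocal.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"log"
	"os"
	"path/filepath"
)

// Constants mirrored from the kmslocal documentation so this example is
// self-contained; the real package exports its own copies.
const (
	ProviderName            = "local"
	MasterKey               = "key"
	RequiredMasterKeyLength = 96
)

// GenerateMasterKeyFile writes a fresh 96-byte random master key to path.
// The file is created exclusively (O_EXCL) so an existing key is never
// silently overwritten, and with mode 0600 so only the owner can read it.
func GenerateMasterKeyFile(path string) error {
	key := make([]byte, RequiredMasterKeyLength)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return fmt.Errorf("generating master key: %w", err)
	}
	defer Zero(key)
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return fmt.Errorf("creating key file: %w", err)
	}
	if _, err := f.Write(key); err != nil {
		f.Close()
		return fmt.Errorf("writing key file: %w", err)
	}
	return f.Close()
}

// LoadMasterKey reads a master key file and applies the checks a local KMS
// provider should perform before accepting it: regular file (symlinks are
// rejected), not readable by group or others, and exactly 96 bytes long.
func LoadMasterKey(path string) ([]byte, error) {
	info, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() {
		return nil, fmt.Errorf("%s: not a regular file", path)
	}
	if info.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("%s: key file mode %04o is readable by group or others; use 0600",
			path, info.Mode().Perm())
	}
	key, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	if len(key) != RequiredMasterKeyLength {
		Zero(key)
		return nil, fmt.Errorf("%s: master key must be exactly %d bytes, got %d",
			path, RequiredMasterKeyLength, len(key))
	}
	return key, nil
}

// Zero overwrites key material in place; call it (or the provider's Clear)
// as soon as the key is no longer needed.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// KMSProviders builds the kmsProviders document the MongoDB Go driver expects
// for the local provider: {"local": {"key": <96 bytes>}}.
func KMSProviders(key []byte) map[string]map[string]interface{} {
	return map[string]map[string]interface{}{
		ProviderName: {MasterKey: key},
	}
}

func main() {
	dir, err := os.MkdirTemp("", "kmslocal-example")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "masterkey.bin")
	if err := GenerateMasterKeyFile(path); err != nil {
		log.Fatal(err)
	}
	key, err := LoadMasterKey(path)
	if err != nil {
		log.Fatal(err)
	}
	defer Zero(key)
	providers := KMSProviders(key)
	fmt.Printf("loaded %d-byte master key; kmsProviders has entry %q\n",
		len(key), ProviderName)
	_ = providers
}
```

The permission check uses POSIX mode bits and so only applies on Unix-like systems; on Windows, rely on the file's ACL instead. A file that is one byte short or world-readable is rejected before any key material is passed on, which is the same failure New reports for an invalid length.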
func (*Local) Clear ¶
func (l *Local) Clear()
Clear securely clears all stored master key data and sensitive information. This method should be called when the Local KMS provider is no longer needed to ensure sensitive key material doesn't remain in memory.
func (*Local) Credentials ¶
func (l *Local) Credentials() kms.Credentials
Credentials returns the local master key as credentials. This implements the kms.Provider interface. For local KMS, the "credentials" contain the actual master key data.
Note: This method exposes sensitive key material - use with caution. The key has been validated during New() for proper length.
func (*Local) MasterKey ¶
MasterKey returns the local master key configuration. This implements the simplified kms.Provider interface.
type LocalCredentials ¶
type LocalCredentials struct {
MasterKey *strings.SecureString
}
LocalCredentials provides secure storage for local KMS credentials.
func NewLocalCredentials ¶
func NewLocalCredentials(masterKey []byte) *LocalCredentials
NewLocalCredentials creates a new LocalCredentials instance with secure storage.
Parameters:
- masterKey: Local master key data (will be stored securely)
Returns:
- *LocalCredentials: New local credentials instance with secure storage
func (*LocalCredentials) Clear ¶
func (c *LocalCredentials) Clear()
Clear clears all stored credentials and zeros sensitive memory.
type Option ¶
type Option func(o *options)
Option is a functional option applied by New to configure the provider.
func WithMasterKey ¶
WithMasterKey supplies the master key material directly; it must be exactly 96 bytes.
func WithMasterKeyFile ¶
WithMasterKeyFile sets the path of a file whose contents are used as the master key; the file must contain exactly 96 bytes and is validated by New.