README
¶
moov-io/cryptfs
Moov's mission is to give developers an easy way to create and integrate bank processing into their own software products. Our open source projects are each focused on solving a single responsibility in financial services and designed around performance, scalability, and ease of use.
cryptfs implements Go's io/fs.FS interface for interacting with the local filesystem to transparently encrypt/decrypt files. This is useful as a library because it offers applications a well tested routine for keeping data protected.
Project Status
cryptfs is included in multiple open-source projects Moov offers and is used in production environments. Please star the project if you are interested in its progress. If you find any bugs or desire additional encryption/encoding algorithms we would appreciate an issue or pull request. Thanks!
Usage
Cryptfs supports AES and GPG for encryption and Base64 (Standard Raw) encoding. Currently cryptfs is usable as a Go library in your applications. This needs to be initialized prior to reading or writing any files.
AES Cryptor
key := []byte("1234567812345678")) // insecure key
fsys, err := cryptfs.FromCryptor(cryptfs.NewAESCryptor(key))
if err != nil {
// do something
}
fsys.SetCoder(cryptfs.Base64()) // optional, default is the raw bytes
GPG Cryptor
fsys, err := cryptfs.FromCryptor(cryptfs.NewGPGCryptorFile(publicKeyPath, privateKeyPath, password))
if err != nil {
// do something
}
fsys.SetCoder(cryptfs.Base64()) // optional, default is the raw bytes
Once initialized you can perform open/read and write operations.
Open
file, err := fsys.Open(path)
if err != nil {
// do something
}
ReadFile
plaintext, err := fsys.ReadFile(path)
if err != nil {
// do something
}
WriteFile
err := fsys.WriteFile(path, data, 0600)
if err != nil {
// do something
}
Command Line
Moov offers a command line tool for using this library as well. It's handy for operational debugging and testing.
Getting help
| channel | info |
|---|---|
| Twitter @moov | You can follow Moov.io's Twitter feed to get updates on our project(s). You can also tweet us questions or just share blogs or stories. |
| GitHub Issue | If you are able to reproduce a problem please open a GitHub Issue under the specific project that caused the error. |
| moov-io slack | Join our slack channel to have an interactive discussion about the development of the project. |
Supported and tested platforms
- 64-bit Linux (Ubuntu, Debian), macOS, and Windows
Contributing
Yes please! Please review our Contributing guide and Code of Conduct to get started! Checkout our issues for first time contributors for something to help out with.
This project uses Go Modules and Go v1.18 or newer. See Golang's install instructions for help setting up Go. You can download the source code and we offer tagged and released versions as well. We highly recommend you use a tagged release for production.
License
Apache License 2.0 - See LICENSE for details.
Documentation
¶
Index ¶
- type AESConfig
- type AESCryptor
- type Coder
- type CompressionConfig
- type Compressor
- type Config
- type Cryptor
- func NewGPGCryptor(publicKey, privateKey io.Reader, password []byte) (Cryptor, error)
- func NewGPGCryptorFile(publicKeyPath, privateKeyPath string, password []byte) (Cryptor, error)
- func NewGPGDecryptor(data io.Reader, password []byte) (Cryptor, error)
- func NewGPGDecryptorFile(path string, password []byte) (Cryptor, error)
- func NewGPGEncryptor(data io.Reader) (Cryptor, error)
- func NewGPGEncryptorFile(path string) (Cryptor, error)
- func NoEncryption() Cryptor
- type EncodingConfig
- type EncryptionConfig
- type FS
- func (fsys *FS) Disfigure(plaintext []byte) ([]byte, error)
- func (fsys *FS) Open(name string) (fs.File, error)
- func (fsys *FS) ReadFile(name string) ([]byte, error)
- func (fsys *FS) Reveal(encodedBytes []byte) ([]byte, error)
- func (fsys *FS) SetCoder(coder Coder)
- func (fsys *FS) SetCompression(compressor Compressor)
- func (fsys *FS) SetHMACKey(key []byte)
- func (fsys *FS) WriteFile(filepath string, plaintext []byte, perm fs.FileMode) error
- type GPGConfig
- type GPGCryptor
- type GzipConfig
- type KubernetesConfig
- type TokenConfig
- type VaultConfig
- type VaultCryptor
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AESCryptor ¶
type AESCryptor struct {
// contains filtered or unexported fields
}
func NewAESCryptor ¶
func NewAESCryptor(key []byte) (*AESCryptor, error)
NewAESCryptor returns an Cryptor which performs AES encryption/decryption.
The key must be 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
type Coder ¶
type Coder interface {
// contains filtered or unexported methods
}
Coder is an interface describing two operations which transform data into another format. This can be done to compress or disfigure bytes.
func Base64 ¶
func Base64() Coder
Base64 is a Coder which transforms data following RFC 4648 section 3.2. There are no padding characters added or accepted by this Coder.
type CompressionConfig ¶
type CompressionConfig struct {
Gzip *GzipConfig `json:"gzip" yaml:"gzip"`
}
type Compressor ¶
type Compressor interface {
// contains filtered or unexported methods
}
func Gzip ¶
func Gzip() Compressor
func GzipLevel ¶
func GzipLevel(level int) Compressor
GzipLevel allows callers to specify the compression level. Refer to compress/gzip.DefaultCompression and other values for more details.
func GzipRequired ¶
func GzipRequired(level int) Compressor
GzipRequired forces the Compressor to only allow gzipped data to be decompressed.
Refer to compress/gzip.DefaultCompression and other values for more details on levels.
func NoCompression ¶
func NoCompression() Compressor
type Config ¶
type Config struct {
Compression CompressionConfig `json:"compression" yaml:"compression"`
Encryption EncryptionConfig `json:"encryption" yaml:"encryption"`
Encoding EncodingConfig `json:"encoding" yaml:"encoding"`
HMACKey string `json:"hmacKey" yaml:"hmacKey"`
}
type Cryptor ¶
type Cryptor interface {
// contains filtered or unexported methods
}
func NewGPGCryptor ¶
func NewGPGCryptorFile ¶
func NewGPGEncryptorFile ¶
func NoEncryption ¶
func NoEncryption() Cryptor
type EncodingConfig ¶
type EncodingConfig struct {
Base64 bool `json:"base64" yaml:"base64"`
}
type EncryptionConfig ¶
type EncryptionConfig struct {
AES *AESConfig `json:"aes" yaml:"aes"`
GPG *GPGConfig `json:"gpg" yaml:"gpg"`
Vault *VaultConfig `json:"vault" yaml:"vault"`
}
type FS ¶
type FS struct {
// contains filtered or unexported fields
}
func FromConfig ¶
FromConfig will create a *FS from the given Config
func FromCryptor ¶
FromCryptor returns an FS instance and allows passing the results of creating a Cryptor directly as the arguments.
func New ¶
New returns a FS instance with the specified Cryptor used for all operations.
Note: The defaults are to use no compression and no encryption.
func (*FS) SetCompression ¶
func (fsys *FS) SetCompression(compressor Compressor)
func (*FS) SetHMACKey ¶
type GPGCryptor ¶
type GPGCryptor struct {
// contains filtered or unexported fields
}
type GzipConfig ¶
type KubernetesConfig ¶
type KubernetesConfig struct {
Path string `json:"path" yaml:"path"`
}
type TokenConfig ¶
type TokenConfig struct {
Token string `json:"token" yaml:"token"`
}
type VaultConfig ¶
type VaultConfig struct {
Address string `json:"address" yaml:"address"`
Token *TokenConfig `json:"token" yaml:"token"`
Kubernetes *KubernetesConfig `json:"kubernetes" yaml:"kubernetes"`
// KeyName is the named transit key to use
KeyName string `json:"keyName" yaml:"keyName"`
}
type VaultCryptor ¶
type VaultCryptor struct {
// contains filtered or unexported fields
}
func NewVaultCryptor ¶
func NewVaultCryptor(conf VaultConfig) (*VaultCryptor, error)
func (*VaultCryptor) Healthy ¶
func (v *VaultCryptor) Healthy() error
Source Files
Directories