# Functions
GenerateKey generates a unique ObjectKey from a 256-bit external key and a source of randomness.
IsETagSealed returns true if the etag seems to be encrypted.
NewVault initializes the HashiCorp Vault KMS by authenticating to Vault with the credentials in KMSConfig, and obtains a client token for future API calls.
NewVaultConfig sets KMSConfig from environment variables and performs validations.
RemoveSensitiveEntries removes confidential encryption information - e.g.
RemoveSensitiveHeaders removes confidential encryption information - e.g.
# Constants
30 days.
SSEAlgorithmAES256 is the only supported value for the SSE-S3 or SSE-C algorithm header.
SSEAlgorithmKMS is the value of 'X-Amz-Server-Side-Encryption' for SSE-KMS.
SSECAlgorithm is the HTTP header key referencing the SSE-C algorithm.
SSECKey is the HTTP header key referencing the SSE-C client-provided key.
SSECKeyMD5 is the HTTP header key referencing the MD5 sum of the client-provided key.
SSECopyAlgorithm is the HTTP header key referencing the SSE-C algorithm for SSE-C copy requests.
SSECopyKey is the HTTP header key referencing the SSE-C client-provided key for SSE-C copy requests.
SSECopyKeyMD5 is the HTTP header key referencing the MD5 sum of the client key for SSE-C copy requests.
SSEHeader is the general AWS SSE HTTP header key.
SSEKmsContext is the HTTP header key referencing the SSE-KMS encryption context.
SSEKmsID is the HTTP header key referencing the SSE-KMS key ID.
# Variables
ErrCustomerKeyMD5Mismatch indicates that the SSE-C key MD5 does not match the computed MD5 sum.
ErrIncompatibleEncryptionMethod indicates that both SSE-C headers and SSE-S3 headers were specified, and are incompatible. The client needs to remove the SSE-S3 header or the SSE-C headers.
ErrInvalidCustomerAlgorithm indicates that the specified SSE-C algorithm is not supported.
ErrInvalidCustomerKey indicates that the SSE-C client key is not valid - e.g.
ErrInvalidEncryptionMethod indicates that the specified SSE encryption method is not supported.
ErrKMSAuthLogin is raised when there is a failure authenticating to KMS.
ErrMissingCustomerKey indicates that the HTTP headers contain no SSE-C client key.
ErrMissingCustomerKeyMD5 indicates that the HTTP headers contain no SSE-C client key MD5 checksum.
ErrSecretKeyMismatch indicates that the provided secret key (SSE-C client key / SSE-S3 KMS key) does not match the secret key used when encrypting the object.
S3 represents AWS SSE-S3.
S3KMS represents AWS SSE-KMS.
SSEC represents AWS SSE-C.
SSECopy represents AWS SSE-C for copy requests.
# Structs
Error is the generic type for any error happening during decrypting an object.
KMSConfig has the KMS config for HashiCorp Vault.
SealedKey represents a sealed object key.
VaultAppRole represents Vault AppRole credentials.
VaultAuth represents the Vault auth type to use.
VaultConfig holds the config required to start the Vault service.
VaultKey represents the Vault encryption key-id name & version.
# Interfaces
KMS represents an active and authenticated connection to a Key-Management-Service.