# Functions
CreateMultipartMetadata adds the multipart flag entry to metadata and returns the modified metadata.
DecryptSinglePart decrypts an io.Writer which must be an object uploaded with the single-part PUT API.
EnabledKes returns true if kes as KMS is enabled.
EnabledVault returns true if HashiCorp Vault is enabled.
EncryptMultiPart encrypts an io.Reader which must be the body of multi-part PUT request.
EncryptSinglePart encrypts an io.Reader which must be the body of a single-part PUT request.
Errorf - formats according to a format specifier and returns the string as a value of type crypto.Error, which satisfies the error interface.
GenerateIV generates a new random 256 bit IV from the provided source of randomness.
GenerateKey generates a unique ObjectKey from a 256 bit external key and a source of randomness.
IsEncrypted returns true if the object metadata indicates that it was uploaded using some form of server-side-encryption.
IsETagSealed returns true if the etag seems to be encrypted.
IsMultiPart returns true if the object metadata indicates that it was uploaded using some form of server-side-encryption and the S3 multipart API.
IsRequested returns true and the SSE Type if the HTTP headers indicate that some form of server-side encryption is requested.
IsSourceEncrypted returns true if the source is encrypted.
LinearJitterBackoff provides the time.Duration for a caller to perform linear backoff based on the attempt number and with jitter to prevent a thundering herd.
LookupConfig looks up the Vault or KES config and returns a KMSConfig used to configure the KMS object for object encryption.
LookupKesConfig looks up the KES server configuration.
LookupVaultConfig extracts the KMS configuration provided by environment variables and merges it with the provided KMS configuration.
NewKes returns a new kes KMS client.
NewKESError returns a new KES API error with the given HTTP status code and error message.
NewKMS - initializes a new KMS.
NewMasterKey returns a basic KMS implementation from a single 256 bit master key.
NewVault initializes the Hashicorp Vault KMS by authenticating to Vault with the credentials in config and obtains a client token for future API calls.
ParseMasterKey parses the value of the environment variable `EnvKMSMasterKey` and returns a key-ID and a master-key KMS on success.
RemoveInternalEntries removes all crypto-specific internal metadata entries from the metadata map.
RemoveSensitiveEntries removes confidential encryption information - e.g.
RemoveSensitiveHeaders removes confidential encryption information - e.g.
RemoveSSEHeaders removes all crypto-specific SSE header entries from the metadata map.
SetKMSConfig is a helper to migrate from the older KMSConfig to the new KV config.
# Constants
EnvAutoEncryptionLegacy is the environment variable used to en/disable SSE-S3 auto-encryption.
EnvKMSAutoEncryption is the environment variable used to en/disable SSE-S3 auto-encryption.
EnvKMSKesCAPath is the environment variable used to specify the TLS root certificates used by MinIO to verify the certificate presented by the kes server when establishing a TLS connection.
EnvKMSKesCertFile is the environment variable used to specify the TLS certificate used by MinIO to authenticate to the kes server over HTTPS via mTLS.
EnvKMSKesEndpoint is the environment variable used to specify one or multiple KES server HTTPS endpoints.
EnvKMSKesKeyFile is the environment variable used to specify the TLS private key used by MinIO to authenticate to the kes server over HTTPS via mTLS.
EnvKMSKesKeyName is the environment variable used to specify the (default) key at the kes server.
EnvKMSMasterKey is the environment variable used to specify a KMS master key used to protect SSE-S3 per-object keys.
EnvKMSMasterKeyLegacy is the environment variable used to specify a KMS master key used to protect SSE-S3 per-object keys.
EnvKMSVaultAppRoleID is the environment variable used to specify the vault AppRole ID.
EnvKMSVaultAppSecretID is the environment variable used to specify the vault AppRole secret corresponding to the AppRole ID.
EnvKMSVaultAuthType is the environment variable used to specify the authentication type for vault.
EnvKMSVaultCAPath is the environment variable used to specify the path to a directory of PEM-encoded CA cert files.
EnvKMSVaultEndpoint is the environment variable used to specify the vault HTTPS endpoint.
EnvKMSVaultKeyName is the environment variable used to specify the vault named key-ring.
EnvKMSVaultKeyVersion is the environment variable used to specify the vault key version.
EnvKMSVaultNamespace is the environment variable used to specify vault namespace.
EnvLegacyVaultAppRoleID is the environment variable used to specify the vault AppRole ID.
EnvLegacyVaultAppSecretID is the environment variable used to specify the vault AppRole secret corresponding to the AppRole ID.
EnvLegacyVaultAuthType is the environment variable used to specify the authentication type for vault.
EnvLegacyVaultCAPath is the environment variable used to specify the path to a directory of PEM-encoded CA cert files.
EnvLegacyVaultEndpoint is the environment variable used to specify the vault HTTPS endpoint.
EnvLegacyVaultKeyName is the environment variable used to specify the vault named key-ring.
EnvLegacyVaultKeyVersion is the environment variable used to specify the vault key version.
EnvLegacyVaultNamespace is the environment variable used to specify vault namespace.
InsecureSealAlgorithm is the legacy encryption/sealing algorithm used to derive & seal the key-encryption-key and to en/decrypt the object data.
KMS kes constants.
KMS Vault constants.
MetaAlgorithm is the algorithm used to derive internal keys and encrypt the objects.
MetaDataEncryptionKey is the sealed data encryption key (DEK) received from the KMS.
MetaIV is the random initialization vector (IV) used for the MinIO-internal key derivation.
MetaKeyID is the KMS master key ID used to generate/encrypt the data encryption key (DEK).
MetaMultipart indicates that the object has been uploaded in multiple parts - via the S3 multipart API.
MetaSealedKeyKMS is the sealed object encryption key in case of SSE-KMS.
MetaSealedKeyS3 is the sealed object encryption key in case of SSE-S3.
MetaSealedKeySSEC is the sealed object encryption key in case of SSE-C.
SealAlgorithm is the encryption/sealing algorithm used to derive & seal the key-encryption-key and to en/decrypt the object data.
# Variables
DefaultKVS - default KV crypto config.
ErrCustomerKeyMD5Mismatch indicates that the SSE-C key MD5 does not match the computed MD5 sum.
ErrIncompatibleEncryptionMethod indicates that both SSE-C headers and SSE-S3 headers were specified, and are incompatible. The client needs to remove the SSE-S3 header or the SSE-C headers.
ErrInvalidCustomerAlgorithm indicates that the specified SSE-C algorithm is not supported.
ErrInvalidCustomerKey indicates that the SSE-C client key is not valid - e.g.
ErrInvalidEncryptionMethod indicates that the specified SSE encryption method is not supported.
ErrKESKeyExists is the error returned by a KES server when a master key already exists.
ErrKMSAuthLogin is raised when there is a failure authenticating to KMS.
ErrMissingCustomerKey indicates that the HTTP headers contain no SSE-C client key.
ErrMissingCustomerKeyMD5 indicates that the HTTP headers contain no SSE-C client key MD5 checksum.
ErrSecretKeyMismatch indicates that the provided secret key (SSE-C client key / SSE-S3 KMS key) does not match the secret key used when encrypting the object.
Help template for KMS vault.
S3 represents AWS SSE-S3.
S3KMS represents AWS SSE-KMS.
SSEC represents AWS SSE-C.
SSECopy represents AWS SSE-C for copy requests.
# Structs
Error is the generic type for any error happening during decrypting an object.
KesConfig contains the configuration required to initialize and connect to a kes server.
KMSConfig has the KMS config for Hashicorp Vault.
KMSInfo contains some describing information about the KMS.
SealedKey represents a sealed object key.
VaultAppRole represents vault AppRole authentication credentials.
VaultAuth represents vault authentication type.
VaultConfig represents vault configuration.
VaultKey represents vault encryption key-ring.