# README
## HashiCorp Vault

HashiCorp Vault using the Transit Secrets Engine for encryption as a service.

### Quick Start

Sample Terraform code is available in `testing/terraform/vault` to try this provider.
#### Example

```go
package main

import (
	"log"

	vaultapi "github.com/hashicorp/vault/api"

	"github.com/bincyber/go-sqlcrypter"
	"github.com/bincyber/go-sqlcrypter/providers/vault"
)

func main() {
	// The token is read from the VAULT_TOKEN environment variable.
	client, err := vaultapi.NewClient(&vaultapi.Config{
		Address: "http://localhost:8200",
	})
	if err != nil {
		log.Fatalf("creating Vault client: %v", err)
	}

	// Build a crypter backed by the Transit secrets engine (mount path and key name).
	vaultCrypter, err := vault.New(client, "transit", "go-sqlcrypter")
	if err != nil {
		log.Fatalf("creating Vault crypter: %v", err)
	}

	// Register the crypter so sqlcrypter encrypts and decrypts through Vault.
	sqlcrypter.Init(vaultCrypter)
}
```
### Encryption as a Service

Encryption and decryption of sensitive data are entirely delegated to Vault: the provider uses the Encrypt and Decrypt endpoints of the Transit secrets engine. The data encryption key (DEK) is never accessed by the application, and Vault does not store the data sent to the Transit secrets engine.
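The Transit exchange described above, shown as an added example that is not code from go-sqlcrypter or its Vault provider: a hypothetical `TransitCrypter` drives the encrypt and decrypt endpoints over plain `net/http`, assuming a Transit mount named by `Mount`, a key named by `Key`, and a token permitted to use both endpoints.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
)

// TransitCrypter calls Vault's Transit encrypt/decrypt endpoints over plain net/http.
// Hypothetical example for this README, not the provider's code; assumes mount Mount holding key Key.
type TransitCrypter struct {
	Addr, Token, Mount, Key string
}

// call POSTs {in: val} to /v1/<Mount>/<op>/<Key> and returns data[out] from the reply.
func (t *TransitCrypter) call(op, in, val, out string) (string, error) {
	payload, _ := json.Marshal(map[string]string{in: val})
	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/v1/%s/%s/%s", t.Addr, t.Mount, op, t.Key), bytes.NewReader(payload))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", t.Token) // the app holds a token, never the DEK
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // Vault signals failure with a non-200 status
		return "", fmt.Errorf("transit %s: HTTP %d", op, resp.StatusCode)
	}
	var res struct{ Data map[string]string `json:"data"` }
	err = json.NewDecoder(resp.Body).Decode(&res)
	return res.Data[out], err
}

// Encrypt sends base64 plaintext; Vault answers "vault:v<N>:<ciphertext>", the opaque string stored in the column.
func (t *TransitCrypter) Encrypt(plaintext []byte) (string, error) {
	return t.call("encrypt", "plaintext", base64.StdEncoding.EncodeToString(plaintext), "ciphertext")
}

// Decrypt sends the stored ciphertext back and decodes the base64 plaintext Vault returns.
func (t *TransitCrypter) Decrypt(ciphertext string) ([]byte, error) {
	b64, err := t.call("decrypt", "ciphertext", ciphertext, "plaintext")
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(b64)
}
```

Only base64 plaintext and the opaque `vault:v<N>:...` ciphertext cross the wire; the key material stays inside Vault, so the application process never holds anything that decrypts the column on its own.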
### Convergent Encryption

Convergent Encryption is not supported at this time.