# README
## HashiCorp Vault

A go-sqlcrypter provider that uses HashiCorp Vault's Transit secrets engine for encryption as a service.
### Quick Start

Sample Terraform code is available in testing/terraform/vault to try this provider.
### Example

```go
package main

import (
	"log"

	vaultapi "github.com/hashicorp/vault/api"

	"github.com/bincyber/go-sqlcrypter"
	"github.com/bincyber/go-sqlcrypter/providers/vault"
)

func main() {
	// The token is read from the VAULT_TOKEN environment variable.
	client, err := vaultapi.NewClient(&vaultapi.Config{
		Address: "http://localhost:8200",
	})
	if err != nil {
		log.Fatalf("creating Vault client: %v", err)
	}

	// Transit secrets engine mounted at "transit", encryption key named "go-sqlcrypter".
	vaultCrypter, err := vault.New(client, "transit", "go-sqlcrypter")
	if err != nil {
		log.Fatalf("creating Vault crypter: %v", err)
	}

	sqlcrypter.Init(vaultCrypter)
}
```
### Encryption as a Service

Encryption and decryption of sensitive data are delegated entirely to Vault through the Encrypt and Decrypt endpoints of the Transit secrets engine. The data encryption key (DEK) never leaves Vault, so the application never handles it. Vault does not store the data sent to the Transit secrets engine.
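What that delegation looks like on the wire, as an added example that is not the provider's own code: the two Transit calls made directly against Vault's HTTP API using only the standard library. The Vault address, token, mount path and key name are assumptions supplied by the caller; the request and response field names are those of the Transit encrypt and decrypt endpoints.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
)

// transitCall posts JSON to /v1/<mount>/<op>/<key>, the request shape of the Transit
// encrypt and decrypt endpoints, and returns one string field of the response's "data".
func transitCall(addr, token, mount, op, key string, in map[string]string, field string) (string, error) {
	body, _ := json.Marshal(in) // a map[string]string always marshals
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/"+mount+"/"+op+"/"+key, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ Data map[string]any `json:"data"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("transit %s %s: status %s, decode error: %v", op, key, resp.Status, err)
	}
	if s, ok := out.Data[field].(string); ok {
		return s, nil
	}
	return "", fmt.Errorf("transit %s %s: response has no %q", op, key, field)
}

// Encrypt base64-encodes the plaintext (the only form Transit accepts) and returns the
// opaque "vault:v<n>:..." ciphertext to store in the column. The DEK never leaves Vault.
func Encrypt(addr, token, mount, key string, plaintext []byte) (string, error) {
	in := map[string]string{"plaintext": base64.StdEncoding.EncodeToString(plaintext)}
	return transitCall(addr, token, mount, "encrypt", key, in, "ciphertext")
}

// Decrypt sends a stored ciphertext back and decodes the base64 plaintext Vault returns.
func Decrypt(addr, token, mount, key, ciphertext string) ([]byte, error) {
	in := map[string]string{"ciphertext": ciphertext}
	b64, err := transitCall(addr, token, mount, "decrypt", key, in, "plaintext")
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(b64)
}
```

Nothing resembling key material crosses the wire in either direction: the application only ever handles base64 plaintext and the opaque ciphertext it stores.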
### Convergent Encryption

Convergent Encryption is not supported at this time.
# Functions
New creates a new Vault crypter configured to encrypt data using the Transit secrets engine at the specified mount path and key.
# Structs
VaultCrypter is an implementation of the Crypterer interface using HashiCorp Vault's Transit secrets engine.