package
3.0.0+incompatible
Repository: https://github.com/openmpdk/dss-minio.git
Documentation: pkg.go.dev
# Functions
CreateMultipartMetadata adds the multipart flag entry to metadata and returns modified metadata.
DecryptSinglePart decrypts an io.Writer which must be an object uploaded with the single-part PUT API.
EncryptMultiPart encrypts an io.Reader which must be the body of a multi-part PUT request.
EncryptSinglePart encrypts an io.Reader which must be the body of a single-part PUT request.
GenerateIV generates a new random 256 bit IV from the provided source of randomness.
GenerateKey generates a unique ObjectKey from a 256 bit external key and a source of randomness.
IsEncrypted returns true if the object metadata indicates that it was uploaded using some form of server-side-encryption.
IsETagSealed returns true if the etag seems to be encrypted.
IsMultiPart returns true if the object metadata indicates that it was uploaded using some form of server-side-encryption and the S3 multipart API.
NewKMS returns a basic KMS implementation from a single 256 bit master key.
NewVault initializes HashiCorp Vault KMS by authenticating to Vault with the credentials in config and gets a client token for future API calls.
RemoveInternalEntries removes all crypto-specific internal metadata entries from the metadata map.
RemoveSensitiveEntries removes confidential encryption information - e.g.
RemoveSensitiveHeaders removes confidential encryption information - e.g.
RemoveSSEHeaders removes all crypto-specific SSE header entries from the metadata map.
# Constants
InsecureSealAlgorithm is the legacy encryption/sealing algorithm used to derive & seal the key-encryption-key and to en/decrypt the object data.
S3KMSKeyID is the metadata key referencing the KMS key-id used to generate/decrypt the S3-KMS-Sealed-Key.
S3KMSSealedKey is the metadata key referencing the encrypted key generated by KMS.
S3SealedKey is the metadata key referencing the sealed object-key for SSE-S3.
SealAlgorithm is the encryption/sealing algorithm used to derive & seal the key-encryption-key and to en/decrypt the object data.
SSEAlgorithmAES256 is the only supported value for the SSE-S3 or SSE-C algorithm header.
SSEAlgorithmKMS is the value of 'X-Amz-Server-Side-Encryption' for SSE-KMS.
SSECAlgorithm is the HTTP header key referencing the SSE-C algorithm.
SSECKey is the HTTP header key referencing the SSE-C client-provided key.
SSECKeyMD5 is the HTTP header key referencing the MD5 sum of the client-provided key.
SSECopyAlgorithm is the HTTP header key referencing the SSE-C algorithm for SSE-C copy requests.
SSECopyKey is the HTTP header key referencing the SSE-C client-provided key for SSE-C copy requests.
SSECopyKeyMD5 is the HTTP header key referencing the MD5 sum of the client key for SSE-C copy requests.
SSECSealedKey is the metadata key referencing the sealed object-key for SSE-C.
SSEHeader is the general AWS SSE HTTP header key.
SSEIV is the metadata key referencing the random initialization vector (IV) used for SSE-S3 and SSE-C key derivation.
SSEKmsContext is the HTTP header key referencing the SSE-KMS encryption context.
SSEKmsID is the HTTP header key referencing the SSE-KMS key ID.
SSEMultipart is the metadata key indicating that the object was uploaded using the S3 multipart API and stored using some form of server-side-encryption.
SSESealAlgorithm is the metadata key referencing the algorithm used by SSE-C and SSE-S3 to encrypt the object.
# Variables
ErrCustomerKeyMD5Mismatch indicates that the SSE-C key MD5 does not match the computed MD5 sum.
ErrIncompatibleEncryptionMethod indicates that both SSE-C headers and SSE-S3 headers were specified, and are incompatible. The client needs to remove the SSE-S3 header or the SSE-C headers.
ErrInvalidCustomerAlgorithm indicates that the specified SSE-C algorithm is not supported.
ErrInvalidCustomerKey indicates that the SSE-C client key is not valid - e.g.
ErrInvalidEncryptionMethod indicates that the specified SSE encryption method is not supported.
ErrKMSAuthLogin is raised when there is a failure authenticating to KMS.
ErrMissingCustomerKey indicates that the HTTP headers contain no SSE-C client key.
ErrMissingCustomerKeyMD5 indicates that the HTTP headers contain no SSE-C client key MD5 checksum.
ErrSecretKeyMismatch indicates that the provided secret key (SSE-C client key / SSE-S3 KMS key) does not match the secret key used during encrypting the object.
S3 represents AWS SSE-S3.
S3KMS represents AWS SSE-KMS.
SSEC represents AWS SSE-C.
SSECopy represents AWS SSE-C for copy requests.
# Structs
Error is the generic type for any error happening during decrypting an object.
KMSConfig has the KMS config for HashiCorp Vault.
SealedKey represents a sealed object key.
VaultAppRole represents Vault AppRole authentication credentials.
VaultAuth represents Vault authentication type.
VaultConfig represents Vault configuration.
VaultKey represents Vault encryption key-ring.
# Interfaces
KMS represents an active and authenticated connection to a Key-Management-Service.