hub / github.com/getsops/sops / EncryptContext

Method EncryptContext

gcpkms/keysource.go:170–197  ·  view source on GitHub ↗

EncryptContext takes a SOPS data key, encrypts it with GCP KMS, and stores the result in the EncryptedKey field.

(ctx context.Context, dataKey []byte)

Source from the content-addressed store, hash-verified

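// EncryptContext takes a SOPS data key, encrypts it with GCP KMS, and stores the
// result in the EncryptedKey field.
//
// A KMS client is created for this call via newKMSClient and closed before
// the method returns. On success the ciphertext returned by KMS is stored,
// base64 (standard encoding) encoded, in key.EncryptedKey and nil is
// returned. On failure a wrapped error is returned and key.EncryptedKey is
// left unchanged.
//
// Only the KMS resource ID is written to the log. dataKey is plaintext key
// material and must never be added to a log field or an error message.
func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
	service, err := key.newKMSClient(ctx)
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
		return fmt.Errorf("cannot create GCP KMS service: %w", err)
	}
	defer func() {
		// Closing is best effort and does not change the result, but the
		// cause is recorded so a failing client teardown can be diagnosed.
		if cerr := service.Close(); cerr != nil {
			log.WithField("resourceID", key.ResourceID).
				WithError(cerr).
				Error("failed to close GCP KMS client connection")
		}
	}()

	// NOTE(review): the request carries no plaintext checksum and the
	// integrity fields of the response are not checked here. Cloud KMS
	// offers optional CRC32C verification (PlaintextCrc32C on the request,
	// VerifiedPlaintextCrc32C and CiphertextCrc32C on the response) to
	// detect corruption between client and service; consider adding it.
	req := &kmspb.EncryptRequest{
		Name:      key.ResourceID,
		Plaintext: dataKey,
	}
	resp, err := service.Encrypt(ctx, req)
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
		return fmt.Errorf("failed to encrypt sops data key with GCP KMS key: %w", err)
	}
	// NB: base64 encoding is for compatibility with SOPS <=3.8.x.
	// The previous GCP KMS client used to work with base64 encoded
	// strings.
	key.EncryptedKey = base64.StdEncoding.EncodeToString(resp.Ciphertext)
	log.WithField("resourceID", key.ResourceID).Info("Encryption succeeded")
	return nil
}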
198
199// SetEncryptedDataKey sets the encrypted data key for this master key.
200func (key *MasterKey) SetEncryptedDataKey(enc []byte) {

Callers 1

EncryptMethod · 0.95

Calls 3

newKMSClientMethod · 0.95
EncryptMethod · 0.65
ErrorMethod · 0.45

Tested by

no test coverage detected