EncryptContext takes a SOPS data key, encrypts it with GCP KMS, and stores the result in the EncryptedKey field.
(ctx context.Context, dataKey []byte)
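// EncryptContext takes a SOPS data key, encrypts it with GCP KMS, and stores the
// result in the EncryptedKey field.
//
// The plaintext dataKey is passed only to the KMS Encrypt RPC; the log lines
// emitted here carry the ResourceID and a status message, never key material.
// On success the returned ciphertext is base64-encoded into EncryptedKey.
// Errors from client construction and from the Encrypt call are wrapped with
// %w so callers can inspect the underlying cause.
func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
	service, err := key.newKMSClient(ctx)
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
		return fmt.Errorf("cannot create GCP KMS service: %w", err)
	}
	// Use a distinct name (cerr) so the deferred close neither shadows the
	// outer err nor drops the cause of a failed close from the log.
	defer func() {
		if cerr := service.Close(); cerr != nil {
			log.WithField("resourceID", key.ResourceID).WithField("error", cerr).Error("failed to close GCP KMS client connection")
		}
	}()

	req := &kmspb.EncryptRequest{
		Name:      key.ResourceID,
		Plaintext: dataKey,
	}
	resp, err := service.Encrypt(ctx, req)
	if err != nil {
		log.WithField("resourceID", key.ResourceID).Info("Encryption failed")
		return fmt.Errorf("failed to encrypt sops data key with GCP KMS key: %w", err)
	}
	// NOTE(review): the response's CRC32C integrity fields (e.g.
	// CiphertextCrc32C) are not verified here; the ciphertext is stored as
	// returned by the service.
	//
	// NB: base64 encoding is for compatibility with SOPS <=3.8.x.
	// The previous GCP KMS client used to work with base64 encoded
	// strings.
	key.EncryptedKey = base64.StdEncoding.EncodeToString(resp.Ciphertext)
	log.WithField("resourceID", key.ResourceID).Info("Encryption succeeded")
	return nil
}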
| 198 | |
| 199 | // SetEncryptedDataKey sets the encrypted data key for this master key. |
| 200 | func (key *MasterKey) SetEncryptedDataKey(enc []byte) { |