| 278 | |
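// DecryptContext decrypts the EncryptedKey field with Vault Transit and returns the result.
//
// The ciphertext held in key.EncryptedKey is sent to the transit decrypt path
// produced by key.decryptPath(), using a client built from key.VaultAddress,
// key.token and key.httpClient. On success the returned slice is the plaintext
// sops data key. Every failure — client construction, the Vault write, an empty
// response, or parsing the secret — is wrapped with the transit path so the
// caller can tell which backend was involved; the underlying error stays
// reachable through errors.Is/errors.As. Only the path is ever logged: the
// ciphertext, the token and the recovered key never reach the log.
func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
	fullPath := key.decryptPath()

	// All failure paths log and wrap identically, so the caller receives the
	// same context regardless of which step failed. Previously the client
	// construction error was returned bare, without the backend path.
	fail := func(cause error) ([]byte, error) {
		log.WithField("Path", fullPath).Info("Decryption failed")
		return nil, fmt.Errorf("failed to decrypt sops data key from Vault transit backend '%s': %w", fullPath, cause)
	}

	client, err := vaultClient(key.VaultAddress, key.token, key.httpClient)
	if err != nil {
		return fail(err)
	}

	secret, err := client.Logical().WriteWithContext(ctx, fullPath, decryptPayload(key.EncryptedKey))
	if err != nil {
		return fail(err)
	}
	// Defensive: the Vault client can hand back a nil *Secret together with a
	// nil error for a body-less 2xx reply. Fail here rather than pass a nil
	// secret to dataKeyFromSecret — NOTE(review): confirm that helper does not
	// already cover this case.
	if secret == nil {
		return fail(fmt.Errorf("empty response from Vault"))
	}

	dataKey, err := dataKeyFromSecret(secret)
	if err != nil {
		return fail(err)
	}

	log.WithField("Path", fullPath).Info("Decryption successful")
	return dataKey, nil
}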
| 303 | |
| 304 | // NeedsRotation returns whether the data key needs to be rotated or not. |
| 305 | func (key *MasterKey) NeedsRotation() bool { |