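// EncryptContext takes a SOPS data key, encrypts it with Vault Transit, and stores
// the result in the EncryptedKey field.
//
// The Transit encrypt endpoint is derived from the key's configuration via
// encryptPath, and the Vault client is built from VaultAddress, token and
// httpClient. ctx bounds the single Vault API call. On success EncryptedKey is
// set to the ciphertext Vault returned; on any failure EncryptedKey is left
// untouched and the error is returned wrapped with the Transit path, so callers
// can still use errors.Is / errors.As on the underlying Vault error.
func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
	fullPath := key.encryptPath()
	logger := log.WithField("Path", fullPath)

	client, err := vaultClient(key.VaultAddress, key.token, key.httpClient)
	if err != nil {
		logger.Info("Encryption failed")
		// Wrap with the same context as the later failure branches so every
		// error surfaced from this method names the Transit path involved.
		return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err)
	}

	secret, err := client.Logical().WriteWithContext(ctx, fullPath, encryptPayload(dataKey))
	if err != nil {
		logger.Info("Encryption failed")
		return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err)
	}

	// Vault's response is validated before anything is stored on the key.
	encryptedKey, err := encryptedKeyFromSecret(secret)
	if err != nil {
		logger.Info("Encryption failed")
		return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err)
	}

	key.EncryptedKey = encryptedKey
	logger.Info("Encryption successful")
	return nil
}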
| 252 | |
| 253 | // EncryptIfNeeded encrypts the provided SOPS data key, if it has not been |
| 254 | // encrypted yet. |