
EncryptContext takes a SOPS data key, encrypts it with Vault Transit, and stores the result in the EncryptedKey field.

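// EncryptContext takes a SOPS data key, encrypts it with Vault Transit, and stores
// the result in the EncryptedKey field.
//
// The Transit endpoint is key.encryptPath(); the Vault client is built from the
// key's VaultAddress, token and httpClient. Every failure is logged at Info level
// with only the Transit path attached (the data key never reaches the log) and is
// returned wrapped with that path, so callers can tell which Vault endpoint was
// involved while errors.Is/errors.As still reach the underlying cause. On success
// key.EncryptedKey is set to the value encryptedKeyFromSecret extracts from Vault's
// response.
func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
	fullPath := key.encryptPath()

	// One failure reporter so all three error paths log and wrap identically.
	fail := func(err error) error {
		log.WithField("Path", fullPath).Info("Encryption failed")
		return fmt.Errorf("failed to encrypt sops data key to Vault transit backend '%s': %w", fullPath, err)
	}

	client, err := vaultClient(key.VaultAddress, key.token, key.httpClient)
	if err != nil {
		// Previously returned unwrapped; wrapping here keeps the error shape
		// consistent with the Transit write and response-parsing failures below.
		return fail(err)
	}

	secret, err := client.Logical().WriteWithContext(ctx, fullPath, encryptPayload(dataKey))
	if err != nil {
		return fail(err)
	}

	encryptedKey, err := encryptedKeyFromSecret(secret)
	if err != nil {
		return fail(err)
	}

	key.EncryptedKey = encryptedKey
	log.WithField("Path", fullPath).Info("Encryption successful")
	return nil
}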
252
253// EncryptIfNeeded encrypts the provided SOPS data key, if it has not been
254// encrypted yet.
