
Method UpdateMasterKeysWithKeyServices

sops.go:762–829  ·  view source on GitHub ↗

UpdateMasterKeysWithKeyServices encrypts the data key with all master keys using the provided key services

(dataKey []byte, svcs []keyservice.KeyServiceClient)

761// UpdateMasterKeysWithKeyServices encrypts the data key with all master keys using the provided key services
762func (m *Metadata) UpdateMasterKeysWithKeyServices(dataKey []byte, svcs []keyservice.KeyServiceClient) (errs []error) {
763 if len(svcs) == 0 {
764 return []error{
765 fmt.Errorf("no key services provided, cannot update master keys"),
766 }
767 }
768 if len(m.KeyGroups) == 0 {
769 return []error{
770 fmt.Errorf("no key groups provided"),
771 }
772 }
773 var parts [][]byte
774 if len(m.KeyGroups) == 1 {
775 // If there's only one key group, we can't do Shamir. All keys
776 // in the group encrypt the whole data key.
777 parts = append(parts, dataKey)
778 } else {
779 var err error
780 if m.ShamirThreshold == 0 {
781 m.ShamirThreshold = len(m.KeyGroups)
782 }
783 log.WithFields(logrus.Fields{
784 "quorum": m.ShamirThreshold,
785 "parts": len(m.KeyGroups),
786 }).Info("Splitting data key with Shamir Secret Sharing")
787 parts, err = shamir.Split(dataKey, len(m.KeyGroups), int(m.ShamirThreshold))
788 if err != nil {
789 errs = append(errs, fmt.Errorf("could not split data key into parts for Shamir: %s", err))
790 return
791 }
792 if len(parts) != len(m.KeyGroups) {
793 errs = append(errs, fmt.Errorf("not enough parts obtained from Shamir: need %d, got %d", len(m.KeyGroups), len(parts)))
794 return
795 }
796 }
797 for i, group := range m.KeyGroups {
798 part := parts[i]
799 if len(group) == 0 {
800 return []error{
801 fmt.Errorf("empty key group provided"),
802 }
803 }
804 for _, key := range group {
805 svcKey := keyservice.KeyFromMasterKey(key)
806 var keyErrs []error
807 encrypted := false
808 for _, svc := range svcs {
809 rsp, err := svc.Encrypt(context.Background(), &keyservice.EncryptRequest{
810 Key: &svcKey,
811 Plaintext: part,
812 })
813 if err != nil {
814 keyErrs = append(keyErrs, fmt.Errorf("failed to encrypt new data key with master key %q: %w", key.ToString(), err))
815 continue
816 }
817 key.SetEncryptedDataKey(rsp.Ciphertext)
818 encrypted = true
819 // Only need to encrypt the key successfully with one service
