DecryptContext decrypts the EncryptedKey with a newly created AWS KMS config, and returns the result.
(ctx context.Context)
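// DecryptContext decrypts the EncryptedKey with a newly created AWS KMS config, and
// returns the result.
//
// The base64-encoded EncryptedKey is decoded and sent to KMS together with the
// key's ARN and EncryptionContext; the plaintext data key is returned on success.
// Every failure is logged with the key ARN and returned to the caller with the
// underlying error wrapped, so it stays inspectable via errors.Is/errors.As.
func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
	logger := log.WithField("arn", key.Arn)

	k, err := base64.StdEncoding.DecodeString(key.EncryptedKey)
	if err != nil {
		logger.Info("Decryption failed")
		// %w rather than %s so this path wraps the cause like the KMS path below.
		return nil, fmt.Errorf("error base64-decoding encrypted data key: %w", err)
	}

	cfg, err := key.createKMSConfig(ctx)
	if err != nil {
		logger.Info("Decryption failed")
		return nil, err
	}
	client := key.createClient(cfg)

	// KeyId is set explicitly so KMS can reject ciphertext that was produced
	// under a different key than the one this MasterKey names, and the
	// EncryptionContext has to match the one used at encryption time or KMS
	// refuses to decrypt.
	input := &kms.DecryptInput{
		KeyId:             &key.Arn,
		CiphertextBlob:    k,
		EncryptionContext: stringPointerToStringMap(key.EncryptionContext),
	}
	decrypted, err := client.Decrypt(ctx, input)
	if err != nil {
		logger.Info("Decryption failed")
		return nil, fmt.Errorf("failed to decrypt sops data key with AWS KMS: %w", err)
	}
	logger.Info("Decryption succeeded")
	return decrypted.Plaintext, nil
}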
| 344 | |
| 345 | // NeedsRotation returns whether the data key needs to be rotated or not. |
| 346 | func (key *MasterKey) NeedsRotation() bool { |