EncryptContext takes a SOPS data key, encrypts it with KMS and stores the result in the EncryptedKey field.
(ctx context.Context, dataKey []byte)
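// EncryptContext takes a SOPS data key, encrypts it with KMS and stores the
// base64-encoded ciphertext in the EncryptedKey field.
//
// The KMS call is issued under ctx, so callers can bound how long it may
// take. The key's EncryptionContext (if any) is sent with the request.
// NOTE(review): KMS presumably binds that context to the ciphertext, so the
// decrypt path must present the same map — verify against the decrypt method.
//
// Both failure paths return a wrapped error (the cause stays reachable via
// errors.Is / errors.As / errors.Unwrap); previously only the Encrypt failure
// was wrapped while a configuration failure was returned bare.
func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
	cfg, err := key.createKMSConfig(ctx)
	if err != nil {
		log.WithField("arn", key.Arn).Info("Encryption failed")
		// Wrapped for consistency with the Encrypt failure below.
		return fmt.Errorf("failed to create AWS KMS config: %w", err)
	}
	client := key.createClient(cfg)
	input := &kms.EncryptInput{
		KeyId:             &key.Arn,
		Plaintext:         dataKey,
		EncryptionContext: stringPointerToStringMap(key.EncryptionContext),
	}
	out, err := client.Encrypt(ctx, input)
	if err != nil {
		log.WithField("arn", key.Arn).Info("Encryption failed")
		return fmt.Errorf("failed to encrypt sops data key with AWS KMS: %w", err)
	}
	// Never persist an empty ciphertext: it would yield an EncryptedKey that
	// looks valid but can never be decrypted. Fail loudly here instead.
	if out == nil || len(out.CiphertextBlob) == 0 {
		log.WithField("arn", key.Arn).Info("Encryption failed")
		return fmt.Errorf("failed to encrypt sops data key with AWS KMS: empty ciphertext returned for key %s", key.Arn)
	}
	key.EncryptedKey = base64.StdEncoding.EncodeToString(out.CiphertextBlob)
	log.WithField("arn", key.Arn).Info("Encryption succeeded")
	return nil
}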
| 289 | |
| 290 | // EncryptIfNeeded encrypts the provided SOPS data key, if it has not been |
| 291 | // encrypted yet. |