hub / github.com/getsops/sops / EncryptContext

Method EncryptContext

kms/keysource.go:268–288  ·  view source on GitHub ↗

EncryptContext takes a SOPS data key, encrypts it with KMS and stores the result in the EncryptedKey field.

(ctx context.Context, dataKey []byte)

Source from the content-addressed store, hash-verified

// EncryptContext encrypts the given SOPS data key with the AWS KMS key
// identified by key.Arn and, on success, stores the base64-encoded ciphertext
// in key.EncryptedKey.
//
// key.EncryptionContext is sent to KMS together with the plaintext. KMS treats
// an encryption context as additional authenticated data, so the same context
// has to be supplied again to decrypt; AWS records the context in plaintext in
// CloudTrail, so it is not a place for secret values.
//
// An error from building the KMS configuration is returned unchanged; an error
// from the Encrypt call is wrapped with %w. key.EncryptedKey is only written
// on the success path.
func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
	// Only the key ARN is attached to log entries; neither the plaintext data
	// key nor the resulting ciphertext is logged. The ARN is read at call time,
	// exactly as in a direct log.WithField call.
	logOutcome := func(msg string) {
		log.WithField("arn", key.Arn).Info(msg)
	}

	awsCfg, err := key.createKMSConfig(ctx)
	if err != nil {
		logOutcome("Encryption failed")
		return err
	}

	kmsClient := key.createClient(awsCfg)

	req := kms.EncryptInput{
		KeyId:             &key.Arn,
		Plaintext:         dataKey,
		EncryptionContext: stringPointerToStringMap(key.EncryptionContext),
	}

	resp, err := kmsClient.Encrypt(ctx, &req)
	if err != nil {
		logOutcome("Encryption failed")
		return fmt.Errorf("failed to encrypt sops data key with AWS KMS: %w", err)
	}

	// The ciphertext blob is binary; it is kept as standard base64 text.
	key.EncryptedKey = base64.StdEncoding.EncodeToString(resp.CiphertextBlob)
	logOutcome("Encryption succeeded")
	return nil
}
290// EncryptIfNeeded encrypts the provided SOPS data key, if it has not been
291// encrypted yet.

Callers 1

Encrypt (Method) · 0.95

Calls 4

createKMSConfig (Method) · 0.95
createClient (Method) · 0.95
stringPointerToStringMap (Function) · 0.85
Encrypt (Method) · 0.65

Tested by

no test coverage detected