Awesome
AWS Encryption SDK for Go
This project is an implementation of the AWS Encryption SDK for the Go programming language, providing a set of libraries for developers to easily add encryption and decryption functionality to their Go applications. This implementation is inspired by the aws-encryption-sdk-python and follows the AWS Encryption SDK specification closely.
Motivation
The motivation behind this project was the absence of a Go implementation of the AWS Encryption SDK. This SDK aims to fill that gap, offering Go developers the tools to implement encryption according to AWS standards.
Features
- Support for Message Format Version 1 and 2 and related algorithms.
- AWS KMS Master Key Provider with a discovery filter.
- AWS KMS Multi-Region Keys using MRK-aware provider in Discovery or Strict mode.
- Raw Master Key provider using static keys.
- Comprehensive end-to-end tests ensuring compatibility with
aws-encryption-sdk-cli. - 100% code coverage with tests.
Current Limitations
- Does not support the Caching Materials Manager feature yet.
- Does not support KMS aliases at this stage.
- Raw Master Key provider does not support RSA encryption.
- Only framed content type is supported.
Requirements
- Go v1.21 or later.
- AWS SDK for Go v2
Installation
To install the AWS Encryption SDK for Go, use the following command:
$ go get github.com/chainifynet/aws-encryption-sdk-go@latest
Usage
This SDK provides a straightforward interface for encrypting and decrypting data.
For advanced use cases, check examples.
Setting Up the Client
First, set up the client with the necessary configuration.
Default Client Configuration
import (
"github.com/chainifynet/aws-encryption-sdk-go/client"
"github.com/chainifynet/aws-encryption-sdk-go/clientconfig"
"github.com/chainifynet/aws-encryption-sdk-go/materials"
"github.com/chainifynet/aws-encryption-sdk-go/providers/kmsprovider"
"github.com/chainifynet/aws-encryption-sdk-go/providers/rawprovider"
"github.com/chainifynet/aws-encryption-sdk-go/suite"
)
// setup Encryption SDK client with default config
sdkClient := client.NewClient()
Custom Client Configuration (advanced)
You can specify the commitment policy and the limit of maximum encrypted data keys.
// setup Encryption SDK client with custom client config
cfg, err := clientconfig.NewConfigWithOpts(
clientconfig.WithCommitmentPolicy(suite.CommitmentPolicyRequireEncryptRequireDecrypt),
clientconfig.WithMaxEncryptedDataKeys(3),
)
if err != nil {
panic(err) // handle error
}
// setup Encryption SDK client with a custom config
sdkClient := client.NewClientWithConfig(cfg)
Prepare the Key Provider
Raw Key Provider using static keys
rawKeyProvider, err := rawprovider.NewWithOpts(
"raw",
providers.WithStaticKey("static1", []byte("superSecureKeySecureKey32bytes32")),
)
if err != nil {
panic("raw key provider setup failed") // handle error
}
KMS Key Provider using KMS CMKs
You can optionally enable discovery or specify a discovery filter.
// KMS key ARN to be used for encryption and decryption
kmsKeyArn := "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
// setup KMS key provider
kmsKeyProvider, err := kmsprovider.New(kmsKeyArn)
if err != nil {
panic("kms key provider setup failed") // handle error
}
Create the Crypto Materials Manager
You can use either the KMS Key Provider, Raw Key Provider, or both combining them.
Crypto Materials Manager with the Raw Key Provider
cmm, err := materials.NewDefault(rawKeyProvider)
if err != nil {
panic("materials manager setup failed") // handle error
}
Crypto Materials Manager with KMS Key Provider
cmm, err := materials.NewDefault(kmsKeyProvider)
if err != nil {
panic("materials manager setup failed") // handle error
}
Crypto Materials Manager using both KMS and Raw Key Providers
cmm, err := materials.NewDefault(kmsKeyProvider, rawKeyProvider)
if err != nil {
panic("materials manager setup failed") // handle error
}
Encrypting Data
To encrypt data, call the Encrypt method on the client.
// define the encryption context, which is a set of key-value pairs that represent additional authenticated data
encryptionContext := map[string]string{
"purpose": "test",
}
// data to encrypt
secretData := []byte("secret data to encrypt")
// encrypt data
ciphertext, header, err := sdkClient.Encrypt(
context.TODO(),
secretData,
encryptionContext,
cmm,
)
if err != nil {
panic("encryption failed") // handle error
}
Decrypting Data
To decrypt data, use the Decrypt method on the client.
// decrypt data
plaintext, header, err := sdkClient.Decrypt(context.TODO(), ciphertext, cmm)
if err != nil {
panic("decryption failed") // handle error
}
TODO
- Add support for Caching Materials Manager.
- Add support for Message Format Version 1 #170.
- Add support for AWS KMS Multi-Region Keys #46.
- Add support for KMS aliases.
- Cover
providerspackage with tests. - Cover
keyspackage with tests. - Cover
materialspackage with tests. - GoDoc documentation #294.
- Streamlined encryption and decryption.
Support and Contributions
If you encounter any issues or would like to contribute to the project, please submit an issue or pull request on GitHub.
License
This SDK is licensed under the Apache License 2.0. See the LICENSE file for details.
For more information on how to use this SDK, please refer to the example directory and the detailed API reference in the documentation.
Stay tuned for further updates and features. Contributions and feedback are welcome!
