github.com/godaddy/asherah/go/appencryption
Package appencryption contains the implementation to securely persist and encrypt data in the public cloud. Your main interaction with the library will most likely be the SessionFactory which should be created on application start up and stored for the lifetime of the app. A session should closed as close as possible to the creation of the session. It should also be short lived to avoid running into the limits on the amount of memory that can be locked. See mlock documentation on how to set/check the current limits. It can also be checked using ulimit.
Readme
Application level envelope encryption SDK for Golang with support for cloud-agnostic data storage and key management.
package main
import (
"context"
"github.com/godaddy/asherah/go/appencryption"
"github.com/godaddy/asherah/go/appencryption/pkg/crypto/aead"
"github.com/godaddy/asherah/go/appencryption/pkg/kms"
"github.com/godaddy/asherah/go/appencryption/pkg/persistence"
)
func main() {
crypto := aead.NewAES256GCM()
config := &appencryption.Config{
Service: "reference_app",
Product: "productId",
Policy: appencryption.NewCryptoPolicy(),
}
metastore := persistence.NewMemoryMetastore()
key, err := kms.NewStatic("thisIsAStaticMasterKeyForTesting", crypto)
if err != nil {
panic(err)
}
// Create a session factory. The builder steps used below are for testing only.
factory := appencryption.NewSessionFactory(config, metastore, key, crypto)
defer factory.Close()
// Now create a cryptographic session for a partition.
sess, err := factory.GetSession("shopper123")
if err != nil {
panic(err)
}
// Close frees the memory held by the intermediate keys used in this session
defer sess.Close()
// Now encrypt some data
dataRow, err := sess.Encrypt(context.Background(), []byte("mysupersecretpayload"))
if err != nil {
panic(err)
}
//Decrypt the data
data, err := sess.Decrypt(context.Background(), *dataRow)
if err != nil {
panic(err)
}
}
A more extensive example is the Reference Application, which will evolve along with the SDK.
Before you can start encrypting data, you need to define Asherah's required pluggable components. Below we show how to build the various options for each component.
Detailed information about the Metastore, including any provisioning steps, can be found here.
Asherah can connect to a relational database by accepting a connection string and opening a connection to the database using a database driver name. See https://golang.org/s/sqldrivers for a list of third-party drivers.
// Open a DB connection using a database driver name and connection string
connectionString := ...;
// Parse the DSN string to a Config
dsn, err := mysql.ParseDSN(connectionString)
if err != nil {
return err
}
// Open a connection to the database using the driver name and the connection string
db, err := sql.Open("driver-name", dsn.FormatDSN())
if err != nil {
return err
}
// Build the Metastore
metastore := persistence.NewSQLMetastore(db)
You can also use the WithSQLMetastoreDBType option to configure the metastore for use with a
specific type of database/sql driver. This is required when using an Oracle or PostgreSQL database.
// Build the Metastore for use with a Postgres DB
metastore := persistence.NewSQLMetastore(
db,
persistence.WithSQLMetastoreDBType(persistence.Postgres),
)
awsConfig := &aws.Config{
Region: aws.String("us-west-2"), // specify preferred region here
}
sess, err = session.NewSession(awsConfig)
if err != nil {
panic(err)
}
// To configure an endpoint
awsConfig.Endpoint = aws.String("http://localhost:8000"),
You can also either use the WithXXX functional options to configure the metastore properties.
// Build the Metastore
metastore := persistence.NewDynamoDBMetastore(
sess,
persistence.WithDynamoDBRegionSuffix(true),
persistence.WithTableName("CustomTableName") ,
)
metastore := persistence.NewMemoryMetastore()
Detailed information about the Key Management Service can be found here.
// Create a map of region and ARN pairs that will all be used when creating a System Key
regionArnMap := map[string]string {
"us-west-2": "ARN FOR US-WEST-2",
"us-east-2": "ARN FOR US-EAST-2",
"eu-west-2": "ARN FOR EU-WEST-2",
...,
}
crypto := aead.NewAES256GCM()
// Build the Key Management Service using the region dictionary and your preferred (usually current) region
keyManagementService := kms.NewAWS(crypto, "us-west-2", regionArnMap)
crypto := aead.NewAES256GCM()
keyManagementService := kms.NewStatic("thisIsAStaticMasterKeyForTesting", crypto)
Detailed information on Crypto Policy can be found here. The Crypto Policy's effect on key caching is explained here.
cryptoPolicy := appencryption.NewCryptoPolicy()
The default key expiration limit is 90 days and revoke check interval is 60 minutes. These can be changed using functional options.
cryptoPolicy := appencryption.NewCryptoPolicy(
appencryption.WithExpireAfterDuration(24 * time.Hour),
appencryption.WithRevokeCheckInterval(30 * time.Minute))
Session caching is disabled by default. Enabling it is primarily useful if you are working with stateless workloads and the shared session can't be used by the calling app.
To enable session caching, simply use the WithSessionCache option when creating the crypto policy.
cryptoPolicy := appencryption.NewCryptoPolicy(
appencryption.WithExpireAfterDuration(24 * time.Hour),
appencryption.WithRevokeCheckInterval(30 * time.Minute),
appencryption.WithSessionCache(),
appencryption.SessionCacheMaxSize(200),
appencryption.WithSessionCacheDuration(5 * time.Minute),
)
Asherah's Go implementation uses go-metrics for metrics, which are enabled by
default. If metrics are to be disabled, we simply use the WithMetrics functional option while creating the
SessionFactory.
factory := NewSessionFactory(config, metastore, kms, crypto, WithMetrics(false))
The following metrics are available:
A session factory can now be built using the components we defined above.
sessionFactory := appencryption.NewSessionFactory(
&appencryption.Config{
Service: "reference_app",
Product: "productId",
Policy: appencryption.NewCryptoPolicy(),
},
metastore,
kms,
crypto,
)
NOTE: We recommend that every service have its own session factory, preferably as a singleton instance within the service. This will allow you to leverage caching and minimize resource usage. Always remember to close the session factory before exiting the service to ensure that all resources held by the factory, including the cache, are disposed of properly.
Create a session to be used for cryptographic operations.
sess, err := factory.GetSession("shopper123")
if err != nil {
panic(err)
}
// Close frees the memory held by the intermediate keys used in this session
defer sess.Close()
NOTE: Remember to close the session after all cryptographic operations to dispose of associated resources.
This usage style is similar to common encryption utilities where payloads are simply encrypted and decrypted, and it is completely up to the calling application for storage responsibility.
originalPayloadString := "mysupersecretpayload";
// encrypt the payload
dataRowRecord, err := sess.Encrypt(context.Background(), []byte(originalPayloadString))
if err != nil {
panic(err)
}
// decrypt the payload
decryptedPayload, err := sess.Decrypt(context.Background(), *dataRowRecord)
if err != nil {
panic(err)
}
Asherah supports a key-value/document storage model. Use custom Storer and Loader implementations to hook into the
session's Store and Load methods.
An example map-backed implementation:
type storage map[string][]byte
func (s storage) Store(_ context.Context, d appencryption.DataRowRecord) (interface{}, error) {
b, err := json.Marshal(d)
if err != nil {
return nil, err
}
key := uuid.NewString()
s[key] = b
return key, nil
}
func (s storage) Load(_ context.Context, key string) (*appencryption.DataRowRecord, error) {
var d appencryption.DataRowRecord
err := json.Unmarshal(s[key], &d)
return &d, err
}
An example end-to-end use of the session Store and Load calls:
mystore := make(storage)
originalPayloadData := []byte("mysupersecretpayload")
// Encrypts the payload and stores it in the map
key, err := sess.Store(context.Background(), originalPayloadData, mystore)
if err != nil {
panic(err)
}
// Uses the persistenceKey to look-up the payload in the map, then decrypts the payload and returns it
payload, err := sess.Load(context.Background(), key, mystore)
appencryption package: See the godocs for api documentation.
Some unit tests will use the AWS SDK, If you don’t already have a local
AWS credentials file,
create a dummy file called ~/.aws/credentials with the below contents:
[default]
aws_access_key_id = foobar
aws_secret_access_key = barfoo
Alternately, you can set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
FAQs
Package appencryption contains the implementation to securely persist and encrypt data in the public cloud. Your main interaction with the library will most likely be the SessionFactory which should be created on application start up and stored for the lifetime of the app. A session should closed as close as possible to the creation of the session. It should also be short lived to avoid running into the limits on the amount of memory that can be locked. See mlock documentation on how to set/check the current limits. It can also be checked using ulimit.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The June TC39 meeting wrapped up this week with eight proposals moving on to the next stage. Here's a quick roundup of the features that the committee approved to advance.
Security News
Cyber extortion in the US and Canada hit record levels in 2023, with ransomware attacks surging and median ransom demands skyrocketing, though fewer companies are choosing to pay ransoms.
Security News
Ecma TC39 is meeting this week and has moved key ECMAScript proposals forward, advancing Deferred Import Evaluation, Error.isError(), RegExp Escaping, and Promise.try to the next stages.