c9d678a91a
Update the on-disk format for the root key so that it's wrapped with a unique per-key/per-server key encryption key. This is a bit of security theatre for the current implementation, but it uses `go-kms-wrapping` as the interface for wrapping the key. This provides a shim for future support of external KMS such as cloud provider APIs or Vault transit encryption. * Removes the JSON serialization extension we had on the `RootKey` struct; this struct is now only used for key replication and not for disk serialization, so we don't need this helper. * Creates a helper for generating cryptographically random slices of bytes that properly accounts for short reads from the source. * No observable functional changes outside of the on-disk format, so there are no test updates. |
||
|---|---|---|
| .. | ||
| args | ||
| boltdd | ||
| broker | ||
| bufconndialer | ||
| codec | ||
| constraints/semver | ||
| crypto | ||
| discover | ||
| envoy | ||
| escapingfs | ||
| escapingio | ||
| fields | ||
| flags | ||
| flatmap | ||
| freeport | ||
| gated-writer | ||
| grpc-middleware/logging | ||
| ipaddr | ||
| logging | ||
| mount | ||
| noxssrw | ||
| pluginutils | ||
| pointer | ||
| pool | ||
| raftutil | ||
| snapshot | ||
| stats | ||
| testlog | ||
| testtask | ||
| tlsutil | ||
| useragent | ||
| uuid | ||
| winsvc | ||
| cluster.go | ||
| eof.go | ||
| funcs.go | ||
| funcs_test.go | ||