Fact.KeyRing (Fact v0.4.0)

View Source

Holds the Data Encryption Key (DEK) in memory for a database instance.

The Fact.KeyRing is started as part of the Fact.DatabaseSupervisor when the database is configured with encryption. At startup, it unwraps the DEK using the configured Fact.Encryption.KEKProvider and holds it in memory for the lifetime of the database.

The encrypted Fact.Seam.FileWriter.Encrypted.V1 and Fact.Seam.FileReader.Encrypted.V1 retrieve the DEK via get_dek/1.

Summary

Types

option()

Functions

generate_dek()

Generates a random 256-bit DEK.

get_dek(database_id)

Retrieves the DEK for the given database.

unwrap_dek(arg1, kek)

Unwraps a DEK using a KEK.

wrap_dek(dek, kek)

Wraps a DEK with a KEK using AES-256-GCM.

Types

option()

(since 0.4.0) 
@type option() ::
  {:database_id, Fact.database_id()}
  | {:wrapped_dek, binary()}
  | {:kek, binary()}
  | {:name, GenServer.name()}

Functions

generate_dek()

(since 0.4.0) 
@spec generate_dek() :: binary()

Generates a random 256-bit DEK.

get_dek(database_id)

(since 0.4.0) 
@spec get_dek(Fact.database_id()) :: {:ok, binary()} | {:error, term()}

Retrieves the DEK for the given database.

unwrap_dek(arg1, kek)

(since 0.4.0) 
@spec unwrap_dek(wrapped_dek :: binary(), kek :: binary()) ::
  {:ok, binary()} | {:error, term()}

Unwraps a DEK using a KEK.

Expects the wrapped DEK format: <<nonce::12-bytes, auth_tag::16-bytes, ciphertext::binary>>.

wrap_dek(dek, kek)

(since 0.4.0) 
@spec wrap_dek(dek :: binary(), kek :: binary()) :: binary()

Wraps a DEK with a KEK using AES-256-GCM.

Returns the wrapped DEK as <<nonce::12-bytes, auth_tag::16-bytes, ciphertext::binary>>.