Fact.Encryption.KEKProvider behaviour (Fact v0.4.1)


Behaviour for providing Key Encryption Keys (KEKs) at runtime.

A KEK provider is responsible for supplying the key used to unwrap the Data Encryption Key (DEK) when a database is opened. The DEK is stored in the .bootstrap file in wrapped (encrypted) form and must be unwrapped before the database can read or write encrypted record files.

Implementations

Summary

Types

opts()

Options passed to fetch_kek/1. The shape depends on the provider implementation.

t()

A module implementing the Fact.Encryption.KEKProvider behaviour.

Callbacks

fetch_kek(opts)

Fetches the Key Encryption Key.

Types

opts()

(since 0.4.0)
@type opts() :: keyword()

Options passed to fetch_kek/1. The shape depends on the provider implementation.

t()

(since 0.4.0)
@type t() :: module()

A module implementing the Fact.Encryption.KEKProvider behaviour.

Callbacks

fetch_kek(opts)

(since 0.4.0)
@callback fetch_kek(opts()) :: {:ok, binary()} | {:error, term()}

Fetches the Key Encryption Key.

Returns {:ok, kek} where kek is a binary encryption key, or {:error, reason} if the key cannot be retrieved.
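One way to implement this callback, as an added example that is not code from the Fact project: a provider that reads a Base64-encoded KEK from an environment variable and validates it before returning it. The module name `MyApp.EnvKEKProvider`, the `:var` and `:bytes` options, the `FACT_KEK` variable name, the 32-byte default length and the error reasons are all assumptions made for illustration; the behaviour itself only fixes the `fetch_kek/1` signature and return shape.

```elixir
defmodule MyApp.EnvKEKProvider do
  @moduledoc """
  Hypothetical KEK provider (not part of Fact): reads a Base64-encoded
  key from an environment variable and checks its length.
  """
  @behaviour Fact.Encryption.KEKProvider

  # Assumed defaults; the behaviour only requires opts to be a keyword list.
  @default_var "FACT_KEK"
  @default_bytes 32

  @impl true
  def fetch_kek(opts) do
    var = Keyword.get(opts, :var, @default_var)
    bytes = Keyword.get(opts, :bytes, @default_bytes)

    # Any failing step falls through and is returned as {:error, reason}.
    with {:ok, encoded} <- read_env(var),
         {:ok, kek} <- decode(encoded),
         :ok <- check_length(kek, bytes) do
      {:ok, kek}
    end
  end

  # An unset or empty variable is reported by name, never by value.
  defp read_env(var) do
    case System.get_env(var) do
      nil -> {:error, {:kek_not_set, var}}
      "" -> {:error, {:kek_not_set, var}}
      value -> {:ok, String.trim(value)}
    end
  end

  # Error reasons carry no key material, so callers can log them safely.
  defp decode(encoded) do
    case Base.decode64(encoded) do
      {:ok, kek} -> {:ok, kek}
      :error -> {:error, :kek_not_base64}
    end
  end

  # Reject truncated or padded keys before they reach the unwrap step.
  defp check_length(kek, bytes) when byte_size(kek) == bytes, do: :ok

  defp check_length(kek, bytes),
    do: {:error, {:kek_wrong_length, byte_size(kek), bytes}}
end
```

Failing closed with a descriptive `{:error, reason}` keeps a misconfigured deployment from attempting to unwrap the DEK with a malformed key.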