Add global datastore encryption

Tobie Morgan Hitchcock 2016-07-18 23:00:01 +01:00
parent fd09bebedc
commit e1f1031cc7
9 changed files with 54 additions and 3 deletions


@ -22,6 +22,7 @@ import (
type DS struct { type DS struct {
db *bolt.DB db *bolt.DB
ck []byte
} }
func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) { func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) {
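Review bot: The new `ck []byte` field on DS has no comment, and it is the one field in the struct that holds secret material. I would document it, for example `// ck is the datastore-wide encryption key taken from opts.DB.Key; it is applied to every value in Put and CPut and must not be logged or exposed.` The same uncommented field is added to the two sql-backed DS structs further down this page. Txn's body continues outside the hunk.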


@ -42,6 +42,6 @@ func New(opts *cnf.Options) (ds kvs.DS, err error) {
return nil return nil
}) })
return &DS{db: db}, err return &DS{db: db, ck: opts.DB.Key}, err
} }
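Review bot: `ck: opts.DB.Key` in the returned DS stores the configured key unchecked and by reference: there is no length test, and the slice still aliases the options struct, so a later write to opts.DB.Key changes the key of a live datastore. How cryp.Encrypt treats an empty or wrong-length key is not visible here; if it passes data through or only fails when called, a misconfigured key would surface on the first Put rather than at startup, or not at all. I would reject an unusable key in New and store a copy, `ck: append([]byte(nil), opts.DB.Key...)`. The mysql and postgres New constructors on this page make the same assignment; New starts outside the hunk.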


@ -158,6 +158,11 @@ func (tx *TX) Put(key, val []byte) (err error) {
return return
} }
if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
err = &kvs.CKError{err}
return
}
if val, err = cryp.Encrypt(tx.ck, val); err != nil { if val, err = cryp.Encrypt(tx.ck, val); err != nil {
err = &kvs.CKError{err} err = &kvs.CKError{err}
return return
@ -195,6 +200,11 @@ func (tx *TX) CPut(key, val, exp []byte) (err error) {
return return
} }
if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
err = &kvs.CKError{err}
return
}
if val, err = cryp.Encrypt(tx.ck, val); err != nil { if val, err = cryp.Encrypt(tx.ck, val); err != nil {
err = &kvs.CKError{err} err = &kvs.CKError{err}
return return
@ -355,6 +365,12 @@ func get(tx *TX, key, val []byte) (kv *KV, err error) {
return return
} }
kv.val, err = cryp.Decrypt(tx.ds.ck, kv.val)
if err != nil {
err = &kvs.CKError{err}
return
}
kv.val, err = snap.Decode(kv.val) kv.val, err = snap.Decode(kv.val)
if err != nil { if err != nil {
err = &kvs.DBError{err} err = &kvs.DBError{err}
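Review bot: In get, the added `cryp.Decrypt(tx.ds.ck, kv.val)` runs on every value read, yet nothing in the stored record says whether it was written with a datastore key, or with which one. Values written before this commit, or before a change of the configured key, would then fail with CKError or, if cryp is not authenticated (not visible here), come out as garbage that snap.Decode rejects as a DBError. I would at least state the format next to the call, `// stored form is Encrypt(tx.ck, Encrypt(tx.ds.ck, val)); a datastore written under a different or absent ds key cannot be read`, and consider a version or key-id prefix so the key can be rotated. The same read path is added to get in the mysql and postgres sections; Put, CPut and get all start and end outside their hunks.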


@ -22,6 +22,7 @@ import (
type DS struct { type DS struct {
db *sql.DB db *sql.DB
ck []byte
} }
func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) { func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) {


@ -36,6 +36,6 @@ func New(opts *cnf.Options) (ds kvs.DS, err error) {
db, err = sql.Open("mysql", path) db, err = sql.Open("mysql", path)
return &DS{db: db}, err return &DS{db: db, ck: opts.DB.Key}, err
} }


@ -186,6 +186,11 @@ func (tx *TX) Put(key, val []byte) (err error) {
return return
} }
if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
err = &kvs.CKError{err}
return
}
if val, err = cryp.Encrypt(tx.ck, val); err != nil { if val, err = cryp.Encrypt(tx.ck, val); err != nil {
err = &kvs.CKError{err} err = &kvs.CKError{err}
return return
@ -218,6 +223,11 @@ func (tx *TX) CPut(key, val, exp []byte) (err error) {
return return
} }
if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
err = &kvs.CKError{err}
return
}
if val, err = cryp.Encrypt(tx.ck, val); err != nil { if val, err = cryp.Encrypt(tx.ck, val); err != nil {
err = &kvs.CKError{err} err = &kvs.CKError{err}
return return
@ -336,6 +346,12 @@ func get(tx *TX, key, val []byte) (kv *KV, err error) {
return return
} }
kv.val, err = cryp.Decrypt(tx.ds.ck, kv.val)
if err != nil {
err = &kvs.CKError{err}
return
}
kv.val, err = snap.Decode(kv.val) kv.val, err = snap.Decode(kv.val)
if err != nil { if err != nil {
err = &kvs.DBError{err} err = &kvs.DBError{err}
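Review bot: The five-line `cryp.Encrypt(tx.ds.ck, val)` block is pasted verbatim into Put and CPut here, and again in the boltdb and postgres sections, each time directly above the existing `cryp.Encrypt(tx.ck, val)` block. The layer order is security-relevant because the read path has to undo it in reverse, so six hand-maintained copies are easy to get out of step. A single helper shared by the backends, for example `func seal(dsKey, txKey, val []byte) ([]byte, error)` with a matching open used by get, would keep the order in one place. Put and CPut continue outside their hunks.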


@ -22,6 +22,7 @@ import (
type DS struct { type DS struct {
db *sql.DB db *sql.DB
ck []byte
} }
func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) { func (ds *DS) Txn(writable bool) (txn kvs.TX, err error) {


@ -36,6 +36,6 @@ func New(opts *cnf.Options) (ds kvs.DS, err error) {
db, err = sql.Open("postgres", path) db, err = sql.Open("postgres", path)
return &DS{db: db}, err return &DS{db: db, ck: opts.DB.Key}, err
} }


@ -186,6 +186,11 @@ func (tx *TX) Put(key, val []byte) (err error) {
return return
} }
if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
err = &kvs.CKError{err}
return
}
if val, err = cryp.Encrypt(tx.ck, val); err != nil { if val, err = cryp.Encrypt(tx.ck, val); err != nil {
err = &kvs.CKError{err} err = &kvs.CKError{err}
return return
@ -218,6 +223,11 @@ func (tx *TX) CPut(key, val, exp []byte) (err error) {
return return
} }
if val, err = cryp.Encrypt(tx.ds.ck, val); err != nil {
err = &kvs.CKError{err}
return
}
if val, err = cryp.Encrypt(tx.ck, val); err != nil { if val, err = cryp.Encrypt(tx.ck, val); err != nil {
err = &kvs.CKError{err} err = &kvs.CKError{err}
return return
@ -336,6 +346,12 @@ func get(tx *TX, key, val []byte) (kv *KV, err error) {
return return
} }
kv.val, err = cryp.Decrypt(tx.ds.ck, kv.val)
if err != nil {
err = &kvs.CKError{err}
return
}
kv.val, err = snap.Decode(kv.val) kv.val, err = snap.Decode(kv.val)
if err != nil { if err != nil {
err = &kvs.DBError{err} err = &kvs.DBError{err}