{"id":48536164,"url":"https://github.com/hashicorp/vault-envelope-encryption-sdk","last_synced_at":"2026-04-08T02:01:08.776Z","repository":{"id":349634051,"uuid":"1093774299","full_name":"hashicorp/vault-envelope-encryption-sdk","owner":"hashicorp","description":null,"archived":false,"fork":false,"pushed_at":"2026-04-06T20:52:28.000Z","size":246,"stargazers_count":0,"open_issues_count":7,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-06T22:23:55.840Z","etag":null,"topics":["doormat-managed"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hashicorp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-10T20:27:28.000Z","updated_at":"2026-04-06T17:22:41.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hashicorp/vault-envelope-encryption-sdk","commit_stats":null,"previous_names":["hashicorp/vault-envelope-encryption-sdk"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/hashicorp/vault-envelope-encryption-sdk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-envelope-encryption-sdk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-envelope-encryption-sdk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-envelope-encryption-sdk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-envelope-encryption-sdk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hashicorp","download_url":"https://codeload.github.com/hashicorp/vault-envelope-encryption-sdk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fvault-envelope-encryption-sdk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31536473,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"online","status_checked_at":"2026-04-08T02:00:06.127Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["doormat-managed"],"created_at":"2026-04-08T02:01:04.839Z","updated_at":"2026-04-08T02:01:08.767Z","avatar_url":"https://github.com/hashicorp.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vault Envelope Encryption SDK\n\nThis SDK provides utilities for using Vault Transit keys for large file encryption.\n\nThe use of the SDK requires a Vault Enterprise instance with the Transit secrets\nengine enabled. There must be an AES key available in Transit for data key encryption.\n\nThe tests expect a Vault dev server with root token `root`.\n\n## Usage\n\n### Key Management\n\nThe `KeyProvider` interface manages keys for envelope encryption. The `GetKeyPair`\nfunction will return a `KeyPair` struct containing a plaintext data key and the\ncorresponding encryption of the data key using the Transit key. The `DecryptKeyPair`\nfunction takes in a ciphertext and uses the Transit key to decrypt the data key.\n\nEach `KeyProvider` must be configured with a Vault client that is authenticated to\nVault and has permission to read Transit keys and encrypt and decrypt with Transit\nkeys.\n\n### `TransitKeyProvider`\nThe `TransitKeyProvider` uses the Transit secrets engine to generate and encrypt data\nkeys. The `GetKeyPair` function uses the `datakeys` endpoint to generate a new data key\nand encrypt it using the Transit key in its configuration. Each call to `GetKeyPair`\ngenerates a new data key. The `EDK` field contains the encrypted data key, which can be\ndecrypted using the `DecryptKeyPair` function.\n\n#### Example\n```go\nkp, err := NewTransitKeyProvider(ProviderConfig{\n\tClient:    client, // a Vault client authenticated to Vault\n\tCacheSize: 1,\n\tKeyName:   \"test-key\",\n\tBackend:   \"transit\",\n})\n```\n\n### `ScheduledKeyProvider`\nThe `ScheduledKeyProvider` uses the configured Transit key for both key derivation and\nencryption. The `NewScheduledKeyProvider` function creates all the data keys for\nthe provider at construction time. The `DaysPast`, `DaysFuture`, and `DailyKeyInterval`\nparameters determine how many keys it requests from Transit. Starting from `DaysPast`\ndays in the past and going until `DaysFuture` days in the future, it uses the Transit\n`derivedkeys` endpoint to generate keys for each day. The number of keys for each day\nis `24*time.Hour/DailyKeyInterval` (e.g., a `DailyKeyInterval` of `8*time.Hour` will\ncreate 3 keys per day).\n\nEach call to `GetKeyPair` uses the current time to determine which key to return.\nThis means that two calls to `GetKeyPair` that fall within the same interval will\nreturn the same key.\n\n#### Example\n```go\nkp, err := NewScheduledKeyProvider(ProviderConfig{\n\tClient:           client, // a Vault client authenticated to Vault\n\tCacheSize:        1,\n\tKeyName:          \"test-key\",\n\tBackend:          \"transit\",\n\tDaysPast:         1,\n\tDaysFuture:       1,\n\tDailyKeyInterval: 12*time.Hour,\n})\n```\n\n### Encryption and Decryption\n\nEncryption and decryption operations use the `tink` library for streaming encryption.\n\n`NewEncryptingWriter` uses the provided `KeyProvider` to generate a DEK then uses the\nDEK to create a writer that encrypts data with `AES-GCM`. The ciphertext is prepended\nwith a magic value followed by a header. The header contains the EDK and metadata\ndescribing the Transit key that produced the ciphertext.\n\n`NewDecryptingReader` reads the EDK from the header and uses the provided `KeyProvider`\nto decrypt it. If `headerOut` is provided, it will write the header to the channel.\nIt then returns a reader that decrypts data as it reads.\n\n#### Example\n```go\nf, err := os.Open(ciphertextPath)\n//handle err\n\nw, err := NewEncryptingWriter(kp, f, nil, nil)\n//handle err\n\nw.Write([]byte(\"test plaintext\"))\nw.Close()\n\nr, err := os.Open(ciphertextPath)\n//handle err\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fvault-envelope-encryption-sdk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhashicorp%2Fvault-envelope-encryption-sdk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fvault-envelope-encryption-sdk/lists"}