I used to struggle with encrypting data from Go using Azure Key Vault because there was very little material on it, so here is a brief summary.
First, the Azure authentication code. NewAuthorizerFromEnvironment() reads the following environment variables:
Environment variable | Explanation |
---|---|
AZURE_TENANT_ID | Azure tenant ID |
AZURE_CLIENT_ID | Azure client ID |
AZURE_CERTIFICATE_PATH | Certificate path for authentication |
AZURE_CERTIFICATE_PASSWORD | Password that unlocks the authentication certificate; treat it as a secret (do not commit it, and keep it out of logs and shell history) |
azure.go (azure authentication code)
package auth
import (
"log"
ka "github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
"github.com/Azure/go-autorest/autorest"
)
var (
	// AzureAuthorizer is built once in init() from the AZURE_* environment
	// variables and is shared by every Key Vault client in this program.
	AzureAuthorizer autorest.Authorizer
)
// init constructs the shared authorizer from the AZURE_* environment
// variables. A failure is fatal on purpose: nothing in this program can
// talk to Key Vault without it, so failing fast at start-up is safer than
// failing on the first request.
func init() {
	authorizer, err := ka.NewAuthorizerFromEnvironment()
	if err != nil {
		log.Fatal(err)
	}
	AzureAuthorizer = authorizer
}
Next is the encryption / decryption implementation; it only calls the methods Azure provides. The principal that authenticates above must be granted the Key Vault key permissions it actually uses (encrypt and decrypt) through an access policy or RBAC role — grant only those, not full key management. The following environment variables are required.
Environment variable | Explanation |
---|---|
AZURE_VAULT_BASE_URL | Azure Key Vault base URL, including the scheme (https://xxx.vault.azure.net) |
AZURE_VAULT_GENERAL_KEY_NAME | Default key name used for unspecified encryption |
key.go Encryption / decryption processing
package vault
import (
	"context"
	"errors"
	"log"
	"os"

	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"

	"./auth"
)
var (
	// VaultBaseURL is the Key Vault endpoint, read from AZURE_VAULT_BASE_URL
	// in init(); every Encrypt/Decrypt call is sent to this vault.
	VaultBaseURL string
	// GeneralKeyName is the key used by GeneralEncrypt/GeneralDecrypt, read
	// from AZURE_VAULT_GENERAL_KEY_NAME in init().
	GeneralKeyName string
)
// init loads the vault location and the default key name from the
// environment. A missing value is fatal because every Encrypt/Decrypt
// call in this package depends on both.
func init() {
	VaultBaseURL = requiredEnv("AZURE_VAULT_BASE_URL")
	GeneralKeyName = requiredEnv("AZURE_VAULT_GENERAL_KEY_NAME")
}

// requiredEnv returns the value of the named environment variable, or
// terminates the process with a message naming the variable when it is
// unset or empty.
func requiredEnv(name string) string {
	value := os.Getenv(name)
	if value == "" {
		log.Fatal("Please set environment variable \"" + name + "\"")
	}
	return value
}
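// Encrypt asks Key Vault to encrypt plain with the named key using
// RSA-OAEP-256; the key never leaves the vault.
//
// keyName selects a key in VaultBaseURL. keyVersion selects a specific
// version of that key, or the current version when "". plain must not be
// nil; it is the value in the form the Key Vault REST API expects (a
// base64url-encoded string rather than raw bytes — NOTE(review): confirm
// against the SDK docs for this API version).
//
// Because the operation is plain RSA-OAEP, the payload must be shorter than
// the key modulus minus the OAEP overhead. Use this to wrap a data key or a
// small secret, not to encrypt bulk data.
//
// Returns the operation result — Result holds the ciphertext and Kid the
// identifier of the exact key version used — or the request error.
func Encrypt(keyName string, keyVersion string, plain *string) (kv.KeyOperationResult, error) {
	// Reject nil early instead of sending a request with no value.
	if plain == nil {
		return kv.KeyOperationResult{}, errors.New("vault: Encrypt called with nil plaintext")
	}
	params := kv.KeyOperationsParameters{
		Algorithm: kv.RSAOAEP256,
		Value:     plain,
	}
	c := kv.New()
	c.Authorizer = auth.AzureAuthorizer
	// No caller-supplied deadline: a hung request blocks until the SDK's
	// transport gives up on it.
	return c.Encrypt(context.Background(), VaultBaseURL, keyName, keyVersion, params)
}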
// GeneralEncrypt encrypts plain with the current version of the default
// key named by AZURE_VAULT_GENERAL_KEY_NAME. See Encrypt for the expected
// form of plain and the returned result.
func GeneralEncrypt(plain *string) (kv.KeyOperationResult, error) {
	// An empty version asks Key Vault for the key's current version.
	const currentVersion = ""
	return Encrypt(GeneralKeyName, currentVersion, plain)
}
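// Decrypt asks Key Vault to decrypt encrypted with the named key using
// RSA-OAEP-256.
//
// keyName selects a key in VaultBaseURL. keyVersion must be the version
// the ciphertext was produced with (the last path segment of the Kid
// returned by Encrypt), or "" for the current version — which only works
// while the key has not been rotated since encryption. encrypted must not
// be nil; like Encrypt's input it is the string form the Key Vault REST API
// expects (base64url — NOTE(review): confirm against the SDK docs).
//
// Returns the operation result, whose Result holds the recovered value, or
// the request error.
func Decrypt(keyName string, keyVersion string, encrypted *string) (kv.KeyOperationResult, error) {
	// Reject nil early instead of sending a request with no value.
	if encrypted == nil {
		return kv.KeyOperationResult{}, errors.New("vault: Decrypt called with nil ciphertext")
	}
	params := kv.KeyOperationsParameters{
		Algorithm: kv.RSAOAEP256,
		Value:     encrypted,
	}
	c := kv.New()
	c.Authorizer = auth.AzureAuthorizer
	// No caller-supplied deadline: a hung request blocks until the SDK's
	// transport gives up on it.
	return c.Decrypt(context.Background(), VaultBaseURL, keyName, keyVersion, params)
}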
// GeneralDecrypt decrypts encrypted with the default key named by
// AZURE_VAULT_GENERAL_KEY_NAME. keyVersion is the version the data was
// encrypted under (take it from the Kid of the Encrypt result), or "" for
// the current version.
func GeneralDecrypt(keyVersion string, encrypted *string) (kv.KeyOperationResult, error) {
	name := GeneralKeyName
	return Decrypt(name, keyVersion, encrypted)
}
main.go
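// Key Vault takes the value as a string, so the raw bytes are encoded
// before the call and decoded again after the round trip.
plain := hex.EncodeToString([]byte("plain text"))
enc, err := vault.GeneralEncrypt(&plain)
if err != nil {
	panic(err) // example only; real code should return the error
}
encrypted := *enc.Result
keyName := vault.GeneralKeyName
// Pin decryption to the key version that actually produced the
// ciphertext: Kid is the full key identifier URL and its last path
// segment is the version. This keeps old data decryptable after rotation.
keyVersion := path.Base(*enc.Kid)
dec, err := vault.Decrypt(keyName, keyVersion, &encrypted)
if err != nil {
	panic(err)
}
str, err := hex.DecodeString(*dec.Result)
if err != nil {
	panic(err)
}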