Interface EncryptionStorageManager

All Superinterfaces:
AutoCloseable, SafeCloseable
All Known Implementing Classes:
NoopEncryptionStorageManager
public interface EncryptionStorageManager extends SafeCloseable
Manages the storage of encrypted data at rest.

  • Method Details

    • of

      static EncryptionStorageManager of(CentralDogmaConfig cfg)
      Creates a new EncryptionStorageManager instance.

    • of

      static EncryptionStorageManager of(Path path, boolean encryptSessionCookie, String kekId)
      Creates a new EncryptionStorageManager instance.

    • enabled

      boolean enabled()
      Returns true if the encryption is enabled.

    • encryptSessionCookie

      boolean encryptSessionCookie()
      Returns true if the session cookie should be encrypted.

    • kekId

      String kekId()
      Returns the ID of the key encryption key (KEK).

    • generateWdek

      CompletableFuture<String> generateWdek()
      Generates a new data encryption key (DEK) and wraps it.

    • generateSessionMasterKey

      CompletableFuture<SessionMasterKey> generateSessionMasterKey(int version)
      Generates a new session master key.

    • storeSessionMasterKey

      void storeSessionMasterKey(SessionMasterKey sessionMasterKey)
      Stores the session master key.

    • getCurrentSessionMasterKey

      SessionMasterKey getCurrentSessionMasterKey()
      Returns the current session master key.

    • getCurrentSessionKey

      CompletableFuture<SessionKey> getCurrentSessionKey()
      Returns the current session key that is derived from the current session master key.

    • getSessionKey

      CompletableFuture<SessionKey> getSessionKey(int version)
      Returns the session key for the specified version.

    • rotateSessionMasterKey

      void rotateSessionMasterKey(SessionMasterKey sessionMasterKey)
      Rotates the session master key.

    • wdeks

      List<WrappedDekDetails> wdeks()
      Returns all wrapped data encryption keys (WDEKs).

    • getDek

      SecretKey getDek(String projectName, String repoName, int version)
      Returns the data encryption key (DEK) for the specified project and repository.

    • getCurrentDek

      SecretKeyWithVersion getCurrentDek(String projectName, String repoName)
      Returns the current wrapped data encryption key (WDEK) for the specified project and repository.

    • storeWdek

      void storeWdek(WrappedDekDetails wdekDetails)
      Stores the wrapped data encryption key (WDEK) for the WrappedDekDetails.projectName() and WrappedDekDetails.repoName(). This raises an exception if the WDEK already exists.

    • rotateWdek

      void rotateWdek(WrappedDekDetails wdekDetails)
      Rotates the wrapped data encryption key (WDEK) for the WrappedDekDetails.projectName() and WrappedDekDetails.repoName().

    • removeWdek

      void removeWdek(String projectName, String repoName, int version, boolean removeCurrent)
      Removes the wrapped data encryption key (WDEK) for the specified project and repository.

    • getObject

      byte @Nullable [] getObject(byte[] key, byte[] metadataKey)
      Returns the object associated with the specified key.

    • getObjectId

      byte @Nullable [] getObjectId(byte[] key, byte[] metadataKey)
      Returns the object ID bytes associated with the specified key.

    • getMetadata

      byte @Nullable [] getMetadata(byte[] metadataKey)
      Returns the value of the specified metadata key.

    • putObject

      void putObject(byte[] metadataKey, byte[] metadataValue, byte[] key, byte[] value)
      Stores the specified key-value object with metadata.

    • putObjectId

      void putObjectId(byte[] metadataKey, byte[] metadataValue, byte[] key, byte[] value, byte @Nullable [] previousKeyToRemove)
      Stores the specified key-value pair with metadata. The previousKeyToRemove will be removed.

    • containsMetadata

      boolean containsMetadata(byte[] key)
      Returns true if the specified key exists.

    • deleteObjectId

      void deleteObjectId(byte[] metadataKey, byte[] key)
      Deletes the specified keys.

    • deleteRepositoryData

      void deleteRepositoryData(String projectName, String repoName)
      Deletes all data related to the specified project and repository.

    • reencryptRepositoryData

      void reencryptRepositoryData(String projectName, String repoName)
      Re-encrypts all data for the specified repository with the current DEK version. This is typically called after a DEK rotation to ensure all data is encrypted with the latest key version.

    • getAllData

      @Deprecated Map<String, Map<String,byte[]>> getAllData()
      Deprecated.
      Do not use this method for production code as it may return a large amount of data.
      Returns all data stored in the encryption storage manager.

    • addSessionKeyListener

      void addSessionKeyListener(Consumer<SessionKey> listener)
      Adds a listener that is called when a new session key is stored.

    • addCurrentDekListener

      void addCurrentDekListener(String projectName, String repoName, Consumer<SecretKeyWithVersion> listener)
      Adds a listener that is called when the current DEK for a repository is updated or removed. The listener receives the project/repo key and the new DEK (or null if removed).

    • removeCurrentDekListener

      void removeCurrentDekListener(String projectName, String repoName)
      Removes a previously registered current DEK listener.

    • rewrapAllKeys

      CompletableFuture<Void> rewrapAllKeys(Executor executor)
      Rewraps all wrapped data encryption keys (WDEKs) and session master keys with the EncryptionConfig.kekId() specified in the configuration.
      Parameters:
      executor - the Executor to use for storing re-wrapped keys.