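// Source: github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/encryption/encryption.go

package encryption

import (
	"encoding/base64"
	"fmt"
	"strings"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/terraform-plugin-sdk/internal/vault/helper/pgpkeys"
)

// RetrieveGPGKey returns the PGP key specified as the pgpKey parameter, or queries
// the public key from the keybase service if the parameter is a keybase username
// prefixed with the phrase "keybase:"
//
// A value without the "keybase:" prefix is returned unchanged; it is not parsed
// or validated here. For a keybase lookup the function fails closed: if the
// lookup succeeds but yields no key for pgpKey, an error is returned instead of
// an empty key with a nil error.
//
// NOTE(review): nothing in this file checks the fetched key against an expected
// fingerprint. Callers that need to know which key was used should compare the
// fingerprint returned by EncryptValue with the one they expect.
//
// Deprecated: This function will be removed in v2 without replacement. Please
// see https://www.terraform.io/docs/extend/best-practices/sensitive-state.html#don-39-t-encrypt-state
// for more information.
func RetrieveGPGKey(pgpKey string) (string, error) {
	const keybasePrefix = "keybase:"

	// Anything that is not a keybase reference is treated as the key itself.
	if !strings.HasPrefix(pgpKey, keybasePrefix) {
		return pgpKey, nil
	}

	publicKeys, err := pgpkeys.FetchKeybasePubkeys([]string{pgpKey})
	if err != nil {
		return "", errwrap.Wrapf(fmt.Sprintf("Error retrieving Public Key for %s: {{err}}", pgpKey), err)
	}

	// The result map is indexed by the full "keybase:<user>" string. A missing
	// or empty entry must not be handed back as a usable key.
	encryptionKey, ok := publicKeys[pgpKey]
	if !ok || encryptionKey == "" {
		return "", fmt.Errorf("Error retrieving Public Key for %s: no public key was returned", pgpKey)
	}

	return encryptionKey, nil
}

// EncryptValue encrypts the given value with the given encryption key. Description
// should be set such that errors return a meaningful user-facing response.
//
// On success it returns the first fingerprint reported by pgpkeys.EncryptShares
// and the first encrypted share encoded with base64.StdEncoding. The description
// is copied into error messages, so it should name the value, never contain it.
//
// Deprecated: This function will be removed in v2 without replacement. Please
// see https://www.terraform.io/docs/extend/best-practices/sensitive-state.html#don-39-t-encrypt-state
// for more information.
func EncryptValue(encryptionKey, value, description string) (string, string, error) {
	fingerprints, encryptedValue, err :=
		pgpkeys.EncryptShares([][]byte{[]byte(value)}, []string{encryptionKey})
	if err != nil {
		return "", "", errwrap.Wrapf(fmt.Sprintf("Error encrypting %s: {{err}}", description), err)
	}

	// Guard the [0] accesses below: an empty result with a nil error would
	// otherwise panic instead of surfacing an error to the caller.
	if len(fingerprints) == 0 || len(encryptedValue) == 0 {
		return "", "", fmt.Errorf("Error encrypting %s: no encrypted value was returned", description)
	}

	return fingerprints[0], base64.StdEncoding.EncodeToString(encryptedValue[0]), nil
}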