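// Copyright 2019 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package hcvault_test

import (
	"crypto/tls"
	"log"
	"os"

	"github.com/google/tink/go/aead"
	"github.com/google/tink/go/integration/hcvault"
)

// Example encrypts and decrypts a message with envelope encryption, using a
// key under the Vault path transit/keys as the key-encryption key (KEK).
func Example() {
	// The same URI is given to NewClient and to GetAEAD below.
	const keyURI = "hcvault://hcvault.corp.com:8200/transit/keys/key-1"

	vaultClient, err := hcvault.NewClient(keyURI, tlsConfig(), vaultToken())
	if err != nil {
		log.Fatal(err)
	}
	kekAEAD, err := vaultClient.GetAEAD(keyURI)
	if err != nil {
		log.Fatal(err)
	}

	// dekTemplate describes the data-encryption key; kekAEAD is the
	// Vault-backed primitive handed to the envelope AEAD alongside it.
	// NewKMSEnvelopeAEAD2 returns no error, so there is nothing to check here.
	dekTemplate := aead.AES128CTRHMACSHA256KeyTemplate()
	a := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD)

	plaintext := []byte("plaintext")
	// Associated data is authenticated but not encrypted; Decrypt must be
	// called with the same value or it fails.
	associatedData := []byte("associatedData")

	ciphertext, err := a.Encrypt(plaintext, associatedData)
	if err != nil {
		log.Fatal(err)
	}

	// The recovered plaintext is discarded; the example only demonstrates
	// that decryption succeeds.
	_, err = a.Decrypt(ciphertext, associatedData)
	if err != nil {
		log.Fatal(err)
	}
}

// tlsConfig returns the TLS configuration used to communicate with the Vault
// server via HTTPS.
//
// Certificate verification is left enabled. If the Vault server certificate
// is issued by a private CA, set RootCAs to a pool holding that CA rather
// than setting InsecureSkipVerify.
func tlsConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// vaultToken returns the Vault token used to authenticate to the server.
//
// The token is read from the VAULT_TOKEN environment variable so that it is
// not hard-coded in source or committed to version control. An empty string
// is returned when the variable is unset.
func vaultToken() string {
	return os.Getenv("VAULT_TOKEN")
}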