in client/client.go [517:581]
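// Encrypt encrypts everything read from input and writes a STET blob to
// output in three parts, in order: the STET header (carrying the metadata
// length), the serialized metadata, and the AEAD ciphertext.
//
// A fresh data encryption key (DEK) is generated per call, split into
// shares according to the EncryptConfig's KeyConfig, and the shares are
// wrapped with the configured key-encryption keys / asymmetric keys /
// Confidential Space settings via c.wrapShares. The metadata (blob ID, key
// config and the wrapped shares) is also used as the AEAD associated data,
// so the ciphertext is cryptographically bound to the metadata that
// precedes it.
//
// blobID is used as-is when non-empty; otherwise a random UUID is generated.
//
// Returns a StetMetadata holding the key URIs used for wrapping and the
// blob ID that was written. Returns an error if the EncryptConfig is nil or
// if any key, serialization, or write step fails. Errors are wrapped, so
// callers may inspect the underlying cause with errors.Is / errors.As.
//
// NOTE: output is written to incrementally; if an error occurs after the
// header or metadata has been written, output holds a partial blob that
// the caller should discard.
func (c *StetClient) Encrypt(ctx context.Context, input io.Reader, output io.Writer, stetConfig *configpb.StetConfig, blobID string) (*StetMetadata, error) {
	config := stetConfig.GetEncryptConfig()
	if config == nil {
		return nil, fmt.Errorf("nil EncryptConfig passed to Encrypt()")
	}
	keyCfg := config.GetKeyConfig()

	// A new DEK per blob; it never leaves this process unwrapped.
	dataEncryptionKey := shares.NewDEK()
	// Named dekShares (not shares) so the local does not shadow the shares package.
	dekShares, err := shares.CreateDEKShares(dataEncryptionKey, keyCfg)
	if err != nil {
		return nil, fmt.Errorf("error creating DEK shares: %w", err)
	}

	// Set blob ID if specified, otherwise generate UUID.
	if blobID == "" {
		blobID = uuid.NewString()
	}

	// Create metadata. The wrapped shares are attached below, before the
	// metadata is turned into AAD, so they are covered by the AEAD tag too.
	metadata := &configpb.Metadata{BlobId: blobID, KeyConfig: keyCfg}

	var keyURIs []string
	opts := sharesOpts{
		kekInfos:        keyCfg.GetKekInfos(),
		asymmetricKeys:  stetConfig.GetAsymmetricKeys(),
		confSpaceConfig: c.newConfSpaceConfig(stetConfig),
	}
	metadata.Shares, keyURIs, err = c.wrapShares(ctx, dekShares, opts)
	if err != nil {
		return nil, fmt.Errorf("error wrapping shares: %w", err)
	}

	// Create AAD from metadata. Binding the metadata to the ciphertext means a
	// modified metadata section cannot pass AEAD verification on decrypt.
	aad, err := MetadataToAAD(metadata)
	if err != nil {
		return nil, fmt.Errorf("error serializing metadata: %w", err)
	}

	// Marshal the metadata into serialized bytes.
	metadataBytes, err := proto.Marshal(metadata)
	if err != nil {
		return nil, fmt.Errorf("failed to serialize metadata: %w", err)
	}

	// Write the header and metadata to `output`.
	if err := WriteSTETHeader(output, len(metadataBytes)); err != nil {
		return nil, fmt.Errorf("failed to write encrypted file header: %w", err)
	}
	if _, err := output.Write(metadataBytes); err != nil {
		return nil, fmt.Errorf("failed to write metadata: %w", err)
	}

	// Pass `output` to the AEAD encryption function to write the ciphertext.
	if err := AeadEncrypt(dataEncryptionKey, input, output, aad); err != nil {
		return nil, fmt.Errorf("error encrypting data: %w", err)
	}

	return &StetMetadata{
		KeyUris: keyURIs,
		BlobID:  metadata.GetBlobId(),
	}, nil
}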