Field Level Encryption from the Go SDK
Field Level Encryption is available in Couchbase Data Platform 5.5.
Packaging
The Couchbase Go SDK uses the gocbencryption
library to provide functionality for encryption and decryption.
go get github.com/couchbase/gocbencryption
The Couchbase Go Field Level Encryption (FLE) library uses struct tags to specify which field(s) to apply encryption to and which algorithm to use.
The struct tag key is cbcrypt
and the value is of the form "provider"
.
Here’s an example struct definition:
type PersonAddress struct {
HouseName string `json:"houseName"`
StreetName string `json:"streetName"`
}
type Person struct {
FirstName string `json:"firstName"`
LastName string `json:"lastName"`
Password string `json:"password" cbcrypt:"myAESProvider"`
Address PersonAddress `json:"address" cbcrypt:"myAESProvider"`
}
Configuration
You need to create a Key Store, a Provider, and a Transcoder. The provider is used to perform encyption/decryption and the transcoder is responsible for using the provider during operations. You can register multiple (uniquely aliased) providers with a transcoder. After installing the dependency you need to set up your Key Store, Provider, and Transcoder (note that the alias name of the provider matches the struct tags):
keyStore := &gocbfieldcrypt.InsecureKeystore{
Keys: map[string][]byte{
"mypublickey": []byte("!mysecretkey#9^5usdk39d&dlf)03sL"),
"myhmackey": []byte("myauthpassword"),
},
}
aesProvider := &gocbfieldcrypt.AesCryptoProvider{
Alias: "myAESProvider",
KeyStore: keyStore,
Key: "mypublickey",
HmacKey: "myhmackey",
}
coder := gocbfieldcrypt.Transcoder{}
coder.Register("myAESProvider", aesProvider)
Next you need to create a configuration to connect to your cluster and set your transcoder on the bucket:
cluster, _ := gocb.Connect("…")
cluster.Authenticate(…)
bucket, _ := cluster.openBucket("…", "")
bucket.SetTranscoder(&coder)
Transparent operation
You can then perform KV operations as usual and your data will be encrypted/decrypted automatically:
person := Person{
FirstName: "Barry",
LastName: "Sheen",
Password: "bang!",
Address: PersonAddress{
HouseName: "my house",
StreetName: "my street",
},
}
bucket.Upsert("p1", person, 0)