Go to Qiita Advent Calendar 2024 Top
LoginSignup
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

@noridas80in株式会社フェアーウェイ

golang から Azure KeyVault を使ってデータを暗号/復号する

Posted at

はじめに

以前 golang から Azure KeyValut を使用してデータを暗号化するのに、資料がなくて困ったので簡単にまとめました。

やってみよう

必用なもの

  • Azureアカウント
  • Azure KeyValut用プリンシパル

KeyVault暗号/復号用コード

まずは Azure 認証用のコードです。
NewAuthorizerFromEnvironment() での認証には以下の環境変数が必用です。

環境変数 説明
AZURE_TENANT_ID AzureのテナントID
AZURE_CLIENT_ID AzureのクライアントID
AZURE_CERTIFICATE_PATH 認証用証明書のパス
AZURE_CERTIFICATE_PASSWORD 認証用証明書の復号パスワード
azure.go (azure認証用コード)
package auth

import (
	"log"

	ka "github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
	"github.com/Azure/go-autorest/autorest"
)

var (
	AzureAuthorizer autorest.Authorizer
)

func init() {
	var err error
	AzureAuthorizer, err = ka.NewAuthorizerFromEnvironment()
	if err != nil {
		log.Fatal(err)
	}
}

次に暗号/復号処理の実装です。
といっても、Azure が用意したメソッドを実行するだけです。
以下の環境変数が必用です。

環境変数 説明
AZURE_VAULT_BASE_URL Azure KeyVault のベースURL(xxx.vault.azure.net)
AZURE_VAULT_GENERAL_KEY_NAME 鍵名未指定の暗号に使用するデフォルト鍵名
key.go 暗号/復号処理
package vault

import (
	"context"
	"log"
	"os"

	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
	"./auth"
)

var (
	VaultBaseURL   string
	GeneralKeyName string
)

func init() {
	VaultBaseURL = os.Getenv("AZURE_VAULT_BASE_URL")
	if len(VaultBaseURL) == 0 {
		log.Fatal("Please set environment variable \"AZURE_VAULT_BASE_URL\"")
	}
	GeneralKeyName = os.Getenv("AZURE_VAULT_GENERAL_KEY_NAME")
	if len(GeneralKeyName) == 0 {
		log.Fatal("Please set environment variable \"AZURE_VAULT_GENERAL_KEY_NAME\"")
	}
}

// keyVersion = "" -> use current key version
func Encrypt(keyName string, keyVersion string, plain *string) (kv.KeyOperationResult, error) {
	params := kv.KeyOperationsParameters{
		Algorithm: kv.RSAOAEP256,
		Value:     plain,
	}

	c := kv.New()
	c.Authorizer = auth.AzureAuthorizer
	return c.Encrypt(context.Background(), VaultBaseURL, keyName, keyVersion, params)
}

// keyVersion = "" -> use current key version
func GeneralEncrypt(plain *string) (kv.KeyOperationResult, error) {
	return Encrypt(GeneralKeyName, "", plain)
}

// keyVersion = "" -> use current key version
func Decrypt(keyName string, keyVersion string, encrypted *string) (kv.KeyOperationResult, error) {
	params := kv.KeyOperationsParameters{
		Algorithm: kv.RSAOAEP256,
		Value:     encrypted,
	}

	c := kv.New()
	c.Authorizer = auth.AzureAuthorizer
	return c.Decrypt(context.Background(), VaultBaseURL, keyName, keyVersion, params)
}

// keyVersion = "" -> use current key version
func GeneralDecrypt(keyVersion string, encrypted *string) (kv.KeyOperationResult, error) {
	return Decrypt(GeneralKeyName, keyVersion, encrypted)
}

実行例

main.go
	plain := hex.EncodeToString([]byte("plain text"))
	enc, _ := vault.GeneralEncrypt(&plain)

	encrypted := *enc.Result
	keyName := vault.GeneralKeyName
	keyVersion := path.Base(*enc.Kid)

	dec, _ := vault.Decrypt(keyName, keyVersion, &encrypted)
	str, _ := hex.DecodeString(*dec.Result)
0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?