go-sqlcrypter is a Go package that enables sensitive data to be encrypted at rest within a relational database. A custom type EncryptedBytes is provided which implements the sql.Scanner and driver.Valuer interfaces, allowing data to be encrypted and decrypted when writing to and reading from a SQL database. Column-level encryption provides an additional layer of security.
The following encryption providers are supported:
Refer to each provider for documentation and examples.
    go get -u github.com/bincyber/go-sqlcrypter
Configure the encryption provider of your choice:
    // 32-byte sample key; load real keys from a secret store rather than hard-coding them.
    key := []byte("abcdef01234567899876543210fedcba")
    provider, err := aescrypter.New(key, nil)
    if err != nil {
        log.Fatalf("failed to initialize AES crypter. Error: %s", err)
    }
Initialize the sqlcrypter with the encryption provider:
    sqlcrypter.Init(provider)
Use the custom type EncryptedBytes for any sensitive data:
    type Employee struct {
        Name  string
        SSN   sqlcrypter.EncryptedBytes // encrypted on write, decrypted on read
        Email string
        Title string
    }

    func main() {
        e := &Employee{
            Name:  "Tony Stark",
            SSN:   sqlcrypter.NewEncryptedBytes("999-00-1234"),
            Email: "tony@starkindustries.com",
            Title: "Genius, Billionaire, Playboy, Philanthropist",
        }
        // Pass e.SSN as a query argument; only the SSN column is stored encrypted.
        _ = e
    }
For a full example, see example/main.go.
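What the sql.Scanner and driver.Valuer hooks described above do at the database boundary, as an added sketch that is not go-sqlcrypter's own code. SealedBytes, InitAEAD and the nonce-prefixed column layout are assumptions for illustration, with standard-library AES-GCM standing in for a provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"database/sql/driver"
	"fmt"
)

var aead cipher.AEAD // set once at startup, as the configured provider would be

func InitAEAD(key []byte) error { // AES-GCM; key must be 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err == nil {
		aead, err = cipher.NewGCM(block)
	}
	return err
}

// SealedBytes (hypothetical type): plaintext in memory, ciphertext in the column.
type SealedBytes []byte

// Value implements driver.Valuer; database/sql calls it on INSERT/UPDATE.
func (s SealedBytes) Value() (driver.Value, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, s, nil), nil // nonce || ciphertext || tag
}

// Scan implements sql.Scanner; database/sql calls it when reading a row.
func (s *SealedBytes) Scan(src interface{}) error {
	raw, ok := src.([]byte)
	if n := aead.NonceSize(); ok && len(raw) >= n {
		pt, err := aead.Open(nil, raw[:n], raw[n:], nil)
		*s = pt // nil when authentication fails (tampered data or wrong key)
		return err
	}
	return fmt.Errorf("SealedBytes: want []byte with nonce prefix, got %T", src)
}

func main() { // constructed round trip using the page's sample key and SSN
	_ = InitAEAD([]byte("abcdef01234567899876543210fedcba"))
	col, _ := SealedBytes("999-00-1234").Value()
	var ssn SealedBytes
	err := ssn.Scan(col)
	fmt.Println(string(ssn), err)
}
```

Because the nonce is random, the same plaintext yields a different column value on every write, so an encrypted column of this kind cannot be matched with an equality predicate in SQL.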
docker-compose is used to help with local development and testing. See testing/docker-compose.yml.
To bring up the development environment:
    make dev/up
    make terraform/apply
To run the test suite:
    make go/test
Contributions of new encryption providers (e.g., Azure Key Vault, GCP KMS, etc.) are more than welcome!
The source code for this library is licensed under the MIT license, which you can find in the LICENSE file.