package keyspace_encryptionpb

Get desktop application:
View/edit binary Protocol Buffers messages

Describes a data key that is used to encrypt user data. The data key itself is encrypted by the master key.

Used in: EncryptionMeta

• bytes ciphertext = 1

  The encrypted data key.

Describes one encryption epoch: a versioned period during which a specific data key is used to encrypt user files.

Used in: EncryptionMeta

• uint64 file_id = 1

  The file ID of the encryption meta associated with this epoch.

• uint32 data_key_id = 2

  The data key ID used to encrypt the file.

• uint64 created_at = 3

  The timestamp when this epoch was created (Unix time, seconds).

Top-level metadata that describes the encryption info for a keyspace.

• uint32 keyspace_id = 1

• optional EncryptionEpoch current = 2

  The current encryption epoch, containing the active data key.

• optional MasterKey master_key = 3

  The master key used to encrypt the data keys in this meta file.

• map<uint32, DataKey> data_keys = 4

  All known data keys for the keyspace, indexed by their data_key_id.

• repeated EncryptionEpoch history = 5

  Previous encryption epochs (ordered by creation time), useful for auditing or key recovery.

Describes the encrypted master key and its associated CMEK metadata. With the CMEK info here it's possible to decrypt the master key.

Used in: EncryptionMeta

• string vendor = 1

  The KMS vendor (e.g., "aws-kms").

• string cmek_id = 2

  CMEK identifier.

• string region = 3

  The region of the KMS service, if applicable.

• string endpoint = 4

  The endpoint of the KMS service, if applicable.

• bytes ciphertext = 5

  The encrypted master key.