func encryptionKeyInit()

in cmd/hub/crypto/crypto.go [73:125]


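// encryptionKeyInit selects a key source and returns the key material for it.
//
// ver is the marker byte of an existing encrypted payload, or 0 when no
// marker is known yet. blob is the per-payload key blob: for the password
// scheme it is used directly as the PBKDF2 salt, and for the KMS / Key Vault
// schemes it is passed through to the provider helper.
// NOTE(review): presumably blob is empty when encrypting and holds the stored
// salt or wrapped key when decrypting; confirm against the callers.
//
// It returns, in order: the marker byte of the scheme actually used, the blob
// to store next to the ciphertext (salt or provider-encrypted key), and the
// clear key. The clear key is secret material and should never be logged or
// persisted by callers.
//
// When ver is 0 and several sources are configured, the first match wins in
// this order: password, AWS KMS, Azure Key Vault, GCP KMS.
//
// An error is returned when the scheme named by ver has no matching
// configuration, when no source is configured at all, when ver is not one of
// the known markers, or when salt generation or the provider call fails.
func encryptionKeyInit(ver byte, blob []byte) (byte, []byte, []byte, error) {
	// A payload that names a scheme can only be handled with that scheme's
	// configuration, so fail early with the setting the operator must supply.
	if ver == encryptionV1MarkerByte1 && config.CryptoPassword == "" {
		return 0, nil, nil,
			fmt.Errorf("Set %s", helpPassword)
	}
	if ver == encryptionV2MarkerByte1 && config.CryptoAwsKmsKeyArn == "" {
		return 0, nil, nil,
			fmt.Errorf("Set %s", helpAwsKms)
	}
	if ver == encryptionV3MarkerByte1 && config.CryptoAzureKeyVaultKeyId == "" {
		return 0, nil, nil,
			fmt.Errorf("Set %s", helpAzukeKeyvault)
	}
	if ver == encryptionV4MarkerByte1 && config.CryptoGcpKmsKeyName == "" {
		return 0, nil, nil,
			fmt.Errorf("Set %s", helpGcpKms)
	}

	// V1: key derived from the configured password.
	if config.CryptoPassword != "" && (ver == 0 || ver == encryptionV1MarkerByte1) {
		salt := blob
		if len(salt) == 0 {
			// No salt supplied: generate a fresh random one.
			// NOTE(review): rand is expected to be crypto/rand; confirm
			// against the file's imports, math/rand is not suitable here.
			salt = make([]byte, encryptionV1SaltLen)
			_, err := rand.Read(salt)
			if err != nil {
				return 0, nil, nil, err
			}
		}
		// NOTE(review): a non-empty blob is used as the salt without checking
		// that its length is encryptionV1SaltLen; confirm callers slice it
		// to the expected size.
		//
		// SECURITY: PBKDF2-HMAC-SHA1 with 4096 iterations is well below
		// current password-hashing guidance. The parameters are left as-is
		// because changing them alters the derived key and would make
		// existing V1 payloads undecryptable; a stronger KDF needs its own
		// marker byte and a migration path.
		key := pbkdf2.Key([]byte(config.CryptoPassword), salt, 4096, aes256KeySize, sha1.New)
		return encryptionV1MarkerByte1, salt, key, nil
	}

	// V2: data key handled by AWS KMS.
	if config.CryptoAwsKmsKeyArn != "" && (ver == 0 || ver == encryptionV2MarkerByte1) {
		clearKey, encryptedKey, err := aws.KmsKey(config.CryptoAwsKmsKeyArn, blob)
		if err != nil {
			return 0, nil, nil, err
		}
		return encryptionV2MarkerByte1, encryptedKey, clearKey, nil
	}

	// V3: data key handled by Azure Key Vault.
	if config.CryptoAzureKeyVaultKeyId != "" && (ver == 0 || ver == encryptionV3MarkerByte1) {
		clearKey, encryptedKey, err := azure.KeyvaultKey(config.CryptoAzureKeyVaultKeyId, blob)
		if err != nil {
			return 0, nil, nil, err
		}
		return encryptionV3MarkerByte1, encryptedKey, clearKey, nil
	}

	// V4: data key handled by GCP KMS.
	if config.CryptoGcpKmsKeyName != "" && (ver == 0 || ver == encryptionV4MarkerByte1) {
		clearKey, encryptedKey, err := gcp.KmsKey(config.CryptoGcpKmsKeyName, blob)
		if err != nil {
			return 0, nil, nil, err
		}
		return encryptionV4MarkerByte1, encryptedKey, clearKey, nil
	}

	// Reached when nothing is configured, and also when ver is a non-zero
	// byte that matches none of the known markers. The hint lists every
	// supported source; the original message left out GCP KMS.
	return 0, nil, nil,
		fmt.Errorf("Set %s or %s or %s or %s", helpPassword, helpAwsKms, helpAzukeKeyvault, helpGcpKms)
}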