// NOTE(review): this listing is a collapsed outline. Every body and type
// definition is elided ("…"), so the comments below describe only what the
// signatures and the original doc comments establish.
func init() { … }

type Service …

type envelopeTransformer …

// NewEnvelopeTransformer returns a transformer which implements a KEK-DEK based envelope encryption scheme.
// It uses envelopeService to encrypt and decrypt DEKs. Each DEK, in encrypted form, is prepended to
// the data item it encrypts. A cache (of size cacheSize) is maintained to store the most recently
// used decrypted DEKs in memory.
//
// baseTransformerFunc builds the data transformer from a cipher.Block.
//
// NOTE(review): the cache holds plaintext key material in process memory, so cacheSize bounds how
// many decrypted DEKs are resident at once. The eviction policy and the handling of a zero or
// negative cacheSize are not visible here. Confirm both.
func NewEnvelopeTransformer(envelopeService Service, cacheSize int, baseTransformerFunc func(cipher.Block) (value.Transformer, error)) value.Transformer { … }

// TransformFromStorage decrypts data encrypted by this transformer using envelope encryption.
//
// NOTE(review): data comes from storage and, per the scheme described on NewEnvelopeTransformer,
// carries the encrypted DEK as a prefix. The parsing is elided. Confirm that the prefix length is
// bounds-checked against len(data) before any slicing.
// NOTE(review): the meaning of the bool result is not shown here. It is presumably the staleness
// flag of value.Transformer. Confirm against that interface.
func (t *envelopeTransformer) TransformFromStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, bool, error) { … }

// TransformToStorage encrypts data to be written to disk using envelope encryption.
//
// NOTE(review): whether a fresh DEK is generated for every write, and how dataCtx is bound to the
// ciphertext, cannot be determined from this outline. Verify in the body.
func (t *envelopeTransformer) TransformToStorage(ctx context.Context, data []byte, dataCtx value.Context) ([]byte, error) { … }

var _ …

// addTransformer inserts a new transformer into the envelope cache of DEKs for future reads.
//
// NOTE(review): presumably encKey is the encrypted DEK used as the cache key and key is the
// plaintext DEK. Confirm, and confirm that key is not retained or logged beyond building the
// transformer.
func (t *envelopeTransformer) addTransformer(encKey []byte, key []byte) (value.Transformer, error) { … }

// getTransformer fetches the transformer corresponding to encKey from the cache, if it exists.
//
// NOTE(review): the value returned on a cache miss is not shown (presumably nil). Callers must
// handle that case.
func (t *envelopeTransformer) getTransformer(encKey []byte) value.Transformer { … }

// generateKey generates a random key of the given length using system randomness.
//
// NOTE(review): the body is elided. Confirm the source is crypto/rand rather than math/rand, and
// that a short or failed read is returned as err instead of yielding a partially filled key.
func generateKey(length int) (key []byte, err error) { … }