Skip to content

wip: HPKE #757

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
SgtCoDFish wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

wip: HPKE #757

SgtCoDFish wants to merge 1 commit into from

Conversation

@SgtCoDFish
Copy link
Contributor

@SgtCoDFish SgtCoDFish commented Jan 19, 2026
edited
Loading

Summary

This PR introduces cryptographic infrastructure to encrypt secrets transmitted by the disco-agent, implementing support for HPKE (Hybrid Public Key Encryption) as the primary encryption mechanism.

Motivation

The disco-agent needs to encrypt sensitive secrets before transmitting them to the DisCo backend. This PR provides the cryptographic building blocks to enable end-to-end encryption of secrets, ensuring that sensitive data is protected in transit and at rest.

Note: This encryption is specifically for disco-agent and not for venafi-kubernetes-agent although the code here is not used in either agent yet.

What's Added

internal/hpke Package

Implements HPKE encryption/decryption using modern cryptographic standards:

  • Algorithm Suite: X25519 KEM (Key Encapsulation Mechanism), HKDF-SHA256 (Key Derivation Function), and AES-256-GCM (Authenticated Encryption)

    • KEM choice will ultimately depend on what key(s) we get from backend, so X25519 as a "default" is entirely arbitrary here

  • Core Components:

    • Encryptor: Encrypts data using HPKE public keys
    • Decryptor: Decrypts data using HPKE private keys (not strictly needed but helpful for testing)
    • EncryptedData: Contains encapsulated key and ciphertext

  • Features:

    • Standard encryption with Encrypt()
    • Encryption with application-specific context via EncryptWithInfo()
    • Encryption with additional authenticated data via EncryptWithAAD()
    • Corresponding decryption methods with matching parameters
    • Key pair generation helper for testing

  • Testing: Comprehensive test coverage including round-trip encryption/decryption, various data sizes, non-deterministic behavior, error cases, and authentication failure scenarios

Why HPKE?

HPKE is a modern IETF standard (RFC 9180) that combines key encapsulation and authenticated encryption in a single, efficient operation. Benefits over traditional approaches:

  • Integrated design: Combines KEM and AEAD in one protocol
  • Modern cryptography: Uses fast ECC, and can easily be extended for post-quantum support
  • Standardized: IETF RFC with multiple implementations
  • Flexible: Supports additional authenticated data and application-specific context binding

Dependencies

  • Added filippo.io/hpke v0.4.0 - Go implementation of HPKE
    • NB: HPKE is being added to the Go stdlib in go1.26, based on this implementation
    • Ultimately, once Go 1.26 lands we'll upgrade to that and use the stdlib

Next Steps

This PR provides the cryptographic primitives needed for disco-agent secret encryption. Future work will integrate these components into the disco-agent communication flow to encrypt sensitive data in transit.

@SgtCoDFish
wip: hpke
1bcbc93 
Signed-off-by: Ashley Davis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SgtCoDFish