...

Aries Agents should be able to plug in a Crypto module and a KMS module and use their services regardless of how each is implemented. This will let an agent integrate crypto operations, as well as key manipulation and querying, with minimal change.

Tink, a library created to make crypto easy for non-cryptographers, is a strong candidate: it offers pluggable crypto operations and supports integration with multiple KMS solutions such as AWS KMS, GCP (Google Cloud KMS) and the Android Keystore. It supports multiple languages, including Go. Tink wraps the crypto functions in a KMS so that the client never sees secrets, and gives the client a simpler API that makes it harder to break your crypto.

The plan is to have two interfaces in two sub-directories under pkg/plugins, one for Crypto and the other for KMS. These interfaces will serve as wrappers around Tink operations such as Encrypt(), Decrypt(), Sign() and Verify(). Tink also supports key wrapping using ECDH, but its scheme does not match ECDH-1PU.
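The following Go sketch is an added example of the two-interface split described above; it is not code from the Aries project or from Tink. The method sets of `Crypto` and `KMS`, the type names (`memKMS`, `memCrypto`, `NewMemKMS`) and the key-ID format are assumptions made for the example. The standard library's AES-GCM and Ed25519 stand in for the Tink primitives so the block runs offline; a Tink-backed implementation would satisfy the same interfaces without the agent code changing. The point it demonstrates is the security boundary the page argues for: agent code only ever handles key IDs, key bytes stay inside the KMS, and a key created for one purpose cannot be used for another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Crypto is the agent-facing interface: only key IDs cross it, never key bytes.
type Crypto interface { // method set is this example's assumption, not the Aries API
	Encrypt(keyID string, plaintext, aad []byte) ([]byte, error)
	Decrypt(keyID string, ciphertext, aad []byte) ([]byte, error)
	Sign(keyID string, msg []byte) ([]byte, error)
	Verify(keyID string, msg, sig []byte) (bool, error)
}

type KMS interface { // owns key material and hands out opaque IDs, one key per purpose
	CreateAEADKey() (string, error)
	CreateSigningKey() (string, error)
}

// memKMS stands in for a real backend (Tink keyset, cloud KMS); one map per purpose.
type memKMS struct {
	aeads   map[string]cipher.AEAD
	signers map[string]ed25519.PrivateKey
}

func NewMemKMS() *memKMS { return &memKMS{map[string]cipher.AEAD{}, map[string]ed25519.PrivateKey{}} }

func (k *memKMS) CreateAEADKey() (string, error) {
	raw := make([]byte, 32) // AES-256 key; it never leaves the KMS
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	id := fmt.Sprintf("aead-%d", len(k.aeads)+1) // constructed ID scheme
	k.aeads[id] = aead
	return id, nil
}

func (k *memKMS) CreateSigningKey() (string, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	id := fmt.Sprintf("sign-%d", len(k.signers)+1)
	k.signers[id] = priv
	return id, nil
}

type memCrypto struct{ kms *memKMS } // stdlib stand-in for the Tink primitives

func (c *memCrypto) Encrypt(keyID string, pt, aad []byte) ([]byte, error) {
	aead, ok := c.kms.aeads[keyID]
	if !ok {
		return nil, fmt.Errorf("no AEAD key %q", keyID)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, aad), nil // nonce || ciphertext || tag
}

func (c *memCrypto) Decrypt(keyID string, ct, aad []byte) ([]byte, error) {
	aead, ok := c.kms.aeads[keyID]
	if !ok {
		return nil, fmt.Errorf("no AEAD key %q", keyID)
	}
	if ns := aead.NonceSize(); len(ct) >= ns {
		return aead.Open(nil, ct[:ns], ct[ns:], aad) // fails on any tampering of ct or aad
	}
	return nil, fmt.Errorf("ciphertext too short: %d bytes", len(ct))
}

func (c *memCrypto) Sign(keyID string, msg []byte) ([]byte, error) {
	priv, ok := c.kms.signers[keyID]
	if !ok {
		return nil, fmt.Errorf("no signing key %q", keyID)
	}
	return ed25519.Sign(priv, msg), nil
}

func (c *memCrypto) Verify(keyID string, msg, sig []byte) (bool, error) {
	priv, ok := c.kms.signers[keyID]
	if !ok {
		return false, fmt.Errorf("no signing key %q", keyID)
	}
	return ed25519.Verify(priv.Public().(ed25519.PublicKey), msg, sig), nil
}
```

To use it, create a `memKMS` with `NewMemKMS()`, wrap it in `&memCrypto{kms: ...}` and hold it as a `Crypto` value; the agent then calls `CreateAEADKey` or `CreateSigningKey` and passes the returned ID to `Encrypt`, `Decrypt`, `Sign` and `Verify`. Keeping separate maps per purpose is what makes the purpose check free: a signing key ID simply does not exist in the AEAD map, so cross-use fails at lookup rather than relying on callers to remember which key is which.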