
Add support for AWS KMS asymmetric keypair backend #33

Merged (1 commit), Aug 15, 2021

Conversation

syndbg (Member) commented Aug 15, 2021

No description provided.

weitzj left a comment

As a suggestion:
Maybe you want to look at Google/tink to incorporate various KMS services.

You would also benefit from AEAD to protect against chosen-ciphertext attacks. And using tink you get key rotation.

syndbg (Member, Author) commented Aug 15, 2021

@weitzj Definitely looks like a step in the right direction.

I was mostly intrigued by the key parsing format and the underlying parser support.

   keyURI = "gcp-kms://projects/tink-examples/locations/global/keyRings/foo/cryptoKeys/bar"

I'll probably invest a bit of time in evaluating google/tink.

Currently, the plan is to get this PR merged to release an MVP AWS KMS enc/dec support for 0.3.0*

syndbg force-pushed the add-kms-support branch 3 times, most recently from 45f4420 to e980e6d (August 15, 2021 23:37)
syndbg merged commit eff300b into master (Aug 15, 2021)
syndbg deleted the add-kms-support branch (August 15, 2021 23:50)
weitzj commented Aug 17, 2021

I have an internal tool using google tink with AWS KMS and envelope encryption (KMS uses a symmetric key which does the envelope wrapping for a tink HybridKeyset (asymmetric)).

Key rotation is done on tink keysets.
Using the tink context I can mix encrypted and decrypted data while having the data signed by tink (verify integrity of metadata),
e.g. you could have a “namespace” as a public value of your secret and you can make sure only CODEOWNERS for said namespace are allowed to create their secrets.
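The envelope-plus-metadata layout described in the comment above, and the earlier point that AEAD fails closed on a modified ciphertext, as an added Go example that is neither this PR's code nor Tink's: standard-library AES-GCM stands in for both the KMS symmetric key (a local 32-byte KEK) and the Tink keyset, and the namespace is passed as associated data on both layers so a stored secret cannot be re-labelled into another namespace without detection. The names seal, open, Encrypt and Decrypt and the local KEK are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must unwraps calls that only fail on programmer error or a broken system RNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal is AES-GCM with a fresh nonce prepended; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open fails closed: a modified ciphertext, tag or aad returns an error and no data.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt makes a fresh DEK per secret, seals the payload under the DEK and the DEK
// under the KEK (the KMS Encrypt call in a real setup); ns is associated data on both.
func Encrypt(kek []byte, ns string, pt []byte) (wrappedDEK, ct []byte) {
	dek := make([]byte, 32) // local stand-in: in production the KEK lives in KMS
	must(rand.Read(dek))
	return seal(kek, dek, []byte(ns)), seal(dek, pt, []byte(ns))
}

// Decrypt unwraps the DEK under the namespace, then the payload under the DEK.
func Decrypt(kek []byte, ns string, wrappedDEK, ct []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(ns))
	if err != nil {
		return nil, err
	}
	return open(dek, ct, []byte(ns))
}
```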
