
cmd/kes: add support for migrating keys to minkms #465

Merged
merged 1 commit into from
Jun 7, 2024

Conversation


@aead aead commented Jun 6, 2024

This commit adds support for migrating keys to minkms via the kes migrate command. Migrating all keys
of a KES backend to a MinKMS server can be done as follows:

```
kes migrate --from src-config.yml --server 127.0.0.1:7373 --enclave minio --api-key k1:...
```

Currently, this implementation has the following limitations:

  • The HMAC key is not migrated. This requires support from MinKMS. However, HMAC keys are not used for S3 object encryption and have been added to KES recently.
  • Ciphertexts produced by KES cannot be decrypted auto. because they lack the key version prefix (e.g. 'v1:'). Future KES servers may use ciphertexts with key versions and MinKMS may accept a ciphertext without one.
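The second limitation above (ciphertexts without a key version prefix such as `v1:` cannot be decrypted automatically after the move to MinKMS) is something an operator can inventory before migrating. The Go snippet below is an added example, not code from this pull request or from KES; it assumes the prefix has the form `v<number>:`, generalised from the single `v1:` example in the description, and runs on constructed sample values.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// versionPrefix matches a key-version prefix such as "v1:" at the start of a
// ciphertext (assumption: grammar generalised from the PR's "v1:" example).
var versionPrefix = regexp.MustCompile(`^v([0-9]+):`)

// KeyVersion returns the key version from the prefix and true, or 0 and false
// for a legacy ciphertext that has no version prefix.
func KeyVersion(ciphertext string) (int, bool) {
	m := versionPrefix.FindStringSubmatch(ciphertext)
	if m == nil {
		return 0, false
	}
	v, err := strconv.Atoi(m[1])
	if err != nil {
		return 0, false
	}
	return v, true
}

type Inventory struct {
	Versioned int
	Legacy    []string // ciphertexts without a version prefix, in input order
}

// Audit classifies every ciphertext so the follow-up work can be sized
// before running `kes migrate`.
func Audit(ciphertexts []string) Inventory {
	var inv Inventory
	for _, ct := range ciphertexts {
		if _, ok := KeyVersion(ct); ok {
			inv.Versioned++
		} else {
			inv.Legacy = append(inv.Legacy, ct)
		}
	}
	return inv
}

func main() {
	// Constructed sample values, not real KES ciphertexts.
	inv := Audit([]string{"v1:Qm9i", "v2:YWxpY2U=", "Y2Fyb2w=", ""})
	fmt.Printf("versioned=%d legacy=%d\n", inv.Versioned, len(inv.Legacy))
}
```

Every entry in `Legacy` is one that would need to be re-wrapped or handled outside the automatic path after the migration.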

@aead aead requested review from shtripat and allanrogerr June 6, 2024 14:23
@aead aead force-pushed the migrate branch 3 times, most recently from 35afcc4 to 5ff5d1b June 6, 2024 14:29
This commit adds support for migrating keys to minkms
via the `kes migrate` command. Migrating all keys
of a KES backend to a MinKMS server can be done as follows:
```
kes migrate --from src-config.yml --server 127.0.0.1:7373 --enclave minio --api-key k1:...
```

Currently, this implementation has the following limitations:
 - The HMAC key is not migrated. This requires support from MinKMS.
   However, HMAC keys are not used for S3 object encryption and have
   been added to KES recently.
 - Ciphertexts produced by KES cannot be decrypted auto. because they
   lack the key version prefix (e.g. 'v1:'). Future KES servers may
   use ciphertexts with key versions and MinKMS may accept a ciphertext
   without one.

Signed-off-by: Andreas Auernhammer <[email protected]>

@shtripat shtripat left a comment


LGTM. One question.

internal/cli/exit.go: review comment (resolved)
@aead aead merged commit e9f73b9 into master Jun 7, 2024
8 checks passed
@aead aead deleted the migrate branch June 7, 2024 11:58
2 participants