Module roughenough::kms
Protect the server’s long-term key with envelope encryption and a key management system.
Note: KMS support must be enabled at compile time; see Roughenough’s documentation on optional features for instructions.
Motivation
The seed for the server’s long-term key is subject to contradictory requirements:
- The seed must be kept secret, but
- The seed must be available at server start-up to create the delegated on-line key
Plaintext seed
The default option is to store the seed in plaintext as part of the server’s configuration. This usually means the seed is present in the clear: on disk, in a repository, or otherwise durably persisted where it can be compromised (accidentally or maliciously).
Encrypting the seed
Envelope encryption protects the seed by encrypting it with a locally generated 256-bit Data Encryption Key (DEK). The DEK itself is then encrypted using a cloud key management system (KMS). The resulting opaque encrypted “blob” (encrypted seed + encrypted DEK) is stored in the Roughenough configuration.
At server start-up the KMS is used to decrypt the DEK, which is then used, in memory, to decrypt the seed. The seed is used to generate the delegated on-line key, after which both the seed and the DEK are erased from memory.
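The wrap/unwrap flow described above, as an added example that is not Roughenough’s own code: a fresh 256-bit DEK protects the seed, a stand-in KMS object wraps the DEK, and both ciphertexts are stored as one blob that is opened in reverse at start-up. The AEAD here is a stand-in built from HMAC-SHA256 (encrypt-then-MAC) so the example runs on the standard library; Roughenough uses its own cipher, and the function and class names are assumptions.

```python
import hmac, hashlib, secrets, struct

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

def aead_seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in AEAD: random nonce, XOR keystream, HMAC tag over nonce || ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_open(key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKms:
    """Stand-in for a cloud KMS (hypothetical): holds the key-encryption key and never exposes it."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
    def wrap(self, plaintext_dek: bytes) -> bytes:   # returns the encrypted (wrapped) DEK
        return aead_seal(self._kek, plaintext_dek)
    def unwrap(self, encrypted_dek: bytes) -> bytes:  # returns the plaintext DEK
        return aead_open(self._kek, encrypted_dek)

def encrypt_seed(kms, seed: bytes) -> bytes:
    # Envelope: seed under a fresh 256-bit DEK, DEK under the KMS.
    # Blob layout (constructed for this example): len(wrapped DEK) || wrapped DEK || encrypted seed.
    dek = secrets.token_bytes(32)
    wrapped = kms.wrap(dek)
    return struct.pack(">H", len(wrapped)) + wrapped + aead_seal(dek, seed)

def decrypt_seed(kms, blob: bytes) -> bytes:
    # Start-up path: KMS unwraps the DEK, then the DEK decrypts the seed in memory.
    n = struct.unpack(">H", blob[:2])[0]
    dek = kms.unwrap(blob[2:2 + n])
    return aead_open(dek, blob[2 + n:])
```

Zeroizing the seed and DEK afterwards, which the module requires, is not reliably possible with Python byte strings and is left out here.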
See:
- EnvelopeEncryption for Roughenough’s implementation.
- Google or Amazon for more in-depth explanations of envelope encryption.
Structs
Envelope encryption of the long-term key seed value.
Enums
Errors generated by KMS operations
Traits
A key management system that wraps/unwraps a data encryption key (DEK).
Functions
Load the seed value for the long-term key.
Type Definitions
A Data Encryption Key (DEK) that has been encrypted (wrapped) by a Key Management System (KMS).
An unencrypted (plaintext) 256-bit Data Encryption Key (DEK).