Module roughenough::kms
Protect the server's long-term key with envelope encryption and a key management system.
Note: KMS support must be enabled at compile time; see Roughenough's documentation on optional features for instructions.
Motivation
The seed for the server's long-term key is subject to contradictory requirements:
- The seed must be kept secret, but
- The seed must be available at server start-up to create the delegated on-line key
Plaintext seed
The default option is to store the seed in plaintext as part of the server's configuration. This usually means the seed is present in the clear: on disk, in a repository, or otherwise durably persisted where it can be compromised (accidentally or maliciously).
Encrypting the seed
Envelope encryption protects the seed by encrypting it with a locally generated 256-bit Data Encryption Key (DEK). The DEK itself is then encrypted using a cloud key management system (KMS). The resulting opaque encrypted "blob" (encrypted seed + encrypted DEK) is stored in the Roughenough configuration.
At server start-up the KMS is used to decrypt the DEK, which is then used to (in memory) decrypt the seed. The seed is used to generate the delegated on-line key after which the seed and DEK are erased from memory.
See:
- EnvelopeEncryption for Roughenough's implementation.
- Google or Amazon for more in-depth explanations of envelope encryption.
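An added example of the envelope scheme described above, written in Go with the standard library's AES-256-GCM (it is not Roughenough's own code, which is Rust). It assumes a `KmsProvider`-style interface that only wraps and unwraps the DEK, a stand-in `LocalKMS` whose in-process master key represents the cloud KMS, and shows both the encrypt-for-configuration path and the start-up path, each erasing the plaintext DEK once it is no longer needed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KmsProvider mirrors the trait on the page: the KMS only wraps/unwraps a DEK.
type KmsProvider interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}
type LocalKMS struct{ Master []byte } // stands in for a cloud KMS (assumption): the master key never leaves it
func (k LocalKMS) Wrap(dek []byte) ([]byte, error) { return sealGCM(k.Master, dek) }
func (k LocalKMS) Unwrap(w []byte) ([]byte, error) { return openGCM(k.Master, w) }
// EncryptSeed: fresh 256-bit DEK, seed sealed under it, DEK wrapped by the KMS, DEK erased.
func EncryptSeed(kms KmsProvider, seed []byte) (encDEK, encSeed []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return nil, nil, err }
	defer zero(dek) // the plaintext DEK must not outlive this call
	if encSeed, err = sealGCM(dek, seed); err != nil { return nil, nil, err }
	if encDEK, err = kms.Wrap(dek); err != nil { return nil, nil, err }
	return encDEK, encSeed, nil // together these form the opaque blob kept in the config
}
// LoadSeed is the start-up path: the KMS unwraps the DEK, the DEK decrypts the seed in memory.
func LoadSeed(kms KmsProvider, encDEK, encSeed []byte) ([]byte, error) {
	dek, err := kms.Unwrap(encDEK)
	if err != nil { return nil, err }
	defer zero(dek) // erase the DEK as soon as the seed is recovered
	return openGCM(dek, encSeed) // a tampered blob fails GCM's tag check here
}
// sealGCM/openGCM: AES-256-GCM with a random nonce; blob layout is nonce || ciphertext || tag.
func sealGCM(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, pt, nil), nil
}
func openGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("blob too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
func zero(b []byte) { for i := range b { b[i] = 0 } }
```

Because both layers are authenticated encryption, a modified or truncated blob, or a different KMS master key, produces an error at start-up instead of a silently wrong seed.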
Structs
EnvelopeEncryption: Envelope encryption of the long-term key seed value.
Enums
KmsError: Errors generated by KMS operations.
Traits
KmsProvider: A key management system that wraps/unwraps a data encryption key (DEK).
Functions
load_seed: Load the seed value for the long-term key.
Type Definitions
EncryptedDEK: A Data Encryption Key (DEK) that has been encrypted (wrapped) by a Key Management System (KMS).
PlaintextDEK: An unencrypted (plaintext) 256-bit Data Encryption Key (DEK).