Implement KMS AWS master key loading #552
Conversation
Draft implementation of KMS MasterKey Loading
Fixed cli flags descriptions
keystore/keyloader/kms/kms_loader.go (outdated)
	}

	var encryptor kms.Encryptor
	switch keyID.Prefix() {
Hm, it pushes me to think about registries. What about using the registries approach here, as we did for CryptoHandlers? Turn the implementation on with a build tag and register it at start? For example:
type EncryptorFactoryMethod interface {
	ID() string // key identifier prefix this factory serves, e.g. "aws-kms"
	New(credentialPath string) (kms.Encryptor, error)
}
// or type EncryptorFactoryMethod func(credentialPath string) (kms.Encryptor, error)
var lock sync.Mutex
var encryptors = map[string]EncryptorFactoryMethod{} // initialised, a nil map panics on write

func RegisterEncryptor(encryptor EncryptorFactoryMethod) {
	lock.Lock()
	encryptors[encryptor.ID()] = encryptor
	lock.Unlock()
}
Then we can use:
func NewLoader(credentialPath, keyIdentifierURI string) (*Loader, error) {
	keyID, err := kms.NewKeyIdentifierFromURI(keyIdentifierURI)
	if err != nil {
		return nil, err
	}
	// look up by the key ID prefix, which is what the registry is keyed on
	encryptorFactory, ok := encryptors[keyID.Prefix()]
	if !ok {
		log.Errorln("Unknown key ID")
		return nil, fmt.Errorf("unknown key ID prefix %q", keyID.Prefix())
	}
	encryptor, err := encryptorFactory.New(credentialPath) // or encryptorFactory(credentialPath)
	if err != nil {
		return nil, err
	}
	return &Loader{encryptor: encryptor}, nil // Loader field name assumed for the sketch
}
Then our AWS implementation should have:
func init() {
	kms.RegisterEncryptor(someFactoryFunction)
}
With such an approach we can extend it with enterprise KMS support.
Additionally, we can make a default loader that does nothing with the master key (the current approach, where an env variable stores the resulting master key; this implementation will return the master key as-is in the Encrypt/Decrypt methods), registered by default, and +1 with AWS. Then the current loader will be consistent with the new approach.
And +1 pro for that: it will be able to cut AWS support and all its dependencies via build tags, even in the CE version. If a client doesn't need AWS KMS support, it can compile with a build tag that turns it off. The resulting binary size and number of dependencies will be smaller.
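A complete, runnable version of the registry design proposed in the comment above, added here as an illustration; it is not code from this PR or from the Acra project. The names Encryptor, EncryptorFactory, RegisterEncryptor, KeyIdentifier, Loader and the plain:// and aws-kms:// URI schemes are assumptions modelled on the sketch. It supplies what the sketch leaves implicit: the map is initialised, the lookup is keyed by the key URI's scheme, an unknown scheme returns an error instead of only logging, duplicate registration fails loudly, and the "do nothing" default loader is registered from init; the AWS variant is described only as the build-tag layout it would use.

```go
package main

import (
	"fmt"
	"net/url"
	"sync"
)

// Encryptor wraps and unwraps the master key with a KMS. All names here are
// assumptions modelled on the review comment, not Acra's actual kms package.
type Encryptor interface {
	Encrypt(plaintext []byte) ([]byte, error)
	Decrypt(ciphertext []byte) ([]byte, error)
}

// EncryptorFactory is the function form of the factory the comment sketches.
type EncryptorFactory func(credentialPath string) (Encryptor, error)

var registryMu sync.RWMutex
var encryptors = map[string]EncryptorFactory{} // a nil map would panic on write

// RegisterEncryptor registers a factory under the key-URI scheme it serves;
// registering a scheme twice is a programming error and fails loudly.
func RegisterEncryptor(scheme string, factory EncryptorFactory) {
	registryMu.Lock()
	defer registryMu.Unlock()
	if _, dup := encryptors[scheme]; dup {
		panic("kms: encryptor already registered for scheme " + scheme)
	}
	encryptors[scheme] = factory
}

// KeyIdentifier is a parsed key URI such as "aws-kms://alias/acra-master":
// the scheme selects the encryptor, the remainder names the key in that KMS.
type KeyIdentifier struct{ Scheme, ID string }

// NewKeyIdentifierFromURI parses the URI and rejects one without a scheme.
func NewKeyIdentifierFromURI(raw string) (KeyIdentifier, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return KeyIdentifier{}, err
	}
	if u.Scheme == "" {
		return KeyIdentifier{}, fmt.Errorf("kms: key identifier %q has no scheme", raw)
	}
	return KeyIdentifier{Scheme: u.Scheme, ID: u.Host + u.Path}, nil
}

// Loader unwraps the master key through the encryptor chosen by the key URI.
type Loader struct {
	KeyID     KeyIdentifier
	encryptor Encryptor
}

// NewLoader is the registry-driven constructor from the comment, with the
// missing return on an unknown scheme and the scheme-keyed lookup in place.
func NewLoader(credentialPath, keyIdentifierURI string) (*Loader, error) {
	keyID, err := NewKeyIdentifierFromURI(keyIdentifierURI)
	if err != nil {
		return nil, err
	}
	registryMu.RLock()
	factory, ok := encryptors[keyID.Scheme]
	registryMu.RUnlock()
	if !ok {
		return nil, fmt.Errorf("kms: no encryptor registered for scheme %q", keyID.Scheme)
	}
	enc, err := factory(credentialPath)
	if err != nil {
		return nil, err
	}
	return &Loader{KeyID: keyID, encryptor: enc}, nil
}

// LoadMasterKey returns the unwrapped master key.
func (l *Loader) LoadMasterKey(wrapped []byte) ([]byte, error) { return l.encryptor.Decrypt(wrapped) }

// plainEncryptor is the comment's default "do nothing" loader: the master key
// comes back as-is, matching the existing environment-variable flow.
type plainEncryptor struct{}

func (plainEncryptor) Encrypt(b []byte) ([]byte, error) { return b, nil }
func (plainEncryptor) Decrypt(b []byte) ([]byte, error) { return b, nil }

func init() {
	RegisterEncryptor("plain", func(string) (Encryptor, error) { return plainEncryptor{}, nil })
	// An AWS encryptor would live in its own file under a build constraint
	// (e.g. //go:build aws_kms) and register "aws-kms" from that file's init,
	// so a build without the tag carries neither the code nor the AWS SDK.
}

func main() {
	loader, err := NewLoader("", "plain://master")
	if err != nil {
		panic(err)
	}
	key, _ := loader.LoadMasterKey([]byte("constructed-master-key")) // constructed sample input
	fmt.Printf("loaded %d-byte master key via %s\n", len(key), loader.KeyID.Scheme)
}
```

Asking for an aws-kms:// key in a build that never registered that scheme fails at NewLoader with a clear error rather than at first use, which is the property that makes the build-tag split safe to ship.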
Added integrations tests to cover KMS functionality
Fixed after review
lgtm
Refactor AWS KMS MasterKey Loader to decrypt with alias
Fixed after review
lgtm
Implementation of KMS AWS MasterKey Loading.
Checklist
with new changes