diff --git a/content/acra/configuring-maintaining/general-configuration/acra-addzone.md b/content/acra/configuring-maintaining/general-configuration/acra-addzone.md index c3ad7758..ab10efd2 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-addzone.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-addzone.md @@ -61,6 +61,25 @@ weight: 10 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + + ### HashiCorp Vault `acra-addzone` can read `ACRA_MASTER_KEY` from HashiCorp Vault instead of environment variable. diff --git a/content/acra/configuring-maintaining/general-configuration/acra-backup.md b/content/acra/configuring-maintaining/general-configuration/acra-backup.md index 94526050..034617d1 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-backup.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-backup.md @@ -72,6 +72,25 @@ weight: 9 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + + #### HashiCorp Vault `acra-backup` can read `ACRA_MASTER_KEY` from HashiCorp Vault instead of environment variable. diff --git a/content/acra/configuring-maintaining/general-configuration/acra-keymaker.md b/content/acra/configuring-maintaining/general-configuration/acra-keymaker.md index a8efaaf8..01163fa1 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-keymaker.md 
+++ b/content/acra/configuring-maintaining/general-configuration/acra-keymaker.md @@ -87,6 +87,34 @@ By default, certificate Distinguished Name is used as ClientID. Output file is `configs/markdown_acra-keymaker.md`. Works in a pair with `--dump_config`. + +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_key_policy=` + + KMS usage key policy. + Supported key policies: + * `create` - create a key encryption key on KMS with name **acra_master_key** (***exit with code 1 if the key already exists***). Being used only with `generate_master_key` flag. + + Default is `create` + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + + ### HashiCorp Vault `acra-keymaker` can read `ACRA_MASTER_KEY` from HashiCorp Vault instead of environment variable. diff --git a/content/acra/configuring-maintaining/general-configuration/acra-keys/destroy.md b/content/acra/configuring-maintaining/general-configuration/acra-keys/destroy.md index 6b915e16..1f3e4980 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-keys/destroy.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-keys/destroy.md @@ -45,6 +45,24 @@ Since 0.91.0 `acra-keys` **`destroy`** doesn't support destroying keys and will Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + #### HashiCorp Vault 
diff --git a/content/acra/configuring-maintaining/general-configuration/acra-keys/export.md b/content/acra/configuring-maintaining/general-configuration/acra-keys/export.md index 08f02a08..1d214d21 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-keys/export.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-keys/export.md @@ -55,6 +55,24 @@ weight: 4 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + #### HashiCorp Vault diff --git a/content/acra/configuring-maintaining/general-configuration/acra-keys/generate.md b/content/acra/configuring-maintaining/general-configuration/acra-keys/generate.md index e155066a..fdbe1364 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-keys/generate.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-keys/generate.md @@ -69,6 +69,23 @@ weight: 2 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` ### HashiCorp Vault diff --git a/content/acra/configuring-maintaining/general-configuration/acra-keys/import.md b/content/acra/configuring-maintaining/general-configuration/acra-keys/import.md index 4d1397e0..f39a1117 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-keys/import.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-keys/import.md 
@@ -56,6 +56,24 @@ weight: 5 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + #### HashiCorp Vault diff --git a/content/acra/configuring-maintaining/general-configuration/acra-keys/list.md b/content/acra/configuring-maintaining/general-configuration/acra-keys/list.md index 3a19aff8..2235071c 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-keys/list.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-keys/list.md @@ -41,6 +41,24 @@ weight: 1 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + #### HashiCorp Vault diff --git a/content/acra/configuring-maintaining/general-configuration/acra-keys/migrate.md b/content/acra/configuring-maintaining/general-configuration/acra-keys/migrate.md index 2634575a..eb633ab5 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-keys/migrate.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-keys/migrate.md @@ -58,6 +58,24 @@ weight: 6 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + #### HashiCorp Vault 
diff --git a/content/acra/configuring-maintaining/general-configuration/acra-keys/read.md b/content/acra/configuring-maintaining/general-configuration/acra-keys/read.md index 69450f71..4159c7e7 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-keys/read.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-keys/read.md @@ -50,6 +50,23 @@ weight: 3 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` #### HashiCorp Vault diff --git a/content/acra/configuring-maintaining/general-configuration/acra-log-verifier.md b/content/acra/configuring-maintaining/general-configuration/acra-log-verifier.md index 0fba551d..32834c80 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-log-verifier.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-log-verifier.md @@ -107,6 +107,26 @@ It expects symmetric key to decrypt keys from keystore from `ACRA_MASTER_KEY` e Password to Redis database. + +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + + ### HashiCorp Vault * `--vault_connection_api_string=` diff --git a/content/acra/configuring-maintaining/general-configuration/acra-poisonrecordmaker.md b/content/acra/configuring-maintaining/general-configuration/acra-poisonrecordmaker.md index 631add9a..eb9c95a8 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-poisonrecordmaker.md 
+++ b/content/acra/configuring-maintaining/general-configuration/acra-poisonrecordmaker.md @@ -51,6 +51,25 @@ weight: 11 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + + ### HashiCorp Vault * `--vault_connection_api_string=` diff --git a/content/acra/configuring-maintaining/general-configuration/acra-rollback.md b/content/acra/configuring-maintaining/general-configuration/acra-rollback.md index 2cbb3639..9280a7bd 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-rollback.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-rollback.md @@ -92,6 +92,25 @@ Rollback utility especially applicable in case of any DB rollback - keys re-gene Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + + ### HashiCorp Vault `acra-addzone` can read `ACRA_MASTER_KEY` from HashiCorp Vault instead of environment variable. diff --git a/content/acra/configuring-maintaining/general-configuration/acra-rotate.md b/content/acra/configuring-maintaining/general-configuration/acra-rotate.md index 487c8c88..2cb9d59b 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-rotate.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-rotate.md 
@@ -98,6 +98,25 @@ weight: 8 Password to Redis database. +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + + #### HashiCorp Vault `acra-rotate` can read `ACRA_MASTER_KEY` from HashiCorp Vault instead of environment variable. diff --git a/content/acra/configuring-maintaining/general-configuration/acra-server/_index.md b/content/acra/configuring-maintaining/general-configuration/acra-server/_index.md index 5f8dc38f..3d3db44c 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-server/_index.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-server/_index.md @@ -419,6 +419,24 @@ For additional certificate validation flags, see corresponding pages: [OCSP](/acra/configuring-maintaining/tls/ocsp/) and [CRL](/acra/configuring-maintaining/tls/crl/). +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + ### Hashicorp Vault * `--vault_connection_api_string=` diff --git a/content/acra/configuring-maintaining/general-configuration/acra-translator.md b/content/acra/configuring-maintaining/general-configuration/acra-translator.md index 6020f4d2..29616141 100644 --- a/content/acra/configuring-maintaining/general-configuration/acra-translator.md +++ b/content/acra/configuring-maintaining/general-configuration/acra-translator.md 
@@ -242,6 +242,26 @@ For additional certificate validation flags, see corresponding pages: [OCSP](/acra/configuring-maintaining/tls/ocsp/) and [CRL](/acra/configuring-maintaining/tls/crl/). + +### KMS + +* `--kms_type=` + + Specify your KMS. + Currently supported KMS types: + * `aws` - AWS Key Management Service + +* `--kms_credentials_path=` + + A path to a file with KMS credentials JSON format. + + Example of KMS config: +* **AWS**: + ```json + {"access_key_id":"","secret_access_key":"","region":""} + ``` + + ### HashiCorp Vault * `--vault_connection_api_string=` diff --git a/content/acra/configuring-maintaining/key-storing/kms-integration.md b/content/acra/configuring-maintaining/key-storing/kms-integration.md index 46e9cac8..a253850b 100644 --- a/content/acra/configuring-maintaining/key-storing/kms-integration.md +++ b/content/acra/configuring-maintaining/key-storing/kms-integration.md 
@@ -59,8 +59,26 @@ You can find out how to configure access to KMS on `HashiCorp Vault` section on ### AWS KMS -Support of AWS KMS is available only in [Acra Enterprise Edition](/acra/enterprise-edition/) +[AWS KMS](https://aws.amazon.com/kms/) is a managed service that makes it easy for you to create and control the +cryptographic keys that are used to protect your data. Acra use AWS KMS manged keys to decrypt Acra Master Key. +AWS KMS is a popular solution for centralized key management, managing encryption for AWS services, and data encryption +in the client application. That is why Acra is trying to provide the closest possible integration with it. + +The following Acra services and tools can load Acra Master Key from this KMS. + +* [acra-server](/acra/configuring-maintaining/general-configuration/acra-server/#hashicorp-vault), +* [acra-translator](/acra/configuring-maintaining/general-configuration/acra-translator/#hashicorp-vault), +* [acra-keymaker](/acra/configuring-maintaining/general-configuration/acra-keymaker/#hashicorp-vault), +* [acra-rotate](/acra/configuring-maintaining/general-configuration/acra-rotate/#hashicorp-vault), +* [acra-addzone](/acra/configuring-maintaining/general-configuration/acra-addzone/#hashicorp-vault), +* [acra-backup](/acra/configuring-maintaining/general-configuration/acra-backup/#hashicorp-vault), +* [acra-log-verifier](/acra/configuring-maintaining/general-configuration/acra-log-verifier/#hashicorp-vault), +* [acra-poisonrecordmaker](/acra/configuring-maintaining/general-configuration/acra-poisonrecordmaker/#hashicorp-vault), +* [acra-rollback](/acra/configuring-maintaining/general-configuration/acra-rollback/#hashicorp-vault). + +You can find out how to configure access to KMS on `KMS` section on the distinct documentation page of these +services. ### GCP KMS
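Review bot: In the repeated `--kms_credentials_path=` block (first seen in the `acra-addzone.md` hunk and copied into every page below it), `* **AWS**:` starts at column 0, so it renders as a sibling of the flag bullets instead of sitting under "Example of KMS config:". Indent it and its JSON fence to the level of the flag description. "A path to a file with KMS credentials JSON format." is missing "in" before "JSON format". The file holds `secret_access_key` in plain JSON, so the description should also state the expected file permissions and which KMS permissions the credentials need.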
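Review bot: In the hunks for `acra-backup.md`, `acra-rotate.md` and the `acra-keys` pages `destroy.md`, `export.md`, `import.md`, `list.md`, `migrate.md` and `read.md`, the new heading is `### KMS` while the heading that follows it in the context is `#### HashiCorp Vault`, so KMS lands one level above its sibling and the Vault section becomes its child in the page outline. Use `#### KMS` on those pages; `### KMS` is only right where the context shows `### HashiCorp Vault`, as in `generate.md` and `acra-addzone.md`.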
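Review bot: In the `acra-keymaker.md` hunk, `--kms_key_policy=` documents only `create`, which exits with code 1 when **acra_master_key** already exists, and the text does not say what an operator should do on a second run or when the key was created beforehand. State that explicitly, or say that no other policy exists yet. Write the flag as `--generate_master_key` to match how the other flags are shown, change "Being used only with" to "Used only with", and end "Default is `create`" with a period.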
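Review bot: In the `acra-rollback.md` hunk, the context line directly after the added block reads "`acra-addzone` can read `ACRA_MASTER_KEY` from HashiCorp Vault", which names the wrong tool for this page. Since the patch already touches this spot, correct it to `acra-rollback` in the same change.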
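Review bot: In the `kms-integration.md` hunk, every link in the AWS KMS tool list ends in `#hashicorp-vault`, yet the closing sentence sends readers to the `KMS` section of each page; point the fragments at the anchor of the `KMS` heading this patch adds to those pages. The list also leaves out the `acra-keys` subcommand pages (`destroy`, `export`, `generate`, `import`, `list`, `migrate`, `read`), which gain the same KMS section in this patch, so either list them or say why they are excluded. Two typos in the first paragraph: "Acra use" should be "Acra uses" and "manged" should be "managed"; "on `KMS` section on the distinct documentation page" reads better as "in the `KMS` section of each tool's documentation page".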