Backport of Fix incorrect HSM mechanisms in transit BYOK docs into release/1.11.x #16082

Merged
4 changes: 2 additions & 2 deletions website/content/docs/secrets/transit.mdx
Expand Up @@ -257,11 +257,11 @@ as described below. In the below, the target key refers to the key being importe
If the key is being imported from an HSM that supports PKCS#11, there are
two possible scenarios:

- If the HSM supports the CKM_AES_KEY_WRAP_KWP mechanism, that can be used to wrap the
- If the HSM supports the CKM_RSA_AES_KEY_WRAP mechanism, that can be used to wrap the
target key using the wrapping key.

- Otherwise, two mechanisms can be combined to wrap the target key. First, an AES key should
be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_PAD mechanism.
be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_KWP mechanism.
Then the AES key should be wrapped under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
using MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
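
Review bot: The first bullet names CKM_RSA_AES_KEY_WRAP without any parameters, while the second bullet spells out MGF1 and the accepted hashes for CKM_RSA_PKCS_OAEP. CKM_RSA_AES_KEY_WRAP wraps its temporary AES key with RSA-OAEP internally, so the same MGF1 and hash constraint applies to it and should be stated in that bullet; as written, a reader taking the single-mechanism path has no guidance on which OAEP parameters to choose. In the second bullet, "an AES key should be generated" also leaves the key size unstated and does not say the key is only for this one wrap, so consider adding both. The hash list gives SHA-1 the same standing as the SHA-2 options; if a preferred choice exists, say so here.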
