Tags: laashub-soa/kes
Tags
cmd: align `kes key` command output (minio#218)

This commit aligns the output of the `kes key {encrypt,decrypt,dek}` commands. Further, it fixes a bug in the `kes key dek` command. Before, `dek` wrote a hex-encoded plaintext/ciphertext pair to STDOUT (when redirected) - instead of base64. Now, the output is again encoded as base64.

Signed-off-by: Andreas Auernhammer <[email protected]>

kestest: add new API tests

This commit adds a set of API tests that check that the server API behaves as expected.

Signed-off-by: Andreas Auernhammer <[email protected]>

yml: fix regression parsing policy definitions

This commit fixes a regression introduced by a229d68. Identities assigned to a policy in the YAML config file have been ignored in the following case:

```
policy:
- my-policy:
    allow:
    - /v1/key/create/*
    identity:
    - ${MY_CLIENT_IDENTITY}
```

Before, the config file parsing expected `identities` - not `identity`. After a229d68 `identities` has been ignored. This commit fixes this by reverting to the previous behavior of only honoring `identities`.

Signed-off-by: Andreas Auernhammer <[email protected]>

vault: include K/V prefix when cloning config

This commit fixes a bug introduced by a229d68 that ignores the K/V prefix when cloning the Vault config. This commit fixes this bug and adds a test to ensure that a config is cloned as expected.

Signed-off-by: Andreas Auernhammer <[email protected]>

update dependencies

This commit updates some dependencies to newer/their latest version.

Signed-off-by: Andreas Auernhammer <[email protected]>

cache: add offline caching of keys

This commit adds offline caching of keys.

KES keeps keys - fetched from the KMS key store - in an in-memory cache to increase performance and reduce the request rate to the central KMS. Entries in the cache expire after a configurable time period and get removed by a cache GC.

Usually it is recommended to keep the cache expiry periods quite low - e.g.:
 - Any: 5m0s
 - Unused: 20s

In particular, low cache expiry values reduce the time window KES can operate without interacting with the central KMS when serving stateless requests; e.g. generating a new data encryption key. Note that KES can never serve stateful requests, like creating or deleting a key, without the KMS.

Especially in distributed setups, two KES servers will sync eventually once their cache entries have expired. For example, one KES server receives a request to delete a key from the KMS key store. The second KES server will not notice that this key got deleted until its corresponding cache entry has expired. Low cache expiry values reduce the time window when multiple KES servers are not synchronized.

However, low cache expiry values require that the KMS is highly available. As soon as a cache entry expires, KES needs to reach out to the KMS to fetch the key again. If the KMS is not available, KES will not be able to continue serving stateless requests.

It may be desirable to keep keys longer in the cache to reduce the impact of the central KMS being down and continue serving stateless requests - but only when the KMS is actually down. When the KMS is available, KES should expire keys relatively quickly and only cache them longer when the KMS is not reachable.

This commit adds this ability by another cache expiry configuration:

```yaml
cache:
  expiry:
    any: 5m0s
    unused: 30s
    offline: 1h0m0s
```

Now, KES will cache keys for one hour if and only if the KMS is not available. As soon as the KMS is reachable again, KES clears the cache to sync with the central KMS again.

If no `offline` expiry is set, KES will not cache keys when the KMS is down. It will simply not use an offline cache.

Signed-off-by: Andreas Auernhammer <[email protected]>
Co-authored-by: Klaus Post <[email protected]>
Signed-off-by: Andreas Auernhammer <[email protected]>

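The lookup decision described in the commit message above, as an added Go sketch that is not KES's own code: a stale entry is served only while the KMS is unreachable and an `offline` expiry is set, and the cache is cleared once the KMS answers again. The `Cache`, `Expiry` and `Get` names, the `fetch` callback standing in for the KMS, and measuring the offline window from fetch time are assumptions; the `unused` expiry and the cache GC are left out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Expiry mirrors the cache.expiry keys from the commit message (unused omitted).
type Expiry struct{ Any, Offline time.Duration }

type entry struct{ key string; fetched time.Time }

// Cache is a hypothetical, simplified model; it is not KES's cache type.
type Cache struct {
	exp     Expiry
	entries map[string]entry
	fetch   func(name string) (string, error) // KMS lookup; an error means "KMS unreachable"
}

var ErrUnavailable = errors.New("kms unavailable and no usable cache entry")

// Get returns the key and whether it was served from the offline cache.
func (c *Cache) Get(name string, now time.Time) (string, bool, error) {
	e, ok := c.entries[name]
	if ok && now.Sub(e.fetched) < c.exp.Any {
		return e.key, false, nil // fresh entry: no KMS round trip
	}
	key, err := c.fetch(name)
	if err == nil {
		// KMS reachable: drop everything so deletions at the KMS become visible.
		c.entries = map[string]entry{name: {key, now}}
		return key, false, nil
	}
	// KMS down: serve the stale entry only while inside the offline window.
	if ok && c.exp.Offline > 0 && now.Sub(e.fetched) < c.exp.Offline {
		return e.key, true, nil
	}
	return "", false, ErrUnavailable
}

func main() {
	t0 := time.Now()
	c := &Cache{Expiry{5 * time.Minute, time.Hour}, map[string]entry{"k": {"secret", t0}},
		func(string) (string, error) { return "", errors.New("down") }}
	_, offline, err := c.Get("k", t0.Add(10*time.Minute))
	fmt.Println(offline, err)
}
```

The boolean result makes offline service observable, so a deployment can log or alert while keys are being served without confirmation from the KMS.

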
tls: add support for encrypted private keys. (minio#161)

This commit adds support for encrypted TLS private keys. Now, a TLS private key password can be specified in the KES config file:

```
tls:
  key: private.key
  cert: public.crt
  password: my-password
```

If the password should not be persisted as part of the KES configuration it can be fetched from the environment using env. variable substitution:

```
tls:
  key: private.key
  cert: public.crt
  password: ${KES_TLS_PRIVATE_KEY_PASSWORD}
```

```
export KES_TLS_PRIVATE_KEY_PASSWORD=my-password
```

Signed-off-by: Andreas Auernhammer <[email protected]>

vault: adjust key creation/deletion to Vault API (minio#159)

This commit fixes an issue in the Vault backend. HashiCorp Vault returns 204 (No Content) when creating / deleting a key successfully. Hence, the Vault SDK returns no error BUT also no secret/entry object - since no content.

However, the Vault SDK may also return no error AND no secret/entry object in case of some network errors - e.g. broken network connection.

This commit works around this ambiguous behavior by implementing the key creation / deletion using low-level SDK primitives and explicitly checking the HTTP response status code.

Signed-off-by: Andreas Auernhammer <[email protected]>