Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add secrets providers #471

Merged
merged 5 commits into from
Oct 18, 2021
Merged

add secrets providers #471

merged 5 commits into from
Oct 18, 2021

Conversation

ssoroka
Copy link
Contributor

@ssoroka ssoroka commented Oct 15, 2021

No description provided.

@ssoroka ssoroka changed the title add secerts add secerts providers Oct 15, 2021
@ssoroka ssoroka changed the title add secerts providers add secrets providers Oct 15, 2021
BruceMacD
BruceMacD approved these changes Oct 18, 2021
View reviewed changes
Copy link
Collaborator

@BruceMacD BruceMacD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks solid to me 👍

secrets/secrets.go
// - the client shall remove the plaintext data key from memory as soon as it is no longer needed
// - the client will request the data key be decrypted by the provider if it is needed subsequently.
// In this way the encryption-as-a-service provider scales to unlimited data sizes without needing to transfer the data to the remote service for encryption/decryption.
// To rotate root keys, generate new ones periodically and reencrypt data you touch with the new root. This can either be done all at once or gradually over time. Old root keys are out of circulation when no data exists that points to them.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a mechanism to re-encrypt data with the new root?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can be done by the caller simply by rotating the root, decrypting the data and then encrypting it again.

secrets/kms.go Show resolved Hide resolved
@ssoroka ssoroka merged commit 0d67304 into main Oct 18, 2021
@ssoroka ssoroka deleted the secrets branch October 18, 2021 19:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BruceMacD BruceMacD BruceMacD approved these changes

@jmorganca jmorganca jmorganca approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ssoroka @jmorganca @BruceMacD