CLDSRV-559 AWS KMS backend + account level encryption key #5682
Conversation
nicolas2bert
commented
Sep 26, 2024
nicolas2bert
commented
- Introduce a new KMS backend that supports the AWS KMS protocol.
- Implement a more efficient approach to managing default encryption keys. Instead of creating a master encryption key per bucket, a single default master encryption key is associated with the account. This simplifies key management. The default key id will be stored in the account metadata.
Add configuration mechanism for the new AWS KMS connector. Depends on changes in Arsenal to have support of this new connector.
available Up to now, the datakey was always generated using a locally generated random number. This commit allow to use the "generateDataKey" operation of a KMS when it is implemented. It fallback to random number generation if not available. The benefit of generating the datakey in the KMS is a better entropy source resulting in a "better" datakey.
Hello nicolas2bert,My role is to assist you with the merge of this Available options
Available commands
Status report is not available. |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
|
ping |
Request integration branchesWaiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command: Alternatively, the |
nicolas2bert
force-pushed
the
improvement/CLDSRV-559/kms
branch
from
3f9a7fb to
14ab601
Compare
| .forEach(existing => { | ||
| const hasKey = target.masterKeyId ? 'a' : 'no'; | ||
| const { algo } = target; | ||
| it('should override bucket encryption settings with ' |
There was a problem hiding this comment.
Note to reviewer: Here I have not changed anything in the test, just improved the description a bit.
nicolas2bert
force-pushed
the
improvement/CLDSRV-559/kms
branch
from
14ab601 to
7cda219
Compare
lib/Config.js
Outdated
| ak: process.env.AWS_ACCESS_KEY_ID, | ||
| sk: process.env.AWS_SECRET_ACCESS_KEY |
There was a problem hiding this comment.
| ak: process.env.AWS_ACCESS_KEY_ID, | |
| sk: process.env.AWS_SECRET_ACCESS_KEY | |
| accessKey: process.env.AWS_ACCESS_KEY_ID, | |
| secretKey: process.env.AWS_SECRET_ACCESS_KEY |
lib/kms/wrapper.js
Outdated
| cipherBundle.masterKeyId, | ||
| log, (err, plainTextDataKey, cipheredDataKey) => { | ||
| if (err) { | ||
| log.debug('error from kms', |
There was a problem hiding this comment.
You may want to log this with error level? Your call, and the original code was also logging in debug level. Also maybe add some context like "error generating a new data key from KMS"
lib/kms/wrapper.js
Outdated
| }) | ||
| } else { | ||
| log.debug('creating a new data key'); | ||
| const dataKey = Common.createDataKey(); |
There was a problem hiding this comment.
| const dataKey = Common.createDataKey(); | |
| const plainTextDataKey = Common.createDataKey(); |
lib/kms/wrapper.js
Outdated
| if (client.supportsDefaultKeyPerAccount && config.defaultEncryptionKeyPerAccount) { | ||
| return vault.getOrCreateEncryptionKeyId(bucket.getOwner(), log, (err, data) => { | ||
| if (err) { | ||
| log.debug('error retreiving or creating the default encryption key at the account level from vault', |
There was a problem hiding this comment.
| log.debug('error retreiving or creating the default encryption key at the account level from vault', | |
| log.debug('error retrieving or creating the default encryption key at the account level from vault', |
lib/kms/wrapper.js
Outdated
| } | ||
|
|
||
| const { encryptionKeyId, action } = data; | ||
| log.trace('default encryption key retreived or created at the account level from vault', |
There was a problem hiding this comment.
| log.trace('default encryption key retreived or created at the account level from vault', | |
| log.trace('default encryption key retrieved or created at the account level from vault', |
tests/unit/api/bucketDelete.js
Outdated
| sinon.restore(); | ||
| }); | ||
|
|
||
| it('should delete the bucket-level encryption key is AES256 algorithm', done => { |
There was a problem hiding this comment.
| it('should delete the bucket-level encryption key is AES256 algorithm', done => { | |
| it('should delete the bucket-level encryption key if AES256 algorithm', done => { |
lib/kms/wrapper.js
Outdated
| /* There are 2 ways of generating a datakey : | ||
| - using the generateDataKey of the KMS backend if it exists | ||
| (currently only implemented for the AWS KMS backend). This is | ||
| the prefered solution since a dedicated KMS should offer a better |
There was a problem hiding this comment.
| the prefered solution since a dedicated KMS should offer a better | |
| the preferred solution since a dedicated KMS should offer a better |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
nicolas2bert
force-pushed
the
improvement/CLDSRV-559/kms
branch
from
0e9495d to
7396bf2
Compare
nicolas2bert
force-pushed
the
improvement/CLDSRV-559/kms
branch
from
7396bf2 to
b7169de
Compare
Request integration branchesWaiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command: Alternatively, the |
|
/create_integration_branches |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/8.6/improvement/CLDSRV-559/kms origin/development/8.6
$ git merge origin/improvement/CLDSRV-559/kms
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/8.6/improvement/CLDSRV-559/kmsThe following options are set: create_integration_branches |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/8.7/improvement/CLDSRV-559/kms origin/development/8.7
$ git merge origin/w/8.6/improvement/CLDSRV-559/kms
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/8.7/improvement/CLDSRV-559/kmsThe following options are set: create_integration_branches |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/8.8/improvement/CLDSRV-559/kms origin/development/8.8
$ git merge origin/w/8.7/improvement/CLDSRV-559/kms
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/8.8/improvement/CLDSRV-559/kmsThe following options are set: create_integration_branches |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
The following options are set: create_integration_branches |
|
@bert-e approve |
|
I have successfully merged the changeset of this pull request
The following branches have NOT changed:
Please check the status of the associated issue CLDSRV-559. Goodbye nicolas2bert. The following options are set: approve, create_integration_branches |
