Key derivation to replace individual keys in encryptor #2290

Closed
10 tasks done
gak opened this issue Aug 7, 2024 · 0 comments · Fixed by #2338
gak commented Aug 7, 2024

  • Follow up from feat: Encrypt sensitive internal table columns #2248
  • Work out if the migration should be online or offline. ✅
  • Work out if all the key deriving works with tink. ✅
    • `deriver, err := keyderivation.New(handle)`, `derivedHandle, err := deriver.DeriveKeyset([]byte("salt"))`
  • KMS + streaming (not streaming)
  • One DEK that derives keyTwo DEKs for async and logs, later artefact integrity which will be asymmetric
  • Config/env for kms kek url
  • Still allow clear text keys for testing (via fake-aws://)
  • Migration
    • Table for encrypted key with only 1 row containing encrypted dek and encrypted dk. Later will have more rows for key rotation.
    • Move columns to bytea instead of jsonb
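
The per-purpose derivation this issue asks for (one root key, separate keys for `logs` and `async`), as an added example that is not the project's code. It swaps Tink's `keyderivation` and the KMS for standard-library HKDF-SHA256 and AES-GCM; the names `deriveAEAD`, `seal`, `open`, the purpose strings and the sample root key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveAEAD derives a per-purpose AES-256-GCM key from root with HKDF-SHA256
// (RFC 5869, one block, empty info); purpose is the salt, as in DeriveKeyset.
func deriveAEAD(root []byte, purpose string) (cipher.AEAD, error) {
	ext := hmac.New(sha256.New, []byte(purpose)) // extract: PRK = HMAC(salt, root)
	ext.Write(root)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: T(1) = HMAC(PRK, 0x01)
	exp.Write([]byte{0x01})
	block, err := aes.NewCipher(exp.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext, a value that fits a bytea column.
func seal(a cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the blob was sealed under another purpose.
func open(a cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}

func main() {
	root := []byte("constructed demo root key") // stand-in for the unwrapped DEK
	logs, _ := deriveAEAD(root, "logs")
	async, _ := deriveAEAD(root, "async")
	blob, _ := seal(logs, []byte(`{"level":"info"}`)) // constructed sample row
	_, err := open(async, blob)
	fmt.Println("async key opens a logs row:", err == nil)
}
```

Only the root key needs to be wrapped by the KMS and stored; the per-purpose keys are recomputed from it on startup.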
github-merge-queue bot pushed a commit that referenced this issue Aug 11, 2024
Related #2290 

Doesn't change any functionality in the system yet. It is just a
refactor and new encryption types, with tests.

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
github-merge-queue bot pushed a commit that referenced this issue Aug 14, 2024
Fixes #2290 
Follows #2312 
Needs work: #2346 #2348 

> [!CAUTION]
> Will nuke logs and async columns!

- Uses KMS via tink `FTL_KMS_URI`, so `fake-kms://` or `aws-kms://` will
work. Omitting will not encrypt.
- Remove old plaintext keys envs.

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matt Toohey <[email protected]>