You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: proposals/007-azure-kms.md
+25Lines changed: 25 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -84,6 +84,30 @@ So that we can supply custom trust or use insecure testing modes (mock servers u
84
84
85
85
Another difference is that basic Key Vault cannot generate the DEK bytes for us. Managed HSM does have an operation to generate random bytes for us https://learn.microsoft.com/en-us/rest/api/keyvault/?view=rest-keyvault-keys-7.4#key-operations-managed-hsm-only
86
86
87
+
### Key Identifiers
88
+
89
+
When we wrap/unwrap we have to identify a key by its name and version. You can obtain the latest version by https://learn.microsoft.com/en-us/rest/api/keyvault/keys/get-key/get-key?view=rest-keyvault-keys-7.4&tabs=HTTP.
90
+
91
+
The API usually returns it as a `kid`https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-identifiers. Like
92
+
93
+
> For Vaults: https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}
The Azure SDK then takes advantage of the fact this happens to be the base URL for various operations like wrap/unwrap.
98
+
99
+
ed. for [wrap key](https://learn.microsoft.com/en-us/rest/api/keyvault/keys/wrap-key/wrap-key?view=rest-keyvault-keys-7.4&tabs=HTTP) the url is `POST {vaultBaseUrl}/keys/{key-name}/{key-version}/wrapkey?api-version=7.4
100
+
`
101
+
102
+
To minimise EDEK bytes there are a couple of opportunities when encoding the EDEK:
103
+
1. we can exclude the vaultBaseUrl and have the limitation that we work only with a single key vault
104
+
2. we can encode just the keyName and keyVersion, and use that to decrypt
105
+
3. all documented examples of the keyVersion (and from my experimentation too) are 128bits encoded as a hexadecimal string.
106
+
107
+
So for the EDEK I think we could optimistically try to encode it as `versionByte,keyNameLength,keyName,keyVersionLength,128-bit-decoded,edek`
108
+
and fall back to using the string like `versionByte,keyNameLength,keyName,keyVersionLength,keyVersionString,edek`. So
109
+
we would have either a 16-byte version implying it's the bytes, or a 32 character string.
110
+
87
111
## Proposed Initial Implementation
88
112
89
113
1. Support all flavours of Key Vault. The APIs will be the same, just with a different vault base URI.
@@ -93,6 +117,7 @@ Another difference is that basic Key Vault cannot generate the DEK bytes for us.
93
117
5. Support TLS customization of the authentication client and key vault client.
94
118
6. DEK bytes will be generated proxy-side with a SecureRandom.
95
119
7. The Azure SDK pulls in netty/jackson/project-reactor, lets try implementing the APIs ourselves as we have for AWS
120
+
8. Edek stores the keyName, keyVersion, edek. We attempt to minimise keyVersion size by optimistically decoding it from hex string, else store the string.
0 commit comments