luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
9594 commits 1 branch 0 tags 214 MiB
Commit graph

13 commits

Author SHA1 Message Date
Seth Vargo c3f1043c24 Reduce required permissions for the GCPCKMS auto-unsealer (#5999) 
This changes the behavior of the GCPCKMS auto-unsealer setup to attempt
encryption instead of a key lookup. Key lookups are a different API
method not covered by roles/cloudkms.cryptoKeyEncrypterDecrypter. This
means users must grant an extended scope to their service account
(granting the ability to read key data) which only seems to be used to
validate the existence of the key.

Worse, the only roles that include this permission are overly verbose
(e.g. roles/viewer which gives readonly access to everything in the
project and roles/cloudkms.admin which gives full control over all key
operations). This leaves the user stuck between choosing to create a
custom IAM role (which isn't fun) or grant overly broad permissions.

By changing to an encrypt call, we get better verification of the unseal
permissions and users can reduce scope to a single role.
 2019-01-04 16:29:31 -05:00
Jeff Mitchell c8a029210b
Don't read AWS env vars (#5974) 
* Don't read AWS env vars

Let AWS SDK env cred chain provider do it for us

Fixes #5965
 2019-01-04 15:03:57 -05:00
Calvin Leung Huang be05907515 autoseal: fix error typos (#5877) 2018-11-29 16:07:08 -08:00
Jeff Mitchell 9735bd7d69 Fix more awskms test brokenness 2018-11-13 13:01:40 -05:00
Jeff Mitchell e5aad14d79 Fix test where AWS wasn't being skipped properly 2018-11-13 12:45:30 -05:00
Chris Hoffman 3f5117e87d fix key version tracking (#5757) 2018-11-12 09:52:31 -08:00
Chris Hoffman 3d1320d997
Fixing AliCloud KMS seal encryption/decryption (#5756) 
* fixing seal encryption/decryption

* Address feedback.

Co-Authored-By: chrishoffman <christopher.hoffman@gmail.com>
 2018-11-12 10:57:02 -05:00
Becca Petrin 3b8d543189
AWS auto-unseal acceptance test (#5739) 2018-11-09 14:12:29 -08:00
Calvin Leung Huang 46f37f3363
Add HSMAutoDeprecated for ent upgrade (#5704) 2018-11-06 09:42:03 -08:00
Chris Hoffman 237fa63908
matching config name to storage backend (#5670) 2018-11-02 11:15:07 -04:00
Chris Hoffman 8c88eb3e2a
Add -dev-auto-seal option (#5629) 
* adding a -dev-auto-seal option

* adding logger to TestSeal
 2018-10-29 09:30:24 -04:00
Calvin Leung Huang a08ccbffa7
[Review Only] Autoseal OSS port (#757) 
* Port awskms autoseal

* Rename files

* WIP autoseal

* Fix protobuf conflict

* Expose some structs to properly allow encrypting stored keys

* Update awskms with the latest changes

* Add KeyGuard implementation to abstract encryption/decryption of keys

* Fully decouple seal.Access implementations from sealwrap structs

* Add extra line to proto files, comment update

* Update seal_access_entry.go

* govendor sync

* Add endpoint info to configureAWSKMSSeal

* Update comment

* Refactor structs

* Update make proto

* Remove remove KeyGuard, move encrypt/decrypt to autoSeal

* Add rest of seals, update VerifyRecoveryKeys, add deps

* Fix some merge conflicts via govendor updates

* Rename SealWrapEntry to EncryptedBlobInfo

* Remove barrier type upgrade check in oss

* Add key to EncryptedBlobInfo proto

* Update barrierTypeUpgradeCheck signature
 2018-10-19 14:43:57 -07:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00