open-vault

luxolus/open-vault

Fork 0

Commit graph

Author	SHA1	Message	Date
Seth Vargo	c3f1043c24	Reduce required permissions for the GCPCKMS auto-unsealer (#5999 ) This changes the behavior of the GCPCKMS auto-unsealer setup to attempt encryption instead of a key lookup. Key lookups are a different API method not covered by roles/cloudkms.cryptoKeyEncrypterDecrypter. This means users must grant an extended scope to their service account (granting the ability to read key data) which only seems to be used to validate the existence of the key. Worse, the only roles that include this permission are overly verbose (e.g. roles/viewer which gives readonly access to everything in the project and roles/cloudkms.admin which gives full control over all key operations). This leaves the user stuck between choosing to create a custom IAM role (which isn't fun) or grant overly broad permissions. By changing to an encrypt call, we get better verification of the unseal permissions and users can reduce scope to a single role.	2019-01-04 16:29:31 -05:00
Calvin Leung Huang	a08ccbffa7	[Review Only] Autoseal OSS port (#757 ) * Port awskms autoseal * Rename files * WIP autoseal * Fix protobuf conflict * Expose some structs to properly allow encrypting stored keys * Update awskms with the latest changes * Add KeyGuard implementation to abstract encryption/decryption of keys * Fully decouple seal.Access implementations from sealwrap structs * Add extra line to proto files, comment update * Update seal_access_entry.go * govendor sync * Add endpoint info to configureAWSKMSSeal * Update comment * Refactor structs * Update make proto * Remove remove KeyGuard, move encrypt/decrypt to autoSeal * Add rest of seals, update VerifyRecoveryKeys, add deps * Fix some merge conflicts via govendor updates * Rename SealWrapEntry to EncryptedBlobInfo * Remove barrier type upgrade check in oss * Add key to EncryptedBlobInfo proto * Update barrierTypeUpgradeCheck signature	2018-10-19 14:43:57 -07:00

Author

SHA1

Message

Date

Seth Vargo

c3f1043c24

Reduce required permissions for the GCPCKMS auto-unsealer (#5999 )

This changes the behavior of the GCPCKMS auto-unsealer setup to attempt
encryption instead of a key lookup. Key lookups are a different API
method not covered by roles/cloudkms.cryptoKeyEncrypterDecrypter. This
means users must grant an extended scope to their service account
(granting the ability to read key data) which only seems to be used to
validate the existence of the key.

Worse, the only roles that include this permission are overly verbose
(e.g. roles/viewer which gives readonly access to everything in the
project and roles/cloudkms.admin which gives full control over all key
operations). This leaves the user stuck between choosing to create a
custom IAM role (which isn't fun) or grant overly broad permissions.

By changing to an encrypt call, we get better verification of the unseal
permissions and users can reduce scope to a single role.

2019-01-04 16:29:31 -05:00

Calvin Leung Huang

a08ccbffa7

[Review Only] Autoseal OSS port (#757 )

* Port awskms autoseal

* Rename files

* WIP autoseal

* Fix protobuf conflict

* Expose some structs to properly allow encrypting stored keys

* Update awskms with the latest changes

* Add KeyGuard implementation to abstract encryption/decryption of keys

* Fully decouple seal.Access implementations from sealwrap structs

* Add extra line to proto files, comment update

* Update seal_access_entry.go

* govendor sync

* Add endpoint info to configureAWSKMSSeal

* Update comment

* Refactor structs

* Update make proto

* Remove remove KeyGuard, move encrypt/decrypt to autoSeal

* Add rest of seals, update VerifyRecoveryKeys, add deps

* Fix some merge conflicts via govendor updates

* Rename SealWrapEntry to EncryptedBlobInfo

* Remove barrier type upgrade check in oss

* Add key to EncryptedBlobInfo proto

* Update barrierTypeUpgradeCheck signature

2018-10-19 14:43:57 -07:00

2 commits