Merged
**Why**: So we can use the CloudTrail output to monitor KMS usage.

This commit moves the old KMS client into a new client called `ContextlessKmsClient`. After moving the PII data out of that KMS client it can be deprecated and maintained as legacy code with the UAK password encryptor.

The new KMS client requires a context hash to perform encryption.

This commit includes the ability to enable writes with KMS contexts by flipping a feature flag. This defaults to off. This means that the change can be deployed to read KMS ciphertexts with or without a context, but only writes without. Once the new change is deployed and the old instances are scaled in, that flag can be flipped so that the next set of instances will write ciphertexts with a context and all instances will be able to read them.

Rollplan:

1. Recycle with this change
2. Test that everything works as expected, old ciphertexts can be decrypted
3. Flip the `use_kms_contexts` flag to `true`
4. Recycle to pick up the config change
5. Test that everything works as expected, new and old ciphertexts can be decrypted
jgsmith-usds approved these changes on Feb 13, 2019
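The read-both, write-by-flag rollout from the PR description above, as an added Ruby example that is not the project's code. `FakeKms` is an offline stand-in for AWS KMS, and the `FlaggedKmsClient` class and its `CTX1` format tag are assumptions of this example.

```ruby
require 'openssl'
require 'json'

# Offline stand-in for AWS KMS (assumption): binds the context as AEAD AAD, as KMS does.
class FakeKms
  def initialize
    @key = OpenSSL::Random.random_bytes(32)
  end

  def encrypt(plaintext, context)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = JSON.generate(context.sort.to_h)
    body = cipher.update(plaintext) + cipher.final
    iv + cipher.auth_tag + body
  end

  def decrypt(blob, context)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = blob.byteslice(0, 12)
    cipher.auth_tag = blob.byteslice(12, 16)
    cipher.auth_data = JSON.generate(context.sort.to_h)
    cipher.update(blob.byteslice(28, blob.bytesize)) + cipher.final # raises on mismatch
  end
end

# Hypothetical client: always reads both formats, writes with a context only
# when the flag is on. Untagged ciphertexts are treated as legacy (no context).
class FlaggedKmsClient
  CONTEXT_TAG = 'CTX1' # assumed marker for context-bound ciphertexts

  def initialize(kms, use_kms_contexts: false)
    @kms = kms
    @use_kms_contexts = use_kms_contexts
  end

  def encrypt(plaintext, context)
    raise ArgumentError, 'context required' if context.empty?
    return @kms.encrypt(plaintext, {}) unless @use_kms_contexts
    CONTEXT_TAG + @kms.encrypt(plaintext, context)
  end

  def decrypt(ciphertext, context)
    return @kms.decrypt(ciphertext, {}) unless ciphertext.byteslice(0, 4) == CONTEXT_TAG
    @kms.decrypt(ciphertext.byteslice(4, ciphertext.bytesize), context)
  end
end
```

Only the context-bound format rejects a decrypt made under the wrong context, and only those calls carry a context that a CloudTrail record can be matched on, so step 3 of the roll plan is what turns the monitoring on.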