[python] Add support for production signing with Azure Key Vault #1020

Closed
wants to merge 4 commits into from

@svenkata9 svenkata9 commented Oct 31, 2022

Signed-off-by: Sankaranarayanan Venkatasubramanian [email protected]

Description of the changes

This change enables production signing with Azure Key Vault's Managed HSM.
gramineproject/gsc#108 has corresponding gsc changes.

Fixes #11 (for AKV)
Fixes #698 (for AKV)

How to test this PR?

  • You need to have an Azure subscription with access to Azure Key Vault's Managed HSM.
  • Create a 3072-bit RSA key in Azure Key Vault's Managed HSM with a public exponent of 3 (please note that only Managed HSM supports setting the public exponent) and give yourself, or whoever will use the created key, permissions as 'Managed HSM Crypto User' (az keyvault role assignment).
  • gramine-sgx-sign is modified to take a keytype parameter that will use pem for a local private key and akv for Azure Key Vault. Please see the updated documentation.

This was tested with my Azure Key Vault subscription, and @dimakuv reviewed it as part of our pair review (Thanks, @dimakuv)
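
A pre-flight check for the key described in the test steps above, as an added example that is not part of this PR or of Gramine. It assumes the key's public part has been exported as a JWK (base64url `n` and `e`); the function names and sample keys are constructed for illustration.

```python
import base64

# Requirements taken from the PR's test steps: RSA, 3072-bit, exponent 3.
REQUIRED_BITS = 3072
REQUIRED_EXPONENT = 3


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url big-endian integer (JWK "n" / "e")."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def int_to_b64url(number: int) -> str:
    """Encode an integer as a JWK does; used only to build the samples."""
    raw = number.to_bytes((number.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_signing_key(jwk: dict) -> list[str]:
    """Return the reasons a key cannot be used; empty list means it can."""
    # "RSA-HSM" as the HSM-backed key type is an assumption about the JWK.
    if jwk.get("kty") not in ("RSA", "RSA-HSM"):
        return [f"key type {jwk.get('kty')!r} is not RSA"]
    try:
        modulus = b64url_to_int(jwk["n"])
        exponent = b64url_to_int(jwk["e"])
    except (KeyError, TypeError, ValueError) as err:
        return [f"missing or malformed modulus/exponent: {err!r}"]
    problems = []
    if modulus.bit_length() != REQUIRED_BITS:
        problems.append(f"modulus is {modulus.bit_length()} bits, need {REQUIRED_BITS}")
    if exponent != REQUIRED_EXPONENT:
        problems.append(f"public exponent is {exponent}, need {REQUIRED_EXPONENT}")
    return problems


# Constructed samples: the moduli only have the right bit length and are
# not real RSA keys. "AQAB" is 65537, the usual default exponent.
GOOD_KEY = {"kty": "RSA-HSM", "n": int_to_b64url((1 << 3071) | 1), "e": "Aw"}
BAD_KEY = {"kty": "RSA-HSM", "n": int_to_b64url((1 << 2047) | 1), "e": "AQAB"}

if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        print(name, check_signing_key(key) or "ok")
```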


This change is Reviewable

Copy link
Contributor

@dimakuv dimakuv left a comment

Reviewable status: 0 of 5 files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @svenkata9)

a discussion (no related file):
The Gramine community had discussions about where to have such cloud-specific and HSM-specific code. It is currently decided to create them in a separate repo (like contrib), not in this core repo.

So I re-created the functionality of this PR as a plugin here: gramineproject/contrib#11. Please check that PR.

@svenkata9 Could you verify that the new PR works correctly? And in general, please review if I recreated it correctly.


a discussion (no related file):
After we agree on where to have such HSM-specific code (see my other comment), we'll need to update & review the corresponding GSC PR: gramineproject/gsc#108


dimakuv commented Nov 25, 2022

> So I re-created the functionality of this PR as a plugin here: gramineproject/contrib#11. Please check that PR.

That PR was merged, so we can close this PR.

@dimakuv dimakuv closed this Nov 25, 2022
@svenkata9 svenkata9 deleted the svenkat9/akv_sign2 branch December 7, 2022 04:38
Successfully merging this pull request may close these issues.

RFC: Separate signing Enable 2-step signing in gramine sign tool