Adding decryption support to keystore backends#54428
Merged
Conversation
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
8 times, most recently
from
f6e998a to
c42490e
Compare
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
from
64fe22b to
b84468a
Compare
eriktate
added
the
no-changelog
nklaassen
reviewed
May 8, 2025
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
from
b84468a to
3b7b4bb
Compare
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
from
3b7b4bb to
e4ef25d
Compare
nklaassen
reviewed
May 14, 2025
Contributor
nklaassen
left a comment
nklaassen
left a comment
There was a problem hiding this comment.
it's looking pretty good to me there's just a few lingering comments
| } | ||
|
|
||
| // GetDecrypter returns the [crypto.Decrypter] associated with a given EncryptionKeyPair if accessible. | ||
| func (m *Manager) GetDecrypter(ctx context.Context, keyPair *types.EncryptionKeyPair) (crypto.Decrypter, error) { |
Contributor
There was a problem hiding this comment.
in reality if you have multiple auths with PKCS#11 HSMs, you're going to have multiple possible EncryptionKeyPairs, and I don't think you're going to know which one to pass here. This is why the signer equivalents like GetJWTSigner pass the whole CA and then the keystore.Manager selects the key it can actually use with the available keystore backends. but maybe it will be better to just refactor this in a later PR
Contributor
Author
There was a problem hiding this comment.
I account for this in a later PR by calling GetDecrypter for each EncryptionKeyPair. I could modify this to accept a slice or an iterator of EncryptionkeyPairs, but it actually ends up being useful to know the result for each key during a rotation as a check for which keys are accessible to a given keystore.Manager. In particular when a key is being rotated the Manager can resolve both the rotated pair and the new pair, but the caller needs to make decisions based on the state of both of them (e.g. if the new pair is still unfulfilled, the key marked as rotating is still the active key. If it's fulfilled then the rotating key needs to be marked as rotated).
Contributor
Author
|
@nklaassen @vapopov friendly bump! |
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
from
c3b364d to
6a5041a
Compare
nklaassen
approved these changes
May 21, 2025
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
from
6a5041a to
d4161b8
Compare
rosstimothy
approved these changes
May 27, 2025
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
from
d4161b8 to
027543d
Compare
public-teleport-github-review-bot
Bot
removed the request for review
from vapopov
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
from
027543d to
cd91ba6
Compare
gcp, pkcs11, and software backends
eriktate
force-pushed
the
eriktate/keystore-decryption
branch
from
cd91ba6 to
12ade31
Compare
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
eriktate
added a commit
that referenced
this pull request
Jun 30, 2025
…#54428) gcp, pkcs11, and software backends
eriktate
added a commit
that referenced
this pull request
Jul 1, 2025
…#54428) gcp, pkcs11, and software backends
eriktate
added a commit
that referenced
this pull request
Jul 1, 2025
…#54428) gcp, pkcs11, and software backends
eriktate
added a commit
that referenced
this pull request
Jul 1, 2025
…#54428) gcp, pkcs11, and software backends
eriktate
added a commit
that referenced
this pull request
Aug 15, 2025
eriktate
added a commit
that referenced
this pull request
Aug 27, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 3, 2025
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Sep 3, 2025
* adding support for encryption/decryption keys to keystore manager (#54428, #55652) * adds new protos for resources related to encrypted session recordings and updates the existing SessionRecordingConfig protos to include a Status (#54780) * adding local service implementation for recording encryption resources (#54816) * adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD (#55078) * Adding session recording plugin for `age` (#55120) * adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD * adding age plugin wrapping default X25519 Identity/Recipient implementation with hooks to more efficiently lookup private keys given their respective public key * Adding recording encryption and playback for `sync` modes (#54901) * adding cache for RecordingEncryption (#55857) * adding recording_encryption service protos (#55121) * adding async recording encryption with gRPC multipart uploader (#55859) * adding file configuration for encrypted session recording (#56200) * Switching recording encryption to unwrap keys using direct keystore RSA decryption (#56776) * adding manual key management config (#56920) * updating protos for recording encryption (#57055) * Add missing handling for recording encryption configs and keys (#57279) * updating protos for recording encryption * changing labels for encryption keys to prevent automatic cleanup, adjusting pkcs11 host UUID check to allow for key sharing of encryption keys, preventing cloud tenants from enabling manual key management, preventing use of recording encryption in FIPS mode * adding new protos for rotated keys and the local service for interacting (#57576) with them * Switching encryption keys from PEM to ASN.1 DER encoding (#58137) * using pregenerated RSA4096 key for keystore tests because generation is too slow (#58138) * extending precomputed RSA keys to support 4096-bit keys (#58251) * adding rotation process to Manager and exposing with new RPCs and (#57577) * adding rotation sub commands for recording encryption keys and fixing (#57780) broken session_recording_config when using fileconf * using more reliable method of validating key bit length
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds support for generating encryption/decryption keypairs as well as retrieving decrypters from keystore backends.