Skip to content

Adding new protos for session recording encryption#54780

Merged
eriktate merged 1 commit intomasterfrom
eriktate/encrypted-recording-protos
May 29, 2025
Merged

Adding new protos for session recording encryption#54780
eriktate merged 1 commit intomasterfrom
eriktate/encrypted-recording-protos

Conversation

@eriktate
Copy link
Copy Markdown
Contributor

@eriktate eriktate commented May 13, 2025

This PR adds new protos in support of the encrypted session recording RFD #53348

@eriktate eriktate force-pushed the eriktate/encrypted-recording-protos branch 5 times, most recently from 02ae232 to 1148b4b Compare May 14, 2025 20:11
@eriktate eriktate marked this pull request as ready for review May 15, 2025 21:58
@github-actions github-actions Bot requested review from marcoandredinis and zmb3 May 15, 2025 21:59
@eriktate eriktate force-pushed the eriktate/keystore-decryption branch from c3b364d to 6a5041a Compare May 20, 2025 14:05
@eriktate eriktate force-pushed the eriktate/encrypted-recording-protos branch from 1148b4b to 245cb67 Compare May 20, 2025 14:10
@eriktate eriktate force-pushed the eriktate/keystore-decryption branch from 6a5041a to d4161b8 Compare May 22, 2025 19:23
@eriktate eriktate force-pushed the eriktate/encrypted-recording-protos branch 3 times, most recently from adfe856 to 32e26ff Compare May 22, 2025 22:24
marcoandredinis
marcoandredinis approved these changes May 26, 2025
View reviewed changes
Comment thread api/proto/teleport/legacy/types/types.proto Outdated
];
// Status is the SessionRecordingConfig status containing active encryption keys
SessionRecordingConfigStatus Status = 6 [
(gogoproto.nullable) = false,
Copy link
Copy Markdown
Contributor

@marcoandredinis marcoandredinis May 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RFD had nullable = true

Comment thread api/proto/teleport/recordingencryption/v1/recording_encryption.proto Outdated
types.EncryptionKeyPair key_encryption_pair = 2;
// State represents what state a given WrappedKey is currently in. Primarily used
// to identify what phase of a rotaiton a given key is currently in.
KeyState state = 3;
Copy link
Copy Markdown
Contributor

@marcoandredinis marcoandredinis May 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using enums in proto brings some UX issues to the Teleport terraform provider.
When using those, we have to write the numerical identifier instead of ACTIVE/ROTATING/ROTATED.

I'm not sure this view is popular, but lately I've favored string representations instead of Enums.

Up to you (and whoever also reviews this), just trying to raise your attention to this.

Note: this is a terraform provider issue, but while we don't fix it, this will have a negative impact in UX.

Copy link
Copy Markdown
Contributor

@rosstimothy rosstimothy May 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a string instead of an enum also yields a friendly representation for yaml if this resource is obtainable via tctl get.

Copy link
Copy Markdown
Contributor

@rosstimothy rosstimothy May 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could also consider omitting this now while rotations are still being worked out and add it in later.

Copy link
Copy Markdown
Contributor Author

@eriktate eriktate May 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this field actually started as a string in the RFD but was replaced with an enum after a couple of rounds of feedback. The enum might make a bit more sense in this case since RecordingEncryption state is meant to be internally created and managed within the auth service. The KeyState values shouldn't be exposed in a way that would expect to impact the TF provider or even tctl get since the only planned RPCs are for powering the encryption key rotation sub command.

That said I might go ahead and just omit for the time being.

@eriktate eriktate force-pushed the eriktate/encrypted-recording-protos branch from 32e26ff to 673fe22 Compare May 27, 2025 21:45
@eriktate eriktate force-pushed the eriktate/keystore-decryption branch 2 times, most recently from 027543d to cd91ba6 Compare May 27, 2025 21:58
@eriktate eriktate force-pushed the eriktate/encrypted-recording-protos branch 2 times, most recently from b9b6291 to fc7c1c3 Compare May 27, 2025 22:02
@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from zmb3 May 28, 2025 13:06
@eriktate eriktate force-pushed the eriktate/keystore-decryption branch from cd91ba6 to 12ade31 Compare May 29, 2025 18:57
Base automatically changed from eriktate/keystore-decryption to master May 29, 2025 20:02
@eriktate eriktate force-pushed the eriktate/encrypted-recording-protos branch from fc7c1c3 to 6f8f538 Compare May 29, 2025 20:31
@eriktate
adds new protos for resources related to encrypted session recordings…
32487ed 
… and updates the existing SessionRecordingConfig protos to include a Status
@eriktate eriktate force-pushed the eriktate/encrypted-recording-protos branch from 6f8f538 to 32487ed Compare May 29, 2025 21:00
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 29, 2025
edited
Loading

Amplify deployment status

Branch Commit Job ID Status Preview Updated (UTC)
eriktate/encrypted-recording-protos HEAD 1 ✅SUCCEED eriktate-encrypted-recording-protos 2025-05-29 21:06:21

@eriktate eriktate added the no-changelog Indicates that a PR does not require a changelog entry label May 29, 2025
@eriktate eriktate enabled auto-merge May 29, 2025 21:12
@eriktate eriktate added this pull request to the merge queue May 29, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks May 29, 2025
@eriktate eriktate added this pull request to the merge queue May 29, 2025
Merged via the queue into master with commit 9c43264 May 29, 2025
44 of 45 checks passed
@eriktate eriktate deleted the eriktate/encrypted-recording-protos branch May 29, 2025 22:00
eriktate added a commit that referenced this pull request Jun 30, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
5c8be6c 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
@eriktate eriktate mentioned this pull request Jun 30, 2025
Closed
eriktate added a commit that referenced this pull request Jul 1, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
0efeec3 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
eriktate added a commit that referenced this pull request Jul 1, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
1b8e456 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
@eriktate eriktate mentioned this pull request Jul 1, 2025
Closed
eriktate added a commit that referenced this pull request Jul 1, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
b916fae 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
eriktate added a commit that referenced this pull request Aug 15, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
9d16409 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
@eriktate eriktate mentioned this pull request Aug 15, 2025
Merged
eriktate added a commit that referenced this pull request Aug 27, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
a30513e 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
eriktate added a commit that referenced this pull request Sep 2, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
95fbf4b 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
eriktate added a commit that referenced this pull request Sep 2, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
d619605 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
eriktate added a commit that referenced this pull request Sep 2, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
d53b1e5 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
eriktate added a commit that referenced this pull request Sep 3, 2025
@eriktate
adds new protos for resources related to encrypted session recordings…
a149226 
… and updates the existing SessionRecordingConfig protos to include a Status (#54780)
github-merge-queue Bot pushed a commit that referenced this pull request Sep 3, 2025
@eriktate
[v18] Encrypted Session Recordings (#57959)
236fd0e 
* adding support for encryption/decryption keys to keystore manager (#54428, #55652)

* adds new protos for resources related to encrypted session recordings and updates the existing SessionRecordingConfig protos to include a Status (#54780)

* adding local service implementation for recording encryption resources (#54816)

* adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD (#55078)

* Adding session recording plugin for `age` (#55120)

* adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD

* adding age plugin wrapping default X25519 Identity/Recipient implementation with hooks to more efficiently lookup private keys given their respective public key

* Adding recording encryption and playback for `sync` modes (#54901)

* adding cache for RecordingEncryption (#55857)

* adding recording_encryption service protos (#55121)

* adding async recording encryption with gRPC multipart uploader (#55859)

* adding file configuration for encrypted session recording (#56200)

* Switching recording encryption to unwrap keys using direct keystore RSA decryption (#56776)

* adding manual key management config (#56920)

* updating protos for recording encryption (#57055)

* Add missing handling for recording encryption configs and keys (#57279)

* updating protos for recording encryption

* changing labels for encryption keys to prevent automatic cleanup, adjusting pkcs11 host UUID check to allow for key sharing of encryption keys, preventing cloud tenants from enabling manual key management, preventing use of recording encryption in FIPS mode

* adding new protos for rotated keys and the local service for interacting (#57576)

with them

* Switching encryption keys from PEM to ASN.1 DER encoding (#58137)

* using pregenerated RSA4096 key for keystore tests because generation is too slow (#58138)

* extending precomputed RSA keys to support 4096-bit keys (#58251)

* adding rotation process to Manager and exposing with new RPCs and (#57577)

* adding rotation sub commands for recording encryption keys and fixing (#57780)

broken session_recording_config when using fileconf

* using more reliable method of validating key bit length
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marcoandredinis marcoandredinis marcoandredinis approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

No one assigned

Labels

no-changelog Indicates that a PR does not require a changelog entry size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@eriktate @marcoandredinis @rosstimothy