Skip to content

Adding decryption to AWS KMS keystore backend#55652

Merged
eriktate merged 1 commit intomasterfrom
eriktate/aws-keystore-decryption
Jun 18, 2025
Merged

Adding decryption to AWS KMS keystore backend#55652
eriktate merged 1 commit intomasterfrom
eriktate/aws-keystore-decryption

Conversation

@eriktate
Copy link
Copy Markdown
Contributor

@eriktate eriktate commented Jun 11, 2025

This PR adds decryption support to the AWS KMS keystore backend.

@eriktate eriktate added the no-changelog Indicates that a PR does not require a changelog entry label Jun 11, 2025
@github-actions github-actions Bot requested review from gzdunek and nklaassen June 11, 2025 22:36
@eriktate eriktate force-pushed the eriktate/aws-keystore-decryption branch from d7ed87f to e4688d0 Compare June 11, 2025 22:37
@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from gzdunek June 18, 2025 12:36
@eriktate eriktate added this pull request to the merge queue Jun 18, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 18, 2025
@eriktate eriktate added this pull request to the merge queue Jun 18, 2025
Merged via the queue into master with commit deeadd3 Jun 18, 2025
41 of 42 checks passed
@eriktate eriktate deleted the eriktate/aws-keystore-decryption branch June 18, 2025 13:29
eriktate added a commit that referenced this pull request Jun 30, 2025
@eriktate
adding decryption to AWS KMS keystore backend (#55652)
10f587d
@eriktate eriktate mentioned this pull request Jun 30, 2025
Closed
eriktate added a commit that referenced this pull request Jul 1, 2025
@eriktate
adding decryption to AWS KMS keystore backend (#55652)
1466473
eriktate added a commit that referenced this pull request Jul 1, 2025
@eriktate
adding decryption to AWS KMS keystore backend (#55652)
00b2c86
@eriktate eriktate mentioned this pull request Jul 1, 2025
Closed
eriktate added a commit that referenced this pull request Jul 1, 2025
@eriktate
adding decryption to AWS KMS keystore backend (#55652)
a35c565
eriktate added a commit that referenced this pull request Aug 15, 2025
@eriktate
adding support for encryption/decryption keys to keystore manager (#5…
06104ce 
…4428, #55652)
@eriktate eriktate mentioned this pull request Aug 15, 2025
Merged
eriktate added a commit that referenced this pull request Aug 27, 2025
@eriktate
adding support for encryption/decryption keys to keystore manager (#5…
7ca4b42 
…4428, #55652)
eriktate added a commit that referenced this pull request Sep 2, 2025
@eriktate
adding support for encryption/decryption keys to keystore manager (#5…
7095818 
…4428, #55652)
eriktate added a commit that referenced this pull request Sep 2, 2025
@eriktate
adding support for encryption/decryption keys to keystore manager (#5…
f391411 
…4428, #55652)
eriktate added a commit that referenced this pull request Sep 2, 2025
@eriktate
adding support for encryption/decryption keys to keystore manager (#5…
839754c 
…4428, #55652)
eriktate added a commit that referenced this pull request Sep 3, 2025
@eriktate
adding support for encryption/decryption keys to keystore manager (#5…
741d7c9 
…4428, #55652)
github-merge-queue Bot pushed a commit that referenced this pull request Sep 3, 2025
@eriktate
[v18] Encrypted Session Recordings (#57959)
236fd0e 
* adding support for encryption/decryption keys to keystore manager (#54428, #55652)

* adds new protos for resources related to encrypted session recordings and updates the existing SessionRecordingConfig protos to include a Status (#54780)

* adding local service implementation for recording encryption resources (#54816)

* adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD (#55078)

* Adding session recording plugin for `age` (#55120)

* adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD

* adding age plugin wrapping default X25519 Identity/Recipient implementation with hooks to more efficiently lookup private keys given their respective public key

* Adding recording encryption and playback for `sync` modes (#54901)

* adding cache for RecordingEncryption (#55857)

* adding recording_encryption service protos (#55121)

* adding async recording encryption with gRPC multipart uploader (#55859)

* adding file configuration for encrypted session recording (#56200)

* Switching recording encryption to unwrap keys using direct keystore RSA decryption (#56776)

* adding manual key management config (#56920)

* updating protos for recording encryption (#57055)

* Add missing handling for recording encryption configs and keys (#57279)

* updating protos for recording encryption

* changing labels for encryption keys to prevent automatic cleanup, adjusting pkcs11 host UUID check to allow for key sharing of encryption keys, preventing cloud tenants from enabling manual key management, preventing use of recording encryption in FIPS mode

* adding new protos for rotated keys and the local service for interacting (#57576)

with them

* Switching encryption keys from PEM to ASN.1 DER encoding (#58137)

* using pregenerated RSA4096 key for keystore tests because generation is too slow (#58138)

* extending precomputed RSA keys to support 4096-bit keys (#58251)

* adding rotation process to Manager and exposing with new RPCs and (#57577)

* adding rotation sub commands for recording encryption keys and fixing (#57780)

broken session_recording_config when using fileconf

* using more reliable method of validating key bit length
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nklaassen nklaassen nklaassen approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

No one assigned

Labels

no-changelog Indicates that a PR does not require a changelog entry size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@eriktate @nklaassen @rosstimothy