Switching recording encryption to unwrap keys using direct keystore RSA decryption#56776
Merged
Switching recording encryption to unwrap keys using direct keystore RSA decryption#56776
Conversation
eriktate
force-pushed
the
eriktate/rsa-recording-encryption
branch
3 times, most recently
from
4a27048 to
4a16d38
Compare
eriktate
changed the title
eriktate
force-pushed
the
eriktate/rsa-recording-encryption
branch
from
4a16d38 to
65d37b1
Compare
rosstimothy
reviewed
Jul 18, 2025
|
|
||
| decrypter := key | ||
| if alg == cryptosuites.RSA2048 { | ||
| if alg == cryptosuites.RSA4096 { |
Contributor
There was a problem hiding this comment.
Should this check be for RSA2048 and RSA4096? Is RSA2048 never used anymore?
Contributor
Author
There was a problem hiding this comment.
For decryption it's only RSA4096 but the GenerateDecrypterWithAlgorithm function will actually error if it's any other algo so this check is totally unnecessary.
eriktate
force-pushed
the
eriktate/rsa-recording-encryption
branch
2 times, most recently
from
4c6f773 to
cd87b3e
Compare
eriktate
added
the
no-changelog
eriktate
force-pushed
the
eriktate/rsa-recording-encryption
branch
from
cd87b3e to
6044e3f
Compare
eriktate
force-pushed
the
eriktate/rsa-recording-encryption
branch
from
17e0aab to
ced2f23
Compare
rosstimothy
approved these changes
Jul 23, 2025
public-teleport-github-review-bot
Bot
removed the request for review
from camscale
eriktate
added a commit
that referenced
this pull request
Aug 15, 2025
eriktate
added a commit
that referenced
this pull request
Aug 27, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 2, 2025
eriktate
added a commit
that referenced
this pull request
Sep 3, 2025
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Sep 3, 2025
* adding support for encryption/decryption keys to keystore manager (#54428, #55652) * adds new protos for resources related to encrypted session recordings and updates the existing SessionRecordingConfig protos to include a Status (#54780) * adding local service implementation for recording encryption resources (#54816) * adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD (#55078) * Adding session recording plugin for `age` (#55120) * adding Manager for RecordingEncryption resources that handles shared ops more complex than CRUD * adding age plugin wrapping default X25519 Identity/Recipient implementation with hooks to more efficiently lookup private keys given their respective public key * Adding recording encryption and playback for `sync` modes (#54901) * adding cache for RecordingEncryption (#55857) * adding recording_encryption service protos (#55121) * adding async recording encryption with gRPC multipart uploader (#55859) * adding file configuration for encrypted session recording (#56200) * Switching recording encryption to unwrap keys using direct keystore RSA decryption (#56776) * adding manual key management config (#56920) * updating protos for recording encryption (#57055) * Add missing handling for recording encryption configs and keys (#57279) * updating protos for recording encryption * changing labels for encryption keys to prevent automatic cleanup, adjusting pkcs11 host UUID check to allow for key sharing of encryption keys, preventing cloud tenants from enabling manual key management, preventing use of recording encryption in FIPS mode * adding new protos for rotated keys and the local service for interacting (#57576) with them * Switching encryption keys from PEM to ASN.1 DER encoding (#58137) * using pregenerated RSA4096 key for keystore tests because generation is too slow (#58138) * extending precomputed RSA keys to support 4096-bit keys (#58251) * adding rotation process to Manager and exposing with new RPCs and (#57577) * adding rotation sub commands for recording encryption keys and fixing (#57780) broken session_recording_config when using fileconf * using more reliable method of validating key bit length
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR removes the intermediate software X25519 keys present in the current encrypted recording implementation in favor of using hardware/keystore RSA keys directly. In order to make this work without adding new complexity around key exchange, encrypted recordings now assume that auth servers in the same cluster should have access to the same keys. This also means the vast majority of the cooperative key management has been replaced with simpler checks that a key is both provisioned and accessible.
There will be a follow-up PR implementing the manual key management flow now defined in the RFD.