Add missing handling for recording encryption configs and keys

api/proto/teleport/legacy/types/types.proto

@@ -1269,9 +1269,9 @@ message EncryptionKeyPair {
   uint32 hash = 4 [(gogoproto.jsontag) = "hash,omitempty"];
 }
 
-// AgeEncryptionKey is a Bech32 encoded age X25519 public key.
+// A public key to be used as a recipient during age encryption of session recordings.
 message AgeEncryptionKey {
-  // PublicKey is a Bech32 encoded age X25519 public key.
+  // A PEM encoded public key used for key wrapping during age encryption. Expected to be RSA 4096.
   bytes public_key = 1 [(gogoproto.jsontag) = "public_key"];
 }
 

api/proto/teleport/recordingencryption/v1/recording_encryption.proto

@@ -21,26 +21,22 @@ import "teleport/legacy/types/types.proto";
 
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1;recordingencryptionv1";
 
-// WrappedKey wraps the private key of a recording encryption key pair using a
-// separate asymmetric keypair.
-message WrappedKey {
-  // RecordingEncryptionPair is the asymmetric keypair used with age to encrypt
-  // and decrypt filekeys. The private key is encrypted using the KeyEncryptionPair's
-  // public key and has to be decrypted before recording decryption operations can
-  // be fulfilled.
-  types.EncryptionKeyPair recording_encryption_pair = 1;
-  // KeyEncryptionPair is the asymmetric keypair used to wrap (encrypt) the
-  // RecordingEncryptionPair's private key.
-  types.EncryptionKeyPair key_encryption_pair = 2;
+// A key pair used with age to wrap and unwrap file keys for session recording encryption.
+message KeyPair {
+  // A key pair used with age to wrap and unwrap file keys for session recording encryption.
+  types.EncryptionKeyPair key_pair = 1;
 }
 
 // RecordingEncryptionSpec contains the active key set for encrypted session recording.
 message RecordingEncryptionSpec {
-  // AciveKeys is a list of active, wrapped X25519 keypairs. The unique set of RecordingEncryptionPair
-  // public keys are used as recipients during age encryption of session recordings. This
-  // allows any active private key to be used during decryption which guards against recordings
-  // being inaccessible to auth servers waiting for their key to rotate.
-  repeated WrappedKey active_keys = 1;
+  reserved 1; // active_keys
+  reserved "active_keys";
+
+  // A list of active key pairs used for session recording encryption. The unique set of
+  // active public keys are used as recipients during age encryption. This allows any
+  // active private key to be used during decryption which guards against recordings being
+  // inaccessible to auth servers waiting for key rotation.
+  repeated KeyPair active_key_pairs = 2;
 }
 
 // RecordingEncryptionStatus contains the status of the RecordingEncryption resource.

api/types/sessionrecording.go

@@ -59,6 +59,7 @@ type SessionRecordingConfig interface {
 
 	// Clone returns a copy of the resource.
 	Clone() SessionRecordingConfig
+
 	// CheckAndSetDefaults verifies the constraints for a SessionRecordingConfig
 	CheckAndSetDefaults() error
 }

docs/pages/reference/terraform-provider/data-sources/session_recording_config.mdx

@@ -89,5 +89,5 @@ Optional:
 
 Optional:
 
-- `public_key` (String) PublicKey is a Bech32 encoded age X25519 public key.
+- `public_key` (String) A PEM encoded public key used for key wrapping during age encryption. Expected to be RSA 4096.
 

docs/pages/reference/terraform-provider/resources/session_recording_config.mdx

@@ -111,4 +111,4 @@ Optional:
 
 Optional:
 
-- `public_key` (String) PublicKey is a Bech32 encoded age X25519 public key.
+- `public_key` (String) A PEM encoded public key used for key wrapping during age encryption. Expected to be RSA 4096.

lib/auth/clusterconfig/clusterconfigv1/service.go

@@ -738,7 +738,7 @@ func (s *Service) CreateSessionRecordingConfig(ctx context.Context, cfg types.Se
 		return nil, trace.AccessDenied("this request can be only executed by an auth server")
 	}
 
-	if err := services.ValidateSessionRecordingConfig(cfg); err != nil {
+	if err := services.ValidateSessionRecordingConfig(cfg, s.signatureAlgorithmSuiteParams.FIPS, s.signatureAlgorithmSuiteParams.Cloud); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
@@ -776,9 +776,10 @@ func (s *Service) UpdateSessionRecordingConfig(ctx context.Context, req *cluster
 
 	req.SessionRecordingConfig.SetOrigin(types.OriginDynamic)
 
-	if err := services.ValidateSessionRecordingConfig(req.SessionRecordingConfig); err != nil {
+	if err := services.ValidateSessionRecordingConfig(req.SessionRecordingConfig, s.signatureAlgorithmSuiteParams.FIPS, s.signatureAlgorithmSuiteParams.Cloud); err != nil {
 		return nil, trace.Wrap(err)
 	}
+
 	updated, err := s.backend.UpdateSessionRecordingConfig(ctx, req.SessionRecordingConfig)
 
 	if err := s.emitter.EmitAuditEvent(ctx, &apievents.SessionRecordingConfigUpdate{
@@ -825,9 +826,10 @@ func (s *Service) UpsertSessionRecordingConfig(ctx context.Context, req *cluster
 
 	req.SessionRecordingConfig.SetOrigin(types.OriginDynamic)
 
-	if err := services.ValidateSessionRecordingConfig(req.SessionRecordingConfig); err != nil {
+	if err := services.ValidateSessionRecordingConfig(req.SessionRecordingConfig, s.signatureAlgorithmSuiteParams.FIPS, s.signatureAlgorithmSuiteParams.Cloud); err != nil {
 		return nil, trace.Wrap(err)
 	}
+
 	upserted, err := s.backend.UpsertSessionRecordingConfig(ctx, req.SessionRecordingConfig)
 
 	if err := s.emitter.EmitAuditEvent(ctx, &apievents.SessionRecordingConfigUpdate{

lib/auth/keystore/aws_kms.go

@@ -54,9 +54,10 @@ import (
 )
 
 const (
-	awskmsPrefix  = "awskms:"
-	clusterTagKey = "TeleportCluster"
-	awsOAEPHash   = crypto.SHA256
+	awskmsPrefix           = "awskms:"
+	clusterTagKey          = "TeleportCluster"
+	encryptedClusterTagKey = "TeleportClusterEncryption"
+	awsOAEPHash            = crypto.SHA256
 
 	pendingKeyBaseRetryInterval = time.Second / 2
 	pendingKeyMaxRetryInterval  = 4 * time.Second
@@ -131,7 +132,7 @@ func newAWSKMSKeystore(ctx context.Context, cfg *servicecfg.AWSKMSConfig, opts *
 
 	tags := cfg.Tags
 	if tags == nil {
-		tags = make(map[string]string, 1)
+		tags = make(map[string]string, 2)
 	}
 	if _, ok := tags[clusterTagKey]; !ok {
 		tags[clusterTagKey] = opts.ClusterName.GetClusterName()
@@ -196,6 +197,9 @@ func (a *awsKMSKeystore) generateKey(ctx context.Context, algorithm cryptosuites
 
 	tags := make([]kmstypes.Tag, 0, len(a.tags))
 	for k, v := range a.tags {
+		if k == clusterTagKey && usage == keyUsageDecrypt {
+			k = encryptedClusterTagKey
+		}
 		tags = append(tags, kmstypes.Tag{
 			TagKey:   aws.String(k),
 			TagValue: aws.String(v),
@@ -545,7 +549,14 @@ func (a *awsKMSKeystore) deleteUnusedKeys(ctx context.Context, activeKeys [][]by
 	if scopedKeyDeletion {
 		keyListFn = a.forEachOwnedKey
 	}
-	err := keyListFn(ctx, func(ctx context.Context, arn string) error {
+	err := keyListFn(ctx, func(ctx context.Context, arn string, tags []rgttypes.Tag) error {
+		if slices.ContainsFunc(tags, func(tag rgttypes.Tag) bool {
+			return aws.ToString(tag.Key) == encryptedClusterTagKey
+		}) {
+			// do nothing for keys marked with delete prevention
+			return nil
+		}
+
 		key, err := keyIDFromArn(arn)
 		if err != nil {
 			return trace.Wrap(err)
@@ -645,7 +656,7 @@ func (a *awsKMSKeystore) deleteUnusedKeys(ctx context.Context, activeKeys [][]by
 
 // forEachKey calls fn with the AWS key ID of all keys in the AWS account and
 // region that would be returned by ListKeys. It may call fn concurrently.
-func (a *awsKMSKeystore) forEachKey(ctx context.Context, fn func(ctx context.Context, keyARN string) error) error {
+func (a *awsKMSKeystore) forEachKey(ctx context.Context, fn func(ctx context.Context, keyARN string, tags []rgttypes.Tag) error) error {
 	errGroup, ctx := errgroup.WithContext(ctx)
 	marker := ""
 	more := true
@@ -666,7 +677,7 @@ func (a *awsKMSKeystore) forEachKey(ctx context.Context, fn func(ctx context.Con
 		for _, keyEntry := range output.Keys {
 			keyID := aws.ToString(keyEntry.KeyArn)
 			errGroup.Go(func() error {
-				return trace.Wrap(fn(ctx, keyID))
+				return trace.Wrap(fn(ctx, keyID, nil))
 			})
 		}
 	}
@@ -675,7 +686,7 @@ func (a *awsKMSKeystore) forEachKey(ctx context.Context, fn func(ctx context.Con
 
 // forEachOwnedKey calls fn with the AWS key ID of all owned keys in the AWS account and
 // region that would be returned by GetResources. It may call fn concurrently.
-func (a *awsKMSKeystore) forEachOwnedKey(ctx context.Context, fn func(ctx context.Context, keyARN string) error) error {
+func (a *awsKMSKeystore) forEachOwnedKey(ctx context.Context, fn func(ctx context.Context, keyARN string, tags []rgttypes.Tag) error) error {
 	const maxGoRoutines = 5
 	errGroup, ctx := errgroup.WithContext(ctx)
 	errGroup.SetLimit(maxGoRoutines)
@@ -705,7 +716,7 @@ func (a *awsKMSKeystore) forEachOwnedKey(ctx context.Context, fn func(ctx contex
 		for _, keyEntry := range output.ResourceTagMappingList {
 			keyID := aws.ToString(keyEntry.ResourceARN)
 			errGroup.Go(func() error {
-				return trace.Wrap(fn(ctx, keyID))
+				return trace.Wrap(fn(ctx, keyID, keyEntry.Tags))
 			})
 		}
 	}