Replies: 1 comment
-
Hi @ivn-cote! Have you played around with Ory's HSM support already? https://www.ory.sh/docs/hydra/self-hosted/hsm-support
-
hey community!
I'd like to share an idea that aims to improve the security of the system even further and potentially even promote performance (in terms of CPU usage) of Hydra's instances.
There are special systems available for enterprises as well as for OS communities which provide a service of signing tokens. Examples are AWS KMS and HashiCorp Vault. Such services take full ownership of the operations with sensitive secrets. First, generation of key pairs with improved security (proper randomness). Secondly, automatic rotation of secrets.
Benefits of using a key management service are clear:
Please let me know if you have had a discussion on this topic already, and whether it's a feasible feature to implement!