MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/cmd/crypto/kms.go

226 lines
6.2 KiB
Go
Raw Normal View History

Replace Minio refs in docs with MinIO and links (#7494)
2019-04-09 14:39:42 -04:00
// MinIO Cloud Storage, (C) 2015, 2016, 2017, 2018 MinIO, Inc.
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package crypto
import (
"bytes"
"context"
"crypto/hmac"
"crypto/rand"
"errors"
"fmt"
"io"
"sort"
"github.com/minio/minio/cmd/logger"
sha256 "github.com/minio/sha256-simd"
"github.com/minio/sio"
)
// Context is a list of key-value pairs cryptographically
// associated with a certain object.
type Context map[string]string
// WriteTo writes the context in a canonical from to w.
// It returns the number of bytes and the first error
// encounter during writing to w, if any.
//
// WriteTo sorts the context keys and writes the sorted
// key-value pairs as canonical JSON object to w.
Optimize decryptObjectInfo (#10726) `decryptObjectInfo` is a significant bottleneck when listing objects. Reduce the allocations for a significant speedup. https://github.com/minio/sio/pull/40 ``` λ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta Benchmark_decryptObjectInfo-32 24260928 808656 -96.67% benchmark old MB/s new MB/s speedup Benchmark_decryptObjectInfo-32 0.04 1.24 31.00x benchmark old allocs new allocs delta Benchmark_decryptObjectInfo-32 75112 48996 -34.77% benchmark old bytes new bytes delta Benchmark_decryptObjectInfo-32 287694772 4228076 -98.53% ```
2020-10-29 12:34:20 -04:00
//
// Note that neither keys nor values are escaped for JSON.
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
func (c Context) WriteTo(w io.Writer) (n int64, err error) {
sortedKeys := make(sort.StringSlice, 0, len(c))
for k := range c {
sortedKeys = append(sortedKeys, k)
}
sort.Sort(sortedKeys)
nn, err := io.WriteString(w, "{")
if err != nil {
return n + int64(nn), err
}
n += int64(nn)
for i, k := range sortedKeys {
s := fmt.Sprintf("\"%s\":\"%s\",", k, c[k])
if i == len(sortedKeys)-1 {
s = s[:len(s)-1] // remove last ','
}
nn, err = io.WriteString(w, s)
if err != nil {
return n + int64(nn), err
}
n += int64(nn)
}
nn, err = io.WriteString(w, "}")
return n + int64(nn), err
}
Optimize decryptObjectInfo (#10726) `decryptObjectInfo` is a significant bottleneck when listing objects. Reduce the allocations for a significant speedup. https://github.com/minio/sio/pull/40 ``` λ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta Benchmark_decryptObjectInfo-32 24260928 808656 -96.67% benchmark old MB/s new MB/s speedup Benchmark_decryptObjectInfo-32 0.04 1.24 31.00x benchmark old allocs new allocs delta Benchmark_decryptObjectInfo-32 75112 48996 -34.77% benchmark old bytes new bytes delta Benchmark_decryptObjectInfo-32 287694772 4228076 -98.53% ```
2020-10-29 12:34:20 -04:00
// AppendTo appends the context in a canonical from to dst.
//
// AppendTo sorts the context keys and writes the sorted
// key-value pairs as canonical JSON object to w.
//
// Note that neither keys nor values are escaped for JSON.
func (c Context) AppendTo(dst []byte) (output []byte) {
if len(c) == 0 {
return append(dst, '{', '}')
}
// out should not escape.
out := bytes.NewBuffer(dst)
// No need to copy+sort
if len(c) == 1 {
for k, v := range c {
out.WriteString(`{"`)
out.WriteString(k)
out.WriteString(`":"`)
out.WriteString(v)
out.WriteString(`"}`)
}
return out.Bytes()
}
sortedKeys := make([]string, 0, len(c))
for k := range c {
sortedKeys = append(sortedKeys, k)
}
sort.Strings(sortedKeys)
out.WriteByte('{')
for i, k := range sortedKeys {
out.WriteByte('"')
out.WriteString(k)
out.WriteString(`":"`)
out.WriteString(c[k])
out.WriteByte('"')
if i < len(sortedKeys)-1 {
out.WriteByte(',')
}
}
out.WriteByte('}')
return out.Bytes()
}
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
// KMS represents an active and authenticted connection
// to a Key-Management-Service. It supports generating
// data key generation and unsealing of KMS-generated
// data keys.
type KMS interface {
admin: new API for creating KMS master keys (#9982) This commit adds a new admin API for creating master keys. An admin client can send a POST request to: ``` /minio/admin/v3/kms/key/create?key-id=<keyID> ``` The name / ID of the new key is specified as request query parameter `key-id=<ID>`. Creating new master keys requires KES - it does not work with the native Vault KMS (deprecated) nor with a static master key (deprecated). Further, this commit removes the `UpdateKey` method from the `KMS` interface. This method is not needed and not used anymore.
2020-07-08 21:50:43 -04:00
// DefaultKeyID returns the default master key ID. It should be
// used for SSE-S3 and whenever a S3 client requests SSE-KMS but
// does not specify an explicit SSE-KMS key ID.
DefaultKeyID() string
// CreateKey creates a new master key with the given key ID
// at the KMS.
CreateKey(keyID string) error
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 01:47:56 -04:00
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
// GenerateKey generates a new random data key using
// the master key referenced by the keyID. It returns
// the plaintext key and the sealed plaintext key
// on success.
//
// The context is cryptographically bound to the
// generated key. The same context must be provided
// again to unseal the generated key.
crypto: add support for parsing/creating SSE-C/SSE-S3 metadata (#6169) * crypto: add support for parsing SSE-C/SSE-S3 metadata This commit adds support for detecting and parsing SSE-C/SSE-S3 object metadata. With the `IsEncrypted` functions it is possible to determine whether an object seems to be encrypted. With the `ParseMetadata` functions it is possible to validate such metadata and extract the SSE-C/SSE-S3 related values. It also fixes some naming issues. * crypto: add functions for creating SSE object metadata This commit adds functions for creating SSE-S3 and SSE-C metadata. It also adds a `CreateMultipartMetadata` for creating multipart metadata. For all functions unit tests are included.
2018-07-25 16:35:54 -04:00
GenerateKey(keyID string, context Context) (key [32]byte, sealedKey []byte, err error)
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
// UnsealKey unseals the sealedKey using the master key
// referenced by the keyID. The provided context must
// match the context used to generate the sealed key.
crypto: add support for parsing/creating SSE-C/SSE-S3 metadata (#6169) * crypto: add support for parsing SSE-C/SSE-S3 metadata This commit adds support for detecting and parsing SSE-C/SSE-S3 object metadata. With the `IsEncrypted` functions it is possible to determine whether an object seems to be encrypted. With the `ParseMetadata` functions it is possible to validate such metadata and extract the SSE-C/SSE-S3 related values. It also fixes some naming issues. * crypto: add functions for creating SSE object metadata This commit adds functions for creating SSE-S3 and SSE-C metadata. It also adds a `CreateMultipartMetadata` for creating multipart metadata. For all functions unit tests are included.
2018-07-25 16:35:54 -04:00
UnsealKey(keyID string, sealedKey []byte, context Context) (key [32]byte, err error)
add `UpdateKey` method to KMS interface (#7974) This commit adds a new method `UpdateKey` to the KMS interface. The purpose of `UpdateKey` is to re-wrap an encrypted data key (the key generated & encrypted with a master key by e.g. Vault). For example, consider Vault with a master key ID: `master-key-1` and an encrypted data key `E(dk)` for a particular object. The data key `dk` has been generated randomly when the object was created. Now, the KMS operator may "rotate" the master key `master-key-1`. However, the KMS cannot forget the "old" value of that master key since there is still an object that requires `dk`, and therefore, the `D(E(dk))`. With the `UpdateKey` method call MinIO can ask the KMS to decrypt `E(dk)` with the old key (internally) and re-encrypted `dk` with the new master key value: `E'(dk)`. However, this operation only works for the same master key ID. When rotating the data key (replacing it with a new one) then we perform a `UnsealKey` operation with the 1st master key ID and then a `GenerateKey` operation with the 2nd master key ID. This commit also updates the KMS documentation and removes the `encrypt` policy entry (we don't use `encrypt`) and add a policy entry for `rewarp`.
2019-08-01 18:47:47 -04:00
admin: new API for creating KMS master keys (#9982) This commit adds a new admin API for creating master keys. An admin client can send a POST request to: ``` /minio/admin/v3/kms/key/create?key-id=<keyID> ``` The name / ID of the new key is specified as request query parameter `key-id=<ID>`. Creating new master keys requires KES - it does not work with the native Vault KMS (deprecated) nor with a static master key (deprecated). Further, this commit removes the `UpdateKey` method from the `KMS` interface. This method is not needed and not used anymore.
2020-07-08 21:50:43 -04:00
// Info returns descriptive information about the KMS,
// like the default key ID and authentication method.
Info() KMSInfo
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
}
type masterKeyKMS struct {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 01:47:56 -04:00
keyID string
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
masterKey [32]byte
}
admin: new API for creating KMS master keys (#9982) This commit adds a new admin API for creating master keys. An admin client can send a POST request to: ``` /minio/admin/v3/kms/key/create?key-id=<keyID> ``` The name / ID of the new key is specified as request query parameter `key-id=<ID>`. Creating new master keys requires KES - it does not work with the native Vault KMS (deprecated) nor with a static master key (deprecated). Further, this commit removes the `UpdateKey` method from the `KMS` interface. This method is not needed and not used anymore.
2020-07-08 21:50:43 -04:00
// KMSInfo contains some describing information about
// the KMS.
New Admin Info (#8497)
2019-12-11 17:27:03 -05:00
type KMSInfo struct {
crypto: allow multiple KES endpoints (#10383) This commit addresses a maintenance / automation problem when MinIO-KES is deployed on bare-metal. In orchestrated env. the orchestrator (K8S) will make sure that `n` KES servers (IPs) are available via the same DNS name. There it is sufficient to provide just one endpoint.
2020-08-31 21:10:52 -04:00
Endpoints []string
Name string
AuthType string
New Admin Info (#8497)
2019-12-11 17:27:03 -05:00
}
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 01:47:56 -04:00
// NewMasterKey returns a basic KMS implementation from a single 256 bit master key.
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
//
// The KMS accepts any keyID but binds the keyID and context cryptographically
// to the generated keys.
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 01:47:56 -04:00
func NewMasterKey(keyID string, key [32]byte) KMS { return &masterKeyKMS{keyID: keyID, masterKey: key} }
admin: new API for creating KMS master keys (#9982) This commit adds a new admin API for creating master keys. An admin client can send a POST request to: ``` /minio/admin/v3/kms/key/create?key-id=<keyID> ``` The name / ID of the new key is specified as request query parameter `key-id=<ID>`. Creating new master keys requires KES - it does not work with the native Vault KMS (deprecated) nor with a static master key (deprecated). Further, this commit removes the `UpdateKey` method from the `KMS` interface. This method is not needed and not used anymore.
2020-07-08 21:50:43 -04:00
func (kms *masterKeyKMS) DefaultKeyID() string {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 01:47:56 -04:00
return kms.keyID
}
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
admin: new API for creating KMS master keys (#9982) This commit adds a new admin API for creating master keys. An admin client can send a POST request to: ``` /minio/admin/v3/kms/key/create?key-id=<keyID> ``` The name / ID of the new key is specified as request query parameter `key-id=<ID>`. Creating new master keys requires KES - it does not work with the native Vault KMS (deprecated) nor with a static master key (deprecated). Further, this commit removes the `UpdateKey` method from the `KMS` interface. This method is not needed and not used anymore.
2020-07-08 21:50:43 -04:00
func (kms *masterKeyKMS) CreateKey(keyID string) error {
return errors.New("crypto: creating keys is not supported by a static master key")
}
crypto: add support for parsing/creating SSE-C/SSE-S3 metadata (#6169) * crypto: add support for parsing SSE-C/SSE-S3 metadata This commit adds support for detecting and parsing SSE-C/SSE-S3 object metadata. With the `IsEncrypted` functions it is possible to determine whether an object seems to be encrypted. With the `ParseMetadata` functions it is possible to validate such metadata and extract the SSE-C/SSE-S3 related values. It also fixes some naming issues. * crypto: add functions for creating SSE object metadata This commit adds functions for creating SSE-S3 and SSE-C metadata. It also adds a `CreateMultipartMetadata` for creating multipart metadata. For all functions unit tests are included.
2018-07-25 16:35:54 -04:00
func (kms *masterKeyKMS) GenerateKey(keyID string, ctx Context) (key [32]byte, sealedKey []byte, err error) {
if _, err = io.ReadFull(rand.Reader, key[:]); err != nil {
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
logger.CriticalIf(context.Background(), errOutOfEntropy)
}
var (
buffer bytes.Buffer
derivedKey = kms.deriveKey(keyID, ctx)
)
crypto: add support for parsing/creating SSE-C/SSE-S3 metadata (#6169) * crypto: add support for parsing SSE-C/SSE-S3 metadata This commit adds support for detecting and parsing SSE-C/SSE-S3 object metadata. With the `IsEncrypted` functions it is possible to determine whether an object seems to be encrypted. With the `ParseMetadata` functions it is possible to validate such metadata and extract the SSE-C/SSE-S3 related values. It also fixes some naming issues. * crypto: add functions for creating SSE object metadata This commit adds functions for creating SSE-S3 and SSE-C metadata. It also adds a `CreateMultipartMetadata` for creating multipart metadata. For all functions unit tests are included.
2018-07-25 16:35:54 -04:00
if n, err := sio.Encrypt(&buffer, bytes.NewReader(key[:]), sio.Config{Key: derivedKey[:]}); err != nil || n != 64 {
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
logger.CriticalIf(context.Background(), errors.New("KMS: unable to encrypt data key"))
}
sealedKey = buffer.Bytes()
return key, sealedKey, nil
}
New Admin Info (#8497)
2019-12-11 17:27:03 -05:00
// KMS is configured directly using master key
func (kms *masterKeyKMS) Info() (info KMSInfo) {
return KMSInfo{
crypto: allow multiple KES endpoints (#10383) This commit addresses a maintenance / automation problem when MinIO-KES is deployed on bare-metal. In orchestrated env. the orchestrator (K8S) will make sure that `n` KES servers (IPs) are available via the same DNS name. There it is sufficient to provide just one endpoint.
2020-08-31 21:10:52 -04:00
Endpoints: []string{},
Name: "",
AuthType: "master-key",
New Admin Info (#8497)
2019-12-11 17:27:03 -05:00
}
}
crypto: add support for parsing/creating SSE-C/SSE-S3 metadata (#6169) * crypto: add support for parsing SSE-C/SSE-S3 metadata This commit adds support for detecting and parsing SSE-C/SSE-S3 object metadata. With the `IsEncrypted` functions it is possible to determine whether an object seems to be encrypted. With the `ParseMetadata` functions it is possible to validate such metadata and extract the SSE-C/SSE-S3 related values. It also fixes some naming issues. * crypto: add functions for creating SSE object metadata This commit adds functions for creating SSE-S3 and SSE-C metadata. It also adds a `CreateMultipartMetadata` for creating multipart metadata. For all functions unit tests are included.
2018-07-25 16:35:54 -04:00
func (kms *masterKeyKMS) UnsealKey(keyID string, sealedKey []byte, ctx Context) (key [32]byte, err error) {
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
var (
derivedKey = kms.deriveKey(keyID, ctx)
)
Optimize decryptObjectInfo (#10726) `decryptObjectInfo` is a significant bottleneck when listing objects. Reduce the allocations for a significant speedup. https://github.com/minio/sio/pull/40 ``` λ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta Benchmark_decryptObjectInfo-32 24260928 808656 -96.67% benchmark old MB/s new MB/s speedup Benchmark_decryptObjectInfo-32 0.04 1.24 31.00x benchmark old allocs new allocs delta Benchmark_decryptObjectInfo-32 75112 48996 -34.77% benchmark old bytes new bytes delta Benchmark_decryptObjectInfo-32 287694772 4228076 -98.53% ```
2020-10-29 12:34:20 -04:00
out, err := sio.DecryptBuffer(key[:0], sealedKey, sio.Config{Key: derivedKey[:]})
if err != nil || len(out) != 32 {
crypto: add support for parsing/creating SSE-C/SSE-S3 metadata (#6169) * crypto: add support for parsing SSE-C/SSE-S3 metadata This commit adds support for detecting and parsing SSE-C/SSE-S3 object metadata. With the `IsEncrypted` functions it is possible to determine whether an object seems to be encrypted. With the `ParseMetadata` functions it is possible to validate such metadata and extract the SSE-C/SSE-S3 related values. It also fixes some naming issues. * crypto: add functions for creating SSE object metadata This commit adds functions for creating SSE-S3 and SSE-C metadata. It also adds a `CreateMultipartMetadata` for creating multipart metadata. For all functions unit tests are included.
2018-07-25 16:35:54 -04:00
return key, err // TODO(aead): upgrade sio to use sio.Error
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
}
return key, nil
}
func (kms *masterKeyKMS) deriveKey(keyID string, context Context) (key [32]byte) {
if context == nil {
context = Context{}
}
mac := hmac.New(sha256.New, kms.masterKey[:])
mac.Write([]byte(keyID))
Optimize decryptObjectInfo (#10726) `decryptObjectInfo` is a significant bottleneck when listing objects. Reduce the allocations for a significant speedup. https://github.com/minio/sio/pull/40 ``` λ benchcmp before.txt after.txt benchmark old ns/op new ns/op delta Benchmark_decryptObjectInfo-32 24260928 808656 -96.67% benchmark old MB/s new MB/s speedup Benchmark_decryptObjectInfo-32 0.04 1.24 31.00x benchmark old allocs new allocs delta Benchmark_decryptObjectInfo-32 75112 48996 -34.77% benchmark old bytes new bytes delta Benchmark_decryptObjectInfo-32 287694772 4228076 -98.53% ```
2020-10-29 12:34:20 -04:00
mac.Write(context.AppendTo(make([]byte, 0, 128)))
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on.
2018-07-18 01:40:34 -04:00
mac.Sum(key[:0])
return key
}