mirror of
https://github.com/minio/minio.git
synced 2025-11-22 18:47:43 -05:00
crypto: add support for KMS key versions
This commit adds support for KMS master key versions. Now, MinIO stores any key version information returned by the KMS as part of the object metadata. The key version identifies a particular master key within a master key ring. When encrypting/ generating a DEK, MinIO has to remember the key version - similar to the key name. When decrypting a DEK, MinIO sends the key version to the KMS such that the KMS can identify the exact key version that should be used to decrypt the object. Existing objects don't have a key version. Hence, this field will be empty. Signed-off-by: Andreas Auernhammer <github@aead.dev>
This commit is contained in:
Andreas Auernhammer
@@ -48,6 +48,12 @@ const (
|
||||
// the KMS.
|
||||
MetaDataEncryptionKey = "X-Minio-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key"
|
||||
|
||||
// MetaKeyVersion is the version of the KMS master key used to generate/encrypt
|
||||
// the data encryption key (DEK). When a MinKMS master key is "rotated", it
|
||||
// adds another key version. MinIO has to remember which key version has been
|
||||
// used to encrypt an object.
|
||||
MetaKeyVersion = "X-Minio-Internal-Server-Side-Encryption-S3-Kms-Key-Version"
|
||||
|
||||
// MetaSsecCRC is the encrypted checksum of the SSE-C encrypted object.
|
||||
MetaSsecCRC = "X-Minio-Replication-Ssec-Crc"
|
||||
|
||||
@@ -108,6 +114,7 @@ func RemoveInternalEntries(metadata map[string]string) {
|
||||
delete(metadata, MetaSealedKeyS3)
|
||||
delete(metadata, MetaSealedKeyKMS)
|
||||
delete(metadata, MetaKeyID)
|
||||
delete(metadata, MetaKeyVersion)
|
||||
delete(metadata, MetaDataEncryptionKey)
|
||||
delete(metadata, MetaSsecCRC)
|
||||
}
|
||||
@@ -150,6 +157,9 @@ func IsEncrypted(metadata map[string]string) (Type, bool) {
|
||||
if _, ok := metadata[MetaKeyID]; ok {
|
||||
return nil, true
|
||||
}
|
||||
if _, ok := metadata[MetaKeyVersion]; ok {
|
||||
return nil, true
|
||||
}
|
||||
if _, ok := metadata[MetaDataEncryptionKey]; ok {
|
||||
return nil, true
|
||||
}
|
||||
|
||||
@@ -23,6 +23,7 @@ import (
|
||||
"encoding/hex"
|
||||
"testing"
|
||||
|
||||
"github.com/minio/minio/internal/kms"
|
||||
"github.com/minio/minio/internal/logger"
|
||||
)
|
||||
|
||||
@@ -306,7 +307,7 @@ var s3CreateMetadataTests = []struct {
|
||||
SealedDataKey []byte
|
||||
SealedKey SealedKey
|
||||
}{
|
||||
{KeyID: "", SealedDataKey: nil, SealedKey: SealedKey{Algorithm: SealAlgorithm}},
|
||||
{KeyID: "foo", SealedDataKey: make([]byte, 32), SealedKey: SealedKey{Algorithm: SealAlgorithm}},
|
||||
{KeyID: "my-minio-key", SealedDataKey: make([]byte, 48), SealedKey: SealedKey{Algorithm: SealAlgorithm}},
|
||||
{KeyID: "cafebabe", SealedDataKey: make([]byte, 48), SealedKey: SealedKey{Algorithm: SealAlgorithm}},
|
||||
{KeyID: "deadbeef", SealedDataKey: make([]byte, 32), SealedKey: SealedKey{IV: [32]byte{0xf7}, Key: [64]byte{0xea}, Algorithm: SealAlgorithm}},
|
||||
@@ -316,7 +317,7 @@ func TestS3CreateMetadata(t *testing.T) {
|
||||
defer func(l bool) { logger.DisableLog = l }(logger.DisableLog)
|
||||
logger.DisableLog = true
|
||||
for i, test := range s3CreateMetadataTests {
|
||||
metadata := S3.CreateMetadata(nil, test.KeyID, test.SealedDataKey, test.SealedKey)
|
||||
metadata := S3.CreateMetadata(nil, kms.DEK{KeyID: test.KeyID, Ciphertext: test.SealedDataKey}, test.SealedKey)
|
||||
keyID, kmsKey, sealedKey, err := S3.ParseMetadata(metadata)
|
||||
if err != nil {
|
||||
t.Errorf("Test %d: failed to parse metadata: %v", i, err)
|
||||
@@ -344,7 +345,7 @@ func TestS3CreateMetadata(t *testing.T) {
|
||||
t.Errorf("Expected '%s' panic for invalid seal algorithm but got '%s'", logger.ErrCritical, err)
|
||||
}
|
||||
}()
|
||||
_ = S3.CreateMetadata(nil, "", []byte{}, SealedKey{Algorithm: InsecureSealAlgorithm})
|
||||
_ = S3.CreateMetadata(nil, kms.DEK{}, SealedKey{Algorithm: InsecureSealAlgorithm})
|
||||
}
|
||||
|
||||
var ssecCreateMetadataTests = []struct {
|
||||
|
||||
@@ -136,20 +136,15 @@ func (s3 ssekms) UnsealObjectKey(k *kms.KMS, metadata map[string]string, bucket,
|
||||
// the modified metadata. If the keyID and the kmsKey is not empty it encodes
|
||||
// both into the metadata as well. It allocates a new metadata map if metadata
|
||||
// is nil.
|
||||
func (ssekms) CreateMetadata(metadata map[string]string, keyID string, kmsKey []byte, sealedKey SealedKey, ctx kms.Context) map[string]string {
|
||||
func (ssekms) CreateMetadata(metadata map[string]string, dek kms.DEK, sealedKey SealedKey, ctx kms.Context) map[string]string {
|
||||
if sealedKey.Algorithm != SealAlgorithm {
|
||||
logger.CriticalIf(context.Background(), Errorf("The seal algorithm '%s' is invalid for SSE-S3", sealedKey.Algorithm))
|
||||
}
|
||||
|
||||
// There are two possibilities:
|
||||
// - We use a KMS -> There must be non-empty key ID and a KMS data key.
|
||||
// - We use a K/V -> There must be no key ID and no KMS data key.
|
||||
// Otherwise, the caller has passed an invalid argument combination.
|
||||
if keyID == "" && len(kmsKey) != 0 {
|
||||
logger.CriticalIf(context.Background(), errors.New("The key ID must not be empty if a KMS data key is present"))
|
||||
if dek.KeyID == "" {
|
||||
logger.CriticalIf(context.Background(), errors.New("The key ID must not be empty"))
|
||||
}
|
||||
if keyID != "" && len(kmsKey) == 0 {
|
||||
logger.CriticalIf(context.Background(), errors.New("The KMS data key must not be empty if a key ID is present"))
|
||||
if len(dek.Ciphertext) == 0 {
|
||||
logger.CriticalIf(context.Background(), errors.New("The DEK must not be empty"))
|
||||
}
|
||||
|
||||
if metadata == nil {
|
||||
@@ -159,13 +154,18 @@ func (ssekms) CreateMetadata(metadata map[string]string, keyID string, kmsKey []
|
||||
metadata[MetaAlgorithm] = sealedKey.Algorithm
|
||||
metadata[MetaIV] = base64.StdEncoding.EncodeToString(sealedKey.IV[:])
|
||||
metadata[MetaSealedKeyKMS] = base64.StdEncoding.EncodeToString(sealedKey.Key[:])
|
||||
metadata[MetaKeyID] = dek.KeyID
|
||||
metadata[MetaDataEncryptionKey] = base64.StdEncoding.EncodeToString(dek.Ciphertext)
|
||||
|
||||
if len(ctx) > 0 {
|
||||
b, _ := ctx.MarshalText()
|
||||
b, err := ctx.MarshalText()
|
||||
if err != nil {
|
||||
logger.CriticalIf(context.Background(), Errorf("crypto: failed to marshal KMS context: %v", err))
|
||||
}
|
||||
metadata[MetaContext] = base64.StdEncoding.EncodeToString(b)
|
||||
}
|
||||
if len(kmsKey) > 0 && keyID != "" { // We use a KMS -> Store key ID and sealed KMS data key.
|
||||
metadata[MetaKeyID] = keyID
|
||||
metadata[MetaDataEncryptionKey] = base64.StdEncoding.EncodeToString(kmsKey)
|
||||
if dek.Version != "" {
|
||||
metadata[MetaKeyVersion] = dek.Version
|
||||
}
|
||||
return metadata
|
||||
}
|
||||
|
||||
@@ -119,20 +119,15 @@ func (s3 sses3) UnsealObjectKeys(ctx context.Context, k *kms.KMS, metadata []map
|
||||
// the modified metadata. If the keyID and the kmsKey is not empty it encodes
|
||||
// both into the metadata as well. It allocates a new metadata map if metadata
|
||||
// is nil.
|
||||
func (sses3) CreateMetadata(metadata map[string]string, keyID string, kmsKey []byte, sealedKey SealedKey) map[string]string {
|
||||
func (sses3) CreateMetadata(metadata map[string]string, dek kms.DEK, sealedKey SealedKey) map[string]string {
|
||||
if sealedKey.Algorithm != SealAlgorithm {
|
||||
logger.CriticalIf(context.Background(), Errorf("The seal algorithm '%s' is invalid for SSE-S3", sealedKey.Algorithm))
|
||||
}
|
||||
|
||||
// There are two possibilities:
|
||||
// - We use a KMS -> There must be non-empty key ID and a KMS data key.
|
||||
// - We use a K/V -> There must be no key ID and no KMS data key.
|
||||
// Otherwise, the caller has passed an invalid argument combination.
|
||||
if keyID == "" && len(kmsKey) != 0 {
|
||||
logger.CriticalIf(context.Background(), errors.New("The key ID must not be empty if a KMS data key is present"))
|
||||
if dek.KeyID == "" {
|
||||
logger.CriticalIf(context.Background(), errors.New("The key ID must not be empty"))
|
||||
}
|
||||
if keyID != "" && len(kmsKey) == 0 {
|
||||
logger.CriticalIf(context.Background(), errors.New("The KMS data key must not be empty if a key ID is present"))
|
||||
if len(dek.Ciphertext) == 0 {
|
||||
logger.CriticalIf(context.Background(), errors.New("The DEK must not be empty"))
|
||||
}
|
||||
|
||||
if metadata == nil {
|
||||
@@ -142,9 +137,10 @@ func (sses3) CreateMetadata(metadata map[string]string, keyID string, kmsKey []b
|
||||
metadata[MetaAlgorithm] = sealedKey.Algorithm
|
||||
metadata[MetaIV] = base64.StdEncoding.EncodeToString(sealedKey.IV[:])
|
||||
metadata[MetaSealedKeyS3] = base64.StdEncoding.EncodeToString(sealedKey.Key[:])
|
||||
if len(kmsKey) > 0 && keyID != "" { // We use a KMS -> Store key ID and sealed KMS data key.
|
||||
metadata[MetaKeyID] = keyID
|
||||
metadata[MetaDataEncryptionKey] = base64.StdEncoding.EncodeToString(kmsKey)
|
||||
metadata[MetaKeyID] = dek.KeyID
|
||||
metadata[MetaDataEncryptionKey] = base64.StdEncoding.EncodeToString(dek.Ciphertext)
|
||||
if dek.Version != "" {
|
||||
metadata[MetaKeyVersion] = dek.Version
|
||||
}
|
||||
return metadata
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user