kms: add support for MinKMS and remove some unused/broken code (#19368)

This commit adds support for MinKMS. Now, there are three KMS implementations in `internal/kms`: Builtin, MinIO KES and MinIO KMS. Adding another KMS integration required some cleanup. In particular: - Various KMS APIs that haven't been and are not used have been removed. A lot of the code was broken anyway. - Metrics are now monitored by the `kms.KMS` itself. For basic metrics this is simpler than collecting metrics for external servers. In particular, each KES server returns its own metrics and no cluster-level view. - The builtin KMS now uses the same en/decryption implemented by MinKMS and KES. It still supports decryption of the previous ciphertext format. It's backwards compatible. - Data encryption keys now include a master key version since MinKMS supports multiple versions (~4 billion in total and 10000 concurrent) per key name. Signed-off-by: Andreas Auernhammer <github@aead.dev>
2025-11-07 12:52:58 -05:00 · 2024-05-08 01:55:37 +02:00
parent 981497799a
commit 8b660e18f2
36 changed files with 1794 additions and 1808 deletions
--- a/internal/config/crypto.go
+++ b/internal/config/crypto.go
@@ -38,7 +38,7 @@ import (
 //
 // The same context must be provided when decrypting the
 // ciphertext.
-func EncryptBytes(k kms.KMS, plaintext []byte, context kms.Context) ([]byte, error) {
+func EncryptBytes(k *kms.KMS, plaintext []byte, context kms.Context) ([]byte, error) {
 	ciphertext, err := Encrypt(k, bytes.NewReader(plaintext), context)
 	if err != nil {
 		return nil, err
@@ -49,7 +49,7 @@ func EncryptBytes(k kms.KMS, plaintext []byte, context kms.Context) ([]byte, err
 // DecryptBytes decrypts the ciphertext using a key managed by the KMS.
 // The same context that have been used during encryption must be
 // provided.
-func DecryptBytes(k kms.KMS, ciphertext []byte, context kms.Context) ([]byte, error) {
+func DecryptBytes(k *kms.KMS, ciphertext []byte, context kms.Context) ([]byte, error) {
 	plaintext, err := Decrypt(k, bytes.NewReader(ciphertext), context)
 	if err != nil {
 		return nil, err
@@ -62,13 +62,13 @@ func DecryptBytes(k kms.KMS, ciphertext []byte, context kms.Context) ([]byte, er
 //
 // The same context must be provided when decrypting the
 // ciphertext.
-func Encrypt(k kms.KMS, plaintext io.Reader, ctx kms.Context) (io.Reader, error) {
+func Encrypt(k *kms.KMS, plaintext io.Reader, ctx kms.Context) (io.Reader, error) {
 	algorithm := sio.AES_256_GCM
 	if !fips.Enabled && !sioutil.NativeAES() {
 		algorithm = sio.ChaCha20Poly1305
 	}

-	key, err := k.GenerateKey(context.Background(), "", ctx)
+	key, err := k.GenerateKey(context.Background(), &kms.GenerateKeyRequest{AssociatedData: ctx})
 	if err != nil {
 		return nil, err
 	}
@@ -116,7 +116,7 @@ func Encrypt(k kms.KMS, plaintext io.Reader, ctx kms.Context) (io.Reader, error)
 // Decrypt decrypts the ciphertext using a key managed by the KMS.
 // The same context that have been used during encryption must be
 // provided.
-func Decrypt(k kms.KMS, ciphertext io.Reader, context kms.Context) (io.Reader, error) {
+func Decrypt(k *kms.KMS, ciphertext io.Reader, associatedData kms.Context) (io.Reader, error) {
 	const (
 		MaxMetadataSize = 1 << 20 // max. size of the metadata
 		Version         = 1
@@ -149,7 +149,11 @@ func Decrypt(k kms.KMS, ciphertext io.Reader, context kms.Context) (io.Reader, e
 		return nil, fmt.Errorf("config: unsupported encryption algorithm: %q is not supported in FIPS mode", metadata.Algorithm)
 	}

-	key, err := k.DecryptKey(metadata.KeyID, metadata.KMSKey, context)
+	key, err := k.Decrypt(context.TODO(), &kms.DecryptRequest{
+		Name:           metadata.KeyID,
+		Ciphertext:     metadata.KMSKey,
+		AssociatedData: associatedData,
+	})
 	if err != nil {
 		return nil, err
 	}
--- a/internal/config/crypto_test.go
+++ b/internal/config/crypto_test.go
@@ -53,7 +53,7 @@ func TestEncryptDecrypt(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to decode master key: %v", err)
 	}
-	KMS, err := kms.New("my-key", key)
+	KMS, err := kms.NewBuiltin("my-key", key)
 	if err != nil {
 		t.Fatalf("Failed to create KMS: %v", err)
 	}
@@ -88,7 +88,7 @@ func BenchmarkEncrypt(b *testing.B) {
 	if err != nil {
 		b.Fatalf("Failed to decode master key: %v", err)
 	}
-	KMS, err := kms.New("my-key", key)
+	KMS, err := kms.NewBuiltin("my-key", key)
 	if err != nil {
 		b.Fatalf("Failed to create KMS: %v", err)
 	}