design: scope the AWS KMS key provider (first cloud provider)#26
Open
jdatcmd wants to merge 2 commits into
Open
design: scope the AWS KMS key provider (first cloud provider)#26jdatcmd wants to merge 2 commits into
jdatcmd wants to merge 2 commits into
Conversation
Add design/aws-kms-provider.md scoping AWS as the first cloud key provider. It works through the envelope model performed inside the provider's get/store (KMS Encrypt on write, Decrypt on read), storing the KMS ciphertext in a provider-owned local file (Secrets Manager backing as an option), so the CMK never leaves KMS and no TDEKeyringRoutine vtable change is required. Covers the config/SQL surface, the AWS credential chain, a raw SigV4-over-libcurl implementation (no AWS C++ SDK), security properties, LocalStack testing, effort/risk, phasing, and open questions. Cross-link it from the cloud KMS feature in the roadmap. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A standalone libcurl+OpenSSL prototype confirms the two riskiest pieces of the design: the hand-rolled SigV4 signer reproduces botocore byte for byte (canonical request, string to sign, signing-key chain, and final signature), and a KMS Encrypt/Decrypt round trip against a mock unwraps to the original key. This settles the SigV4 concern and narrows the hand-roll-vs-aws-c-auth open question to credential resolution only. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Contributor
Author
|
Prototype update: the two riskiest pieces of this design are now de-risked with a standalone C prototype (libcurl + OpenSSL only, no AWS SDK).
I've pushed a "Prototype: SigV4 and the KMS round trip are de-risked" subsection to Still awaiting decisions on the open questions before implementing v1: (1) v1 storage local file vs Secrets Manager, (2) whether IRSA is needed day one for EKS, (3) hand-roll credentials vs link |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Scopes AWS KMS as the first cloud key provider, per the roadmap's Tier 1 item. Planning doc only, no code.
Key design points
keyring_get_key/store_key), the KMS wrap/unwrap can happen inside get/store: KMSEncrypton write,Decrypton read. The CMK never leaves KMS, and this needs noTDEKeyringRoutinevtable change — refining the roadmap's earlier note.t/aws_kms.pl, env-gated), effort/risk, phasing, and open questions.🤖 Generated with Claude Code