Skip to content

design: scope the AWS KMS key provider (first cloud provider)#26

Open
jdatcmd wants to merge 2 commits into
mainfrom
design/aws-kms-provider
Open

design: scope the AWS KMS key provider (first cloud provider)#26
jdatcmd wants to merge 2 commits into
mainfrom
design/aws-kms-provider

Conversation

@jdatcmd

@jdatcmd jdatcmd commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Scopes AWS KMS as the first cloud key provider, per the roadmap's Tier 1 item. Planning doc only, no code.

Key design points

  • Envelope inside the provider. Because the provider interface deals in raw key bytes (keyring_get_key/store_key), the KMS wrap/unwrap can happen inside get/store: KMS Encrypt on write, Decrypt on read. The CMK never leaves KMS, and this needs no TDEKeyringRoutine vtable change — refining the roadmap's earlier note.
  • Wrapped-blob storage: a provider-owned local ciphertext file in the data directory (recommended v1; a stolen disk yields only KMS ciphertext), with AWS Secrets Manager backing as a managed option.
  • Implementation: raw HTTPS + AWS SigV4 over the already-linked libcurl/OpenSSL, not the heavy AWS C++ SDK; mirrors the OpenBao provider.
  • Auth: the standard AWS credential chain (env/profile, IMDSv2 instance role in v1; IRSA/STS and ECS task role in v2). The credential chain is the main effort and risk, not the crypto.
  • No on-disk format change; purely additive alongside file/KMIP/OpenBao.
  • Covers config/SQL surface, security properties, LocalStack testing (t/aws_kms.pl, env-gated), effort/risk, phasing, and open questions.

🤖 Generated with Claude Code

ChronicallyJD and others added 2 commits July 16, 2026 09:11
Add design/aws-kms-provider.md scoping AWS as the first cloud key
provider. It works through the envelope model performed inside the
provider's get/store (KMS Encrypt on write, Decrypt on read), storing the
KMS ciphertext in a provider-owned local file (Secrets Manager backing as
an option), so the CMK never leaves KMS and no TDEKeyringRoutine vtable
change is required. Covers the config/SQL surface, the AWS credential
chain, a raw SigV4-over-libcurl implementation (no AWS C++ SDK), security
properties, LocalStack testing, effort/risk, phasing, and open questions.

Cross-link it from the cloud KMS feature in the roadmap.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A standalone libcurl+OpenSSL prototype confirms the two riskiest pieces of the
design: the hand-rolled SigV4 signer reproduces botocore byte for byte
(canonical request, string to sign, signing-key chain, and final signature),
and a KMS Encrypt/Decrypt round trip against a mock unwraps to the original
key. This settles the SigV4 concern and narrows the hand-roll-vs-aws-c-auth
open question to credential resolution only.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@jdatcmd

jdatcmd commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

Prototype update: the two riskiest pieces of this design are now de-risked with a standalone C prototype (libcurl + OpenSSL only, no AWS SDK).

  • SigV4 signing reproduces botocore byte for byte for a fixed KMS Encrypt request: canonical request, payload hash, string to sign, the kDate/kRegion/kService/kSigning chain, and the final signature all match. An independent HMAC-SHA256 recomputation agrees.
  • KMS Encrypt/Decrypt round trip against a mock KMS (moto) wraps a 32-byte key and unwraps it back to the original over HTTPS. This is the envelope operation the provider runs inside get/store.

I've pushed a "Prototype: SigV4 and the KMS round trip are de-risked" subsection to design/aws-kms-provider.md under Implementation approach recording this. It narrows the hand-roll-vs-aws-c-auth open question to credential resolution only; the KMS protocol and signing are cheap to hand-roll with the libraries already linked.

Still awaiting decisions on the open questions before implementing v1: (1) v1 storage local file vs Secrets Manager, (2) whether IRSA is needed day one for EKS, (3) hand-roll credentials vs link aws-c-auth.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants