Skip to content

docs: Address KMS keyring on-encrypt issues #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Mar 19, 2020
Merged

docs: Address KMS keyring on-encrypt issues #74

merged 6 commits into from
Mar 19, 2020

Conversation

mattsb42-aws
Copy link
Member

Issue #, if available:
resolves: #73

Description of changes:
This resolves the discrepancies found between the intent of KMS keyring behavior and configuration and the spec and adds a description of that intent.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

lavaleri
lavaleri reviewed Mar 16, 2020
View reviewed changes
framework/kms-keyring.md Outdated

However, if the keyring attempts to decrypt using CMK C and cannot,
this failure still honors the configured intent and MUST NOT halt decryption.
The configured intent is that they keyring MUST *attempt* with these CMKs,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would try to make it a bit more clear that these CMKs refers to the CMKs configured with this keyring, not "CMK A, B, and C". Maybe make this more clear by explicitly giving the example of "If you configure the KMS keyring for decrypt with CMKs C, D, E" or something like that? Or is that more confusing?

WesleyRosenblum
WesleyRosenblum reviewed Mar 17, 2020
View reviewed changes
seebees
seebees reviewed Mar 17, 2020
View reviewed changes
MatthewBennington
MatthewBennington suggested changes Mar 17, 2020
View reviewed changes
framework/kms-keyring.md
they are stating their intent that they need each one of those CMKs to be able to
independently decrypt the resulting encrypted message.

For example, if a user configures a KMS keyring with CMKs A, B, and C
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO There should be a separate "Example Behaviors" section.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel that would be distracting in this particular case. What I'm trying to do here is demonstrate how this intent manifests as a "show by example" means of explaining the behavior.

framework/kms-keyring.md
For example, if a user configures a KMS keyring with CMK C
and uses it to decrypt an encrypted message
that contains encrypted data keys for CMKs A, B, and C,
then the keyring will attempt to decrypt using CMK C.
Copy link
Contributor

@MatthewBennington MatthewBennington Mar 17, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only true if the string identifying the CMK is a well-formed key ARN.

This was referenced Mar 17, 2020
Closed
Closed
Open
mattsb42-aws and others added 4 commits March 17, 2020 12:18
@mattsb42-aws @WesleyRosenblum
fix: Apply suggestions from code review
2b31523 
Co-Authored-By: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
@mattsb42-aws
docs: rework framing of client supplier and explicitly state requirem…
8770eb8 
…ent to communicate inability to supply client
@mattsb42-aws
doc: clarify that KMS keyring MUST NOT modify encryption materials if…
270e498 
… any CMKs fail on encrypt
@mattsb42-aws
docs: clarify that decrypt CMK ID needs a CMK ARN
e1f40e5
seebees
seebees approved these changes Mar 18, 2020
View reviewed changes
Copy link
Contributor

@seebees seebees left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@mattsb42-aws mattsb42-aws merged commit 7331210 into awslabs:master Mar 19, 2020
@mattsb42-aws mattsb42-aws deleted the dev-73-reorg branch March 19, 2020 19:54
@mattsb42-aws mattsb42-aws mentioned this pull request Apr 1, 2020
Closed
josecorella added a commit that referenced this pull request Jun 7, 2023
@josecorella
refactor: update keystore and hkeyring spec (#74)
7eb0e91
josecorella added a commit that referenced this pull request Jun 7, 2023
@josecorella
refactor: update keystore and hkeyring spec (#74)
6b58a31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seebees seebees seebees approved these changes

+3 more reviewers

@MatthewBennington MatthewBennington MatthewBennington approved these changes

@lavaleri lavaleri lavaleri approved these changes

@WesleyRosenblum WesleyRosenblum WesleyRosenblum approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWS KMS keyring encrypt behavior is incorrect
5 participants
@mattsb42-aws @seebees @MatthewBennington @lavaleri @WesleyRosenblum