Backport of keyring: support external KMS for key encryption key (KEK) into release/1.8.x #23620

Merged

Commits on Jul 18, 2024

  1. keyring: support external KMS for key encryption key (KEK) (#23580)

    In Nomad 1.4.0, we shipped support for encrypted Variables and signed Workload
    Identities, but the key material is protected only by an AEAD encrypting the
    KEK. Add support for Vault transit encryption and external KMS from major cloud
    providers. The servers call out to the external service to decrypt each key in
    the on-disk keystore.
    
    Ref: https://hashicorp.atlassian.net/browse/NET-10334
    Fixes: #14852
    tgross committed Jul 18, 2024
    8a62a3e
  2. deps: update go-kms-wrapping and Azure SDK

    I'm pulling this out to a shared PR between the two, because it'll make
    backporting easier.
    
    Closes: #23621
    Closes: #23589
    tgross committed Jul 18, 2024
    003c198