Sample: Custom encryption for orchestration state #45

@cgillum

Scenario

There are a variety of users who will need to encrypt their durable state using encryption keys they control. While it's possible to do this directly in the storage layer, it may be beneficial to support this directly in the API layer. The most natural way to do this is to use the DataConverter interface.

One challenge will be with how to deal with key rotation. For example, what happens if an orchestration can run for up to 1 year, but a company has a key rotation policy of 30 days? Do we require that old keys be kept around to decrypt old state, or do we create a mechanism for re-encrypting all orchestration state so that old keys can be fully decommissioned? These are some of the challenges that the sample should try to address.

Besides creating a reference for users to follow, one of the other outcomes could be changes to the API surface.
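
One way to approach the key rotation question above, as an added example that is not part of the original issue or the project's code: each encrypted value carries the ID of the key that produced it, so old state stays readable while that key remains in the keyring and can be rewrapped before the key is retired. `Keyring`, `encryptState`, `decryptState`, `reencryptState`, the key IDs and the envelope layout are all hypothetical, and it is an assumption that a custom DataConverter would call them around its normal serialization.

```javascript
const crypto = require('node:crypto');

// Hypothetical keyring: key IDs -> 32-byte AES-256 keys. `current` is the ID used
// for new writes. In practice the keys would come from a KMS or vault.
class Keyring {
  constructor(keys, current) { this.keys = new Map(Object.entries(keys)); this.current = current; }
  get(id) {
    const key = this.keys.get(id);
    if (!key) throw new Error(`key "${id}" is not in the keyring`);
    return key;
  }
}

// Envelope: "<keyId>.<iv>.<tag>.<ciphertext>" (key IDs must not contain "."). The key
// ID travels with the ciphertext and is bound as AAD, so it cannot be swapped undetected.
function encryptState(ring, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per message
  const c = crypto.createCipheriv('aes-256-gcm', ring.get(ring.current), iv);
  c.setAAD(Buffer.from(ring.current));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return [ring.current, ...[iv, c.getAuthTag(), ct].map((b) => b.toString('base64url'))].join('.');
}

function decryptState(ring, envelope) {
  const parts = envelope.split('.');
  if (parts.length !== 4) throw new Error('malformed envelope');
  const [id, iv, tag, ct] = parts.map((p, i) => (i === 0 ? p : Buffer.from(p, 'base64url')));
  const d = crypto.createDecipheriv('aes-256-gcm', ring.get(id), iv);
  d.setAAD(Buffer.from(id));
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // final() throws on tamper
}

// Rewrap one stored value under the current key; values already current are left alone.
function reencryptState(ring, envelope) {
  if (envelope.split('.')[0] === ring.current) return envelope;
  return encryptState(ring, decryptState(ring, envelope));
}

// Constructed sample: state written under key "2024-01", then rotation to "2024-02".
function demo() {
  const k1 = crypto.randomBytes(32), k2 = crypto.randomBytes(32);
  const old = encryptState(new Keyring({ '2024-01': k1 }, '2024-01'), '{"step":3}');
  const rotated = new Keyring({ '2024-01': k1, '2024-02': k2 }, '2024-02');
  const rewrapped = reencryptState(rotated, old);
  const retired = new Keyring({ '2024-02': k2 }, '2024-02'); // old key decommissioned
  return { old, rewrapped, viaOldKey: decryptState(rotated, old), viaNewKey: decryptState(retired, rewrapped), retired };
}
```

Both options from the issue show up here: keeping `2024-01` in the keyring lets year-old state decrypt as-is, while running `reencryptState` over every stored value is what allows the old key to be removed.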

Labels: samples (Issue with an existing sample or a proposal for a new sample)