cmd/kes: add support for migrating keys to minkms · minio/kes@5dd424c

Commit

cmd/kes: add support for migrating keys to minkms

This commit adds support for migrating keys to minkms
via the `kes migrate` command. Migrating all keys
of a KES backend to a MinKMS server can be done as following:
```
kes migrate --from src-config.yml --server 127.0.0.1:7373 --enclave minio --api-key k1:...
```

Currently, this implementation has the following limitations:
 - The HMAC key is not migrated. This requires support from MinKMS.
   However, HMAC keys are not used for S3 object encryption and have
   been added to KES recently.
 - Ciphertexts produced by KES cannot be decrypted auto. because they
   lack the key version prefix (e.g. 'v1:'). Future KES servers may
   use ciphertexts with key versions and MinKMS may accept a ciphertext
   without one.

Signed-off-by: Andreas Auernhammer <github@aead.dev>

Loading branch information

aead committed Jun 6, 2024

1 parent fe54489 commit 5dd424c

cmd/kes/main.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -71,7 +71,7 @@ func main() { @@
     		"status": statusCmd,
     		"metric": metricCmd,
-    		"migrate": migrateCmd,
+    		"migrate": migrate,
     		"update":  updateCmd,
     	}
@@ Expand Down @@

0 comments on commit `5dd424c`

Please sign in to comment.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Commit

There are no files selected for viewing

0 comments on commit `5dd424c`

Commit

There are no files selected for viewing

0 comments on commit 5dd424c

0 comments on commit `5dd424c`