Commit
cmd/kes: add support for migrating keys to minkms
This commit adds support for migrating keys to minkms via the `kes migrate` command.

Migrating all keys of a KES backend to a MinKMS server can be done as follows:

```
kes migrate --from src-config.yml --server 127.0.0.1:7373 --enclave minio --api-key k1:...
```

Currently, this implementation has the following limitations:

- The HMAC key is not migrated. This requires support from MinKMS. However, HMAC keys are not used for S3 object encryption and have been added to KES recently.
- Ciphertexts produced by KES cannot be decrypted auto. because they lack the key version prefix (e.g. 'v1:'). Future KES servers may use ciphertexts with key versions and MinKMS may accept a ciphertext without one.

Signed-off-by: Andreas Auernhammer <github@aead.dev>