Commit
This commit adds a new CLI command:

```
kes tool migrate

Usage:
    kes tool migrate [options] [<pattern>]

Options:
    --from <PATH>          Path to the configuration file of the server that should be migrated
    --to   <PATH>          Path to the configuration file of the server that is the migration target
    -f, --force            Migrate keys even if a key with the same name exists at the target.
                           The existing keys will be deleted
    --merge                Merge the source into the target by only migrating those keys that
                           do not exist at the target
    -q, --quiet            Don't print migration progress and statistics.
    -h, --help             Show list of command-line options

Examples:
    $ kes tool migrate --from kes-vault.yml --to kes-aws.yml
```

With the `kes tool migrate` command it is possible to move some/all keys from one KMS backend (e.g. Hashicorp Vault) to another KMS backend (e.g. AWS SecretsManager).

However, the command does not use a KES server, and therefore, does not require a running source nor destination KES server instance. Instead, `kes tool migrate` consumes two KES config files (for the source and the target) and then migrates the keys by directly talking to the KMS backends specified in the config files.

This approach has the following implications:

- Since `kes tool migrate` operates directly on the KMS backends it does not require a running KES instance as source nor as target.
- The KES server does not have to provide an API to extract keys. Such an API would be an interesting target for attacks since it would allow a successful attacker to copy all keys from the KMS. Therefore, we tried to avoid implementing such an API.
- The `kes tool migrate` command has to be run on a machine that can reach the source KMS as well as the target KMS.
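The conflict-handling rules of `--force` and `--merge` described in the commit message, worked through as an added Go example. This is illustration code written for this page, not the KES project's own implementation: the `Store` interface, the in-memory `MemStore` standing in for a real KMS backend, the glob-style `[<pattern>]` matching via `path.Match`, the assumption that `--force` and `--merge` are mutually exclusive, and the assumption that the default (neither flag) stops at the first name collision are all choices made here and not stated by the commit.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"sort"
)

// ErrKeyExists models the default collision outcome (assumed: the commit message
// does not say what happens without --force or --merge).
var ErrKeyExists = errors.New("key already exists at target")
var ErrNotFound = errors.New("key not found")

// Store is a hypothetical minimal KMS backend API used only for this example.
type Store interface {
	List() ([]string, error)
	Get(name string) ([]byte, error)
	Create(name string, value []byte) error
	Delete(name string) error
}

// MemStore is an in-memory stand-in for a backend such as Vault or AWS SecretsManager.
type MemStore struct{ keys map[string][]byte }

func NewMemStore(init map[string][]byte) *MemStore {
	s := &MemStore{keys: make(map[string][]byte, len(init))}
	for k, v := range init {
		s.keys[k] = append([]byte(nil), v...)
	}
	return s
}

func (s *MemStore) List() ([]string, error) {
	names := make([]string, 0, len(s.keys))
	for k := range s.keys {
		names = append(names, k)
	}
	sort.Strings(names) // deterministic order so progress and errors are reproducible
	return names, nil
}

func (s *MemStore) Get(name string) ([]byte, error) {
	v, ok := s.keys[name]
	if !ok {
		return nil, ErrNotFound
	}
	return append([]byte(nil), v...), nil
}

func (s *MemStore) Create(name string, value []byte) error {
	if _, ok := s.keys[name]; ok {
		return ErrKeyExists // a backend must never silently overwrite a key
	}
	s.keys[name] = append([]byte(nil), value...)
	return nil
}

func (s *MemStore) Delete(name string) error { delete(s.keys, name); return nil }

// Options mirrors the two flags of `kes tool migrate` that decide collisions.
type Options struct {
	Force bool // -f/--force: delete the existing target key, then migrate
	Merge bool // --merge: leave existing target keys alone, migrate the rest
}

// Stats is what a non-quiet run would report at the end.
type Stats struct{ Migrated, Replaced, Skipped int }

// Migrate copies every source key matching pattern ("" = all) into dst.
func Migrate(src, dst Store, pattern string, opt Options) (Stats, error) {
	var st Stats
	if opt.Force && opt.Merge { // assumption: the two policies contradict each other
		return st, errors.New("--force and --merge are mutually exclusive")
	}
	names, err := src.List()
	if err != nil {
		return st, err
	}
	for _, name := range names {
		if pattern != "" {
			ok, err := path.Match(pattern, name)
			if err != nil {
				return st, fmt.Errorf("invalid pattern %q: %w", pattern, err)
			}
			if !ok {
				continue
			}
		}
		value, err := src.Get(name)
		if err != nil {
			return st, fmt.Errorf("reading %q from source: %w", name, err)
		}
		if _, getErr := dst.Get(name); getErr == nil {
			switch {
			case opt.Merge:
				st.Skipped++
				continue
			case opt.Force:
				if err := dst.Delete(name); err != nil {
					return st, fmt.Errorf("deleting %q at target: %w", name, err)
				}
				st.Replaced++
			default:
				return st, fmt.Errorf("%q: %w", name, ErrKeyExists)
			}
		} else if !errors.Is(getErr, ErrNotFound) {
			return st, fmt.Errorf("checking %q at target: %w", name, getErr)
		}
		if err := dst.Create(name, value); err != nil {
			return st, fmt.Errorf("creating %q at target: %w", name, err)
		}
		st.Migrated++
	}
	return st, nil
}

func main() {
	// Constructed sample data: source holds a, b, c; target already holds b.
	src := NewMemStore(map[string][]byte{"a": []byte("1"), "b": []byte("2"), "c": []byte("3")})
	dst := NewMemStore(map[string][]byte{"b": []byte("old")})
	st, err := Migrate(src, dst, "", Options{Merge: true})
	fmt.Printf("%+v err=%v\n", st, err)
}
```

The point to take from the three modes: `--merge` is the only one that never touches an existing target key, `--force` deletes before recreating (so a failure between the two calls can leave the target without the key), and a collision with neither flag aborts the run part-way, which is why listing the source in a stable order matters for re-running the command.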