diff --git a/menu/navigation.json b/menu/navigation.json index 5c15ffe0e2..632aa2c14c 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -510,6 +510,10 @@ "label": "Understanding Key Manager", "slug": "understanding-key-manager" }, + { + "label": "Understanding Key Manager cryptography", + "slug": "cryptographic-details-key-manager" + }, { "label": "Differences between Key Manager and Secret Manager", "slug": "differences-key-and-secret-manager" diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx index a463656107..a5a15d4bb4 100644 --- a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx @@ -1,16 +1,16 @@ --- meta: - title: Cryptographic details of Scaleway Key Manager + title: Understanding Key Manager cryptography description: This page describes the cryptographic mechanisms used by Scaleway Key Manager, in accordance with ANSSI-PA-079 recommendations. content: - h1: Cryptographic details of Scaleway Key Manager + h1: Understanding Key Manager cryptography paragraph: This page describes the cryptographic mechanisms used by Scaleway Key Manager, in accordance with ANSSI-PA-079 recommendations. tags: key-manager security categories: - identity-and-access-management dates: - validation: 2025-05-12 - posted: 2025-05-12 + validation: 2025-05-23 + posted: 2025-05-23 --- ## Cryptographic primitives in Scaleway Key Manager @@ -25,7 +25,7 @@ Scaleway Key Manager uses a **C**ryptographically **S**ecure **P**seudorandom ** This CSPRNG is based on the ChaCha-based pseudorandom number generator provided by modern Linux kernels. It is seeded with high-entropy, unpredictable sources, such as: -- Timing variations from hardware events +- Timing variations from hardware events - True Random Number Generators (TRNGs), including the `RDSEED` and `RDRAND` instructions available on AMD64 processors @@ -57,8 +57,7 @@ To reduce the risk of key overuse, plaintext payloads are limited to a maximum s While Key Manager internally uses AES-256-GCM, this does not restrict users to the same algorithm for their data encryption keys (DEKs). We recommend using cryptographic libraries like Tink, which handle DEK management with robust and reviewed algorithms. Scaleway provides Tink integrations for Go and Python, which is the preferred integration method. - + - [Tink Python integration](https://github.com/scaleway/tink-py-scwkms) - [Ting Go integration](https://github.com/scaleway/tink-go-scwkms) -