Better key management using tang/clevis

[clauderobi]

As it is the case for most, if not all, security solution, managing the key is crucial.

Looking at his solution I see that the running / deployment infrastructure needs to have access to the private key. It would be better for the sake of security, that the private key is not seen by the infrastructure. tang offers just that!

It is way too long to go into the details here but are the maintainers open at considering adding tang/clevis support?

[stefanberger]

It is way too long to go into the details here but are the maintainers open at considering adding tang/clevis support?

We have pkcs11 support as well. If you want to send a PR and test case, sure!

[clauderobi]

I am not a go programmer so that would be a steep curve... But before, is there any "plugin" where the actual encryption / decryption would be handed out to an external program that returns / accepts as JWE?

[stefanberger]

This keyprovider here is used by the test suite in this project for key wrapping and unwrapping: https://github.com/lumjjb/simple-ocicrypt-keyprovider/blob/main/main.go

If you want to go by a standard I would still point you to pkcs11. It's supported by HSMs for example.

[salrashid123]

incase it helps, here are two implementations where the key is either in GCP KMS or on a TPM.

these are dicrect calls vs going through a stadard pkcs interface (which is more portable but requires a bit more setup)

https://github.com/salrashid123/ocicrypt-tpm-keyprovider

https://github.com/salrashid123/ocicrypt-kms-keyprovider