Managing key rotations with GCP_KMS with BYOK solution

We have RSA key pairs generated on-prem and plan to sync them to GCP-KMS. There is a yearly key rotation policy which would be done on-prem, and new key_versions would be synced to KMS. My concern is with the KMS API.

Problem: The API always asks for the 'key_version' as an argument to encrypt/decrypt a file.

Desired behaviour: During decryption, is it not possible that the KMS sees the certificate thumbprint and returns the appropriate key version to decrypt a given encrypted file? E.g. a DEK wrapped with the RSA_public, when supplied to KMS, gets decrypted by the RSA_Private (or KEK) of the correct version.

If yes, is there any documentation that elaborates on this use case?

According to the documentation, you can achieve that with symmetric signature (no key version specified), but you can't with asymmetricDecrypt (the key version is required in the URL path of the API).
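Because asymmetricDecrypt is addressed to one cryptoKeyVersion, the caller has to record which on-prem key wrapped each DEK. The block below is an added example, not code from the question, the answer or Google's client library: it stores a SHA-256 thumbprint of the wrapping public key in a small envelope header and keeps a client-side registry that maps thumbprints back to cryptoKeyVersion resource names, failing loudly when an envelope references a rotated key that was never synced. The envelope format, the resource names, the key bytes and the `kms_unwrap` callable (which stands in for the real KMS call) are all constructed for the example.

```python
import hashlib
import struct
from typing import Callable, Dict, Tuple

MAGIC = b"ENV1"  # constructed envelope tag for this example, not a GCP format
# Constructed sample: placeholder resource names and placeholder "DER" bytes for two yearly keys.
KEY_BASE = "projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/"
SAMPLE_KEYS = {KEY_BASE + "1": b"der-of-2023-key", KEY_BASE + "2": b"der-of-2024-key"}

def thumbprint(public_key_der: bytes) -> str:
    """Hex SHA-256 over the DER public key: a KMS-independent ID written into every envelope."""
    return hashlib.sha256(public_key_der).hexdigest()

def build_registry(public_keys: Dict[str, bytes]) -> Dict[str, str]:
    """Map thumbprint -> cryptoKeyVersion resource name for every version synced to KMS."""
    return {thumbprint(der): name for name, der in public_keys.items()}

def pack_envelope(pub_der: bytes, wrapped_dek: bytes, ciphertext: bytes) -> bytes:
    """Layout: MAGIC | 32-byte thumbprint | u32 length | wrapped DEK | ciphertext."""
    tp = bytes.fromhex(thumbprint(pub_der))
    return MAGIC + tp + struct.pack(">I", len(wrapped_dek)) + wrapped_dek + ciphertext

def unpack_envelope(blob: bytes) -> Tuple[str, bytes, bytes]:
    if blob[:4] != MAGIC or len(blob) < 40:
        raise ValueError("not an envelope")
    tp = blob[4:36].hex()
    (n,) = struct.unpack(">I", blob[36:40])
    if len(blob) < 40 + n:
        raise ValueError("truncated wrapped DEK")
    return tp, blob[40:40 + n], blob[40 + n:]

def resolve_key_version(tp: str, registry: Dict[str, str]) -> str:
    """The step KMS will not do for asymmetricDecrypt: choose the version from the thumbprint."""
    try:
        return registry[tp]
    except KeyError:
        raise LookupError(f"no synced key version for thumbprint {tp[:16]}...") from None

def decrypt_envelope(blob: bytes, registry: Dict[str, str],
                     kms_unwrap: Callable[[str, bytes], bytes]) -> Tuple[str, bytes, bytes]:
    """Return (version used, DEK, ciphertext). kms_unwrap stands in for calling
    asymmetricDecrypt on the resolved cryptoKeyVersion; the DEK then decrypts ciphertext."""
    tp, wrapped, ct = unpack_envelope(blob)
    version = resolve_key_version(tp, registry)
    return version, kms_unwrap(version, wrapped), ct
```

Rebuild the registry after each yearly sync so that old envelopes keep resolving to the older version as long as that version remains enabled in KMS.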
