cfba1c1ba8
This patch changes the `kek` option for the Simple Crypto Plugin to allow more than one KEK to be specified. When more than one KEK is configured, the first KEK is used to encrypt new data and any additiona KEKs are only used to decrypt existing data. This change allows for rotating in new KEKs on demand. Change-Id: I0c3683e316e78478461f5f30f4f353ff43a3bb09
19 lines
824 B
YAML
19 lines
824 B
YAML
---
|
|
security:
|
|
- |
|
|
The configuration for Simple Crypto Plugin has been updated to allow more
|
|
than one Key-Encryption-Key (KEK) to be defined. This enables the ability
|
|
to rotate in new KEKs on demand. If there is more than one KEK specified
|
|
in the config file, then the first KEK is considered "active", which means
|
|
it will be used to encrypt any new Project-specific KEKs. Any additional
|
|
KEKs will only be used to decrypt existing pKEKs when necessary. .e.g.
|
|
|
|
.. code-block::
|
|
|
|
[simple_crypto_plugin]
|
|
# First key is used for ecnrypting new data
|
|
kek = Yl1EKQ5e4VpK3X7lbWF249GDsk0mrL929P-Mnnz-bdc=
|
|
# Additionak keys used for decrypting existing data
|
|
kek = AfXmy1NEfzmtJEYVGrQJ0C2-dr8S0lFoNBX5Vb7MC44=
|
|
kek = Ua4Y8ryfamShYT_TzxSjok9Tl11OWFSk3whOSY-TIaw=
|