Epic: configured CryptoProvider enhancements/hardening #1183
Comments
|
@dmihalcik-virtru Jake and I were discussing how an admin would manage the cryptoprovider when we look at supporting clickops. Currently, they would have to update the config or update the Envs. Do you have any thoughts about this you'd like to add? |
|
Related to #1254 |
|
@jakedoublev @strantalis @dmihalcik-virtru let's collaborate on this. We're seeing a number of areas where we need key material apart from KAS. It seems that cryptoprovider needs to be part of the core to support the various usecases. |
|
@jrschumacher It looks like @dmihalcik-virtru did some work around this in the past few weeks: #1834 |
|
yes, I have a modified version of the |
Background
At present, the
server.cryptoProviderin the platform config is used primarily for management of KAS keys. However, the platform engages with other sensitive cryptographic and crypto-adjacent materials (keys of varied types for other services, tokens, TLS certs, HSM information, etc).Rather than spreading configuration of varying crypto-related values across the service configs, we should enhance and centralize the
cryptoProviderconfig interface to make it extensible to n number of keys and key types across n number of services, and let each service do its own validation/panic that it has the cryptographic material it requires.Centralizing sensitive config will make administration of a platform and development on top of it both easier.
Acceptance Criteria
TODO
The text was updated successfully, but these errors were encountered: