Merge pull request #871 from oracle-devrel/ios-kms-backup-14022024

Ios kms backup 14022024

Author: oheimburger

security/security-design/shared-assets/kms-backup/.gitignore

@@ -0,0 +1,166 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+##
+## Project files
+kms_backup.json
+kms_restore.json
+kms_print.json
+

security/security-design/shared-assets/kms-backup/LICENSE

@@ -0,0 +1,35 @@
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

security/security-design/shared-assets/kms-backup/README.md

@@ -0,0 +1,161 @@
+# OCI Vault software key backup
+
+Owner: Inge Os
+
+OCI Vault supports several types of keys: HSM-based and software-based.
+
+Most services in Oracle OCI with encryption offer two types of encryption key management, Oracle-managed keys or Customer-managed keys.
+
+Some common main requirements most often seen in various cyber security frameworks typically are:
+-	Separation of Duty, key administration is separated from service management. Typical for Oracle Databases with Transparent Data Encryption the DBA function does not have access to manage the keys, only to read and use them.
+-	The Master key shall not be stored in any filesystem shared with the encrypted resource. Again, for using the Oracle Database with TDE as an example, the default key management with TDE is to use an Oracle Wallet stored in the same filesystem as the Oracle software installation.
+-	To meet these requirements and to have a robust operations model for key management, Oracle offers Oracle Key Vault.
+
+Oracle Key Vault offers two main categories of key management:  
+- HSM-based, with a FIPS compliant Hardware Security Module  
+- Software-based, where the key is not stored in an HSM, but still protected with the strong tenant isolation and ops isolation that is the cornerstone of Oracle OCI.  
+
+The main difference between HSM-based Vaults and Software-based is that the HSM-based prohibits explicit export of the master key. HSM-based key storage offers HA and DR, including cross-region replication, slightly dependent on the type of HSM service deployed.
+
+Software-based Key Vault does not offer cross-region replication.  
+The main purpose of this asset is to provide an example Python script that demonstrates the usage of the Python KMS SDK, an example of OCI Vault software key backup/restore between two regions.  
+
+## Prerequisites
+
+- The script may be run from the Cloud Shell, or from a Linux/Windows environment
+- Python 3.0
+- Create a virtual environment
+
+```
+[user]$ python -m venv ocienv
+[user]$ source ocienv/bin/activate
+```
+- Install Oracle OCI CLI, if not run off Cloud Shell
+  
+Please refer to the OCI install guide.
+  
+[CLI Installation Guide](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm)
+
+  
+- Install Python SDK into your virtual environment
+
+```
+[user]$ pip install oci
+```
+
+- Configure OCI profiles and verify the OCI SDK
+Configure the OCI CLI with an API key (may be the same) for source and target. Please refer to the OCI CLI documentation for creating an OCI environment file. 
+
+  
+[OCI File Configuration]( https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliconfigure.htm)
+
+  
+The OCI CLI configuration may be verified with the following command:
+
+```
+[user]$ oci os ns get --profile myprofile
+{
+  "data": "<your namespace>"
+}
+```
+
+- A valid public key for export only
+
+- Create and/or Check IAM Policies to permit key reading, inspection, and creation. 
+
+Permission to `manage` the following types of resources in your Oracle Cloud Infrastructure tenancy: `vaults`, `keys`, `secret-family` 
+Example policies:
+```
+Allow group SecurityAdmins to manage vaults in tenancy
+
+Allow group SecurityAdmins to manage keys in tenancy
+
+Allow group SecurityAdmins to manage secret-family in tenancy
+```
+[Policy Reference, Vault](https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/commonpolicies.htm#sec-admins-manage-vaults-keys)
+
+
+If you don't have the required permissions and quota, contact your tenancy administrator. See [Policy Reference](https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm), [Service Limits](https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm), [Compartment Quotas](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcequotas.htm).
+
+## Script execution
+
+The script requires a number of arguments. The arguments vary depending on the script execution. All or some arguments can be submitted as a configuration file in JSON format or at the command line. Any command-line argument overwrites any arguments from the configuration file,
+
+The script has two modes of operation:
+1)	Export a key, save it to a file, and print the fingerprint, used for verification of a key
+2)	Copy the key between two locations where tenant OCID, region, and API Key are required.
+
+A key in the vault may have several versions, and you may specify the OCID of a given version for both export and copy of the key. If no key version is specified, the most recent key is exported.
+
+The script checks if the key is Enabled and is of type SOFTWARE before any export is attempted.
+
+##  Configuration parameters/arguments
+
+ociconfig path to OCI configuration file  
+source_ociprofile Source profile in oci config  
+source_region Source Region  
+source_compartment Source Compartment  
+source_vault Source vault OCI  
+source_keyname Source Key Name, if search for key  
+source_key_ocid Source key OCID if search for OCID  
+source_key_version OCID of a specific key version, if not set pick latest version  
+  
+target_region Target Region  
+target_compartment Target Compartment  
+target_vault Target Vault OCID  
+target_ociprofile Target profile in oci config  
+target_keyname Target keyname, the copy will be created with this name  
+  
+exportonly only save to file or print  key, don't backup  
+wrapping_pubkey_file If it supplied filepointer  external key for wrapping  
+outputfile File for the exported key  
+
+## Example execution
+Example export
+```
+python kms_key_backup.py --configfile kms_backup.json --target_keyname test1 --source_key_ocid ocid1.key.oc1.eu-frankfurt-1.xxxxxx --exportonly --wrapping_pubkey_file export_pub.pem --source_key_version ocid1.keyversion.oc1.eu-frankfurt-1.qwertyqwerty
+```
+with configfile:
+```
+{
+    "ociconfig":"/home/myhome/.oci/config",
+    "source_ociprofile":"my-config-fra",
+    "source_region" : "eu-frankfurt-1",
+    "source_compartment" : "ocid1.compartment.oc1..aaaaaaaa",
+    "source_vault" : "ocid1.vault.oc1.eu-frankfurt-1.aaaeeeqqqlllaleaeqlr",
+    "wrapping_algorithm" :  "RSA_OAEP_AES_SHA256"
+}
+```
+Example backup
+```
+python kms_key_backup.py --configfile kms_backup.json --target_keyname test2 --source_key_ocid ocid1.key.oc1.eu-frankfurt-1.eeeeaaaaaaa  --source_key_version ocid1.keyversion.oc1.eu-frankfurt-1.qfqfqfqfqfaeaea
+```
+with configfile:
+```
+{
+    "ociconfig":"/home/myhome/.oci/config",
+    "source_ociprofile":"my-config-fra",
+    "source_region" : "eu-frankfurt-1",
+    "source_compartment" : "ocid1.compartment.oc1..aaaaaaaa",
+    "source_vault" : "ocid1.vault.oc1.eu-frankfurt-1.aaaeeeqqqlllaleaeqlr",
+    "source_key_ocid" : "ocid1.key.oc1.eu-frankfurt-1.sxesxesxesxe",
+    "target_region" : "eu-stockholm-1",
+    "target_compartment" : "ocid1.compartment.oc1..aaaaaaaa",
+    "target_vault" : "ocid1.vault.oc1.eu-stockholm-1.qewuroewrre",
+    "target_ociprofile":"my-config-ams",
+    "wrapping_algorithm" :  "RSA_OAEP_AES_SHA256"
+}
+```
+
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.
+
+