
Commit e9859ff

Start crypto changes details
Signed-off-by: Monis Khan <[email protected]>
1 parent a508533 commit e9859ff


keps/sig-auth/3299-kms-v2-improvements/README.md

Lines changed: 34 additions & 0 deletions
@@ -345,6 +345,40 @@ sequenceDiagram
345345
kms_plugin->>kube_api_server: return encrypt response <br/> {"ciphertext": "<encrypted DEK>", key_id: "<remote KEK ID>", "annotations": {}}
346346
```
347347

348+
#### Cryptography details
349+
350+
```mermaid
351+
stateDiagram-v2
352+
KEK
353+
note right of KEK
354+
accessed via plugin
355+
end note
356+
KEK --> DEK_seed: encrypts
357+
DEK_seed --> etcd: EDEK_seed stored
358+
```
359+
360+
```mermaid
361+
stateDiagram-v2
362+
etcd_path
363+
note left of etcd_path
364+
unique per object in etcd
365+
/PATH_PREFIX/secrets/NAMESPACE/NAME
366+
end note
367+
resource
368+
note right of resource
369+
stored as
370+
info|nonce|encrypted_seed|ciphertext
371+
end note
372+
DEK_seed --> hkdf_expand: pseudo random key
373+
sha256 --> hkdf_expand: hash
374+
rand_nonce_32 --> hkdf_expand: info param
375+
hkdf_expand --> DEK: generates
376+
DEK --> aes_gcm: key
377+
rand_nonce_12 --> aes_gcm: nonce
378+
etcd_path --> aes_gcm: additional_data
379+
aes_gcm --> resource: encrypts
380+
```
381+
348382
### Test Plan
349383

350384
[x] I/we understand the owners of the involved components may require updates to existing tests to make this code solid enough prior to committing the changes necessary to implement this enhancement.
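Review bot: the second diagram derives the AES-GCM key with `hkdf_expand` alone, feeding `DEK_seed` in as the pseudo random key, but neither diagram says how `DEK_seed` is generated or how long it is; because HKDF-Expand skips the extract step it needs a uniformly random seed of at least the hash output length (32 bytes for `sha256`), so the seed's source and size should be stated next to `KEK --> DEK_seed: encrypts`. It would also help to say whether `rand_nonce_32` (the HKDF info) and `rand_nonce_12` (the GCM nonce) are drawn fresh for every encryption, since that is what keeps each derived `DEK` single-use and rules out nonce reuse under one key. Minor: the first diagram names the stored value `EDEK_seed` while the storage layout in the second reads `info|nonce|encrypted_seed|ciphertext`; pick one name for it.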
