pages/key-manager/reference-content/cryptographic-details-key-manager.mdx
Lines changed: 7 additions & 5 deletions
@@ -13,7 +13,9 @@ dates:
13
13
posted: 2025-05-12
14
14
---
15
15
16
-
## Cryptographic primitives
16
+
## Cryptographic primitives in Scaleway Key Manager
17
+
18
+
This page provides information on the core cryptographic mechanisms used by Key Manager. It explains how cryptographic keys are generated, managed, and used to encrypt data. Key Manager uses cryptographic mechanisms in compliance with cryptographic guidelines issued by [France's national cybersecurity agency](https://cyber.gouv.fr/) in the ANSSI-PA-079 recommendations. to ensure the confidentiality and integrity of customer data.
17
19
18
20
### Random number generation
19
21
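Review bot: the new introductory paragraph in this hunk has a stray period that breaks the last sentence in two: "in the ANSSI-PA-079 recommendations. to ensure the confidentiality and integrity of customer data." As written the second fragment has no subject and the rendered page will show a lowercase sentence start. Suggest joining it: "... in compliance with cryptographic guidelines issued by [France's national cybersecurity agency](https://cyber.gouv.fr/) in the ANSSI-PA-079 recommendations, to ensure the confidentiality and integrity of customer data." While here, the heading is expanded to "Cryptographic primitives in Scaleway Key Manager" but the first sentence still says only "used by Key Manager"; either form is fine, but keep the product name consistent within the section.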
@@ -27,19 +29,19 @@ This CSPRNG is based on the ChaCha-based pseudorandom number generator provided
27
29
- True Random Number Generators (TRNGs), including the `RDSEED` and `RDRAND` instructions available on AMD64 processors
28
30
29
31
<Messagetype="note">
30
-
Complies with ANSSI-PA-079 Recommendation R14.
32
+
The section above is in compliance with [ANSSI-PA-079 Recommendation R14](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf), which mandates the use of a cryptographically secure and appropriately seeded pseudorandom generator for key and IV material.
31
33
</Message>
32
34
33
35
<Messagetype="important">
34
-
The information in the section above does not apply to keys imported via the Bring Your Own Key (BYOK) mechanism.
36
+
The information above applies only to keys generated by Key Manager. If you import a key using the Bring Your Own Key (BYOK) mechanism, these safeguards are not applied to your key material.
35
37
</Message>
36
38
37
39
38
40
#### Customer-provided KEKs (BYOK)
39
41
40
42
Scaleway Key Manager supports Bring Your Own Key (BYOK), allowing customers to import their own key material. In this model, Scaleway does not generate keys on behalf of the customer. Instead, the responsibility for generating strong key material lies with the user.
41
43
42
-
Imported key material is is not used directly, but processed using the **HKDF algorithm with SHA-256** as the hash function, incorporating secure random bytes as salt.
44
+
To protect against direct reuse, imported key material is not used directly. Instead, it is processed using the HKDF algorithm (HMAC-based Key Derivation Function) with SHA-256 as the hash algorithm, incorporating secure random bytes added as a salt value.
43
45
44
46
### Symmetric encryption
45
47
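Review bot: the rewritten "important" message ("these safeguards are not applied to your key material") reads as if BYOK keys receive no protection at all, which contradicts the "Customer-provided KEKs (BYOK)" paragraph added further down in this same hunk, where imported material is passed through HKDF-SHA-256 with a random salt. "These safeguards" is also ambiguous, since the only mechanism described above the message is the CSPRNG. Suggest stating precisely what does not apply: "The random number generation described above is only used for keys generated by Key Manager. Key material imported through Bring Your Own Key (BYOK) is generated by you; see the BYOK section below for how imported material is processed." Two smaller points: the new HKDF sentence is circular ("To protect against direct reuse, imported key material is not used directly"); the purpose of the HKDF step is to derive the working key from the imported input keying material, so say that rather than "direct reuse". And the R14 note now asserts what R14 "mandates"; since the hunk links a specific PDF, please confirm that the paraphrase ("cryptographically secure and appropriately seeded pseudorandom generator for key and IV material") matches the wording of R14 in that document before merging.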
@@ -48,7 +50,7 @@ Scaleway Key Manager uses **AES-256-GCM** (AES with a 256-bit key in Galois/Coun
48
50
To reduce the risk of key overuse, plaintext payloads are limited to a maximum size of 64 KiB. a unique 96-bit initialization vector (IV) is generated using the CSPRNG described in the section above.
49
51
50
52
<Messagetype="note">
51
-
Complies with ANSSI-PA-079 Recommendations R1, R4, and R12.
53
+
The section above is in compliance with [ANSSI-PA-079 Recommendations R1, R4, and R12] regarding the choice of secure, authenticated symmetric encryption (R1), key and IV uniqueness (R4), and payload size limitations and proper use of AEAD modes (R12). Refer to the ANSSI-PA-079 recommendations [documentation](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf) for more details.
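Review bot: the new note text contains a bracketed span with no link target: "[ANSSI-PA-079 Recommendations R1, R4, and R12]". In MDX this is not a link, so it renders with literal square brackets. Either link it to the same PDF used in the R14 note in the previous hunk, as in "[ANSSI-PA-079 Recommendations R1, R4, and R12](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf)", or drop the brackets and keep the trailing "Refer to the ... [documentation](...)" sentence as the sole link. The note also assigns each recommendation a specific topic (R1 authenticated encryption, R4 key and IV uniqueness, R12 payload limits and AEAD usage); please verify each mapping against the guide, because a wrong attribution in a compliance statement is worse than the previous shorter wording. Finally, the unchanged context line just above ("... maximum size of 64 KiB. a unique 96-bit initialization vector (IV) is generated ...") starts a sentence in lowercase; it predates this change, but since the surrounding lines are being edited it is worth capitalising "A unique" in the same commit.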