From 10b521c93c566b39b0f2ee954217f30b4f5b179f Mon Sep 17 00:00:00 2001 
From: nerda-codes Date: Tue, 10 Dec 2024 15:52:44 +0100 Subject: [PATCH 1/8] docs(key-manager): add doc --- faq/key-manager.mdx | 69 +++++ .../api-cli/create-dek-api-cli.mdx | 79 ++++++ .../key-manager/api-cli/index.mdx | 8 + .../api-cli/manage-keys-with-tink.mdx | 263 ++++++++++++++++++ .../api-cli/rotate-keys-api-cli.mdx | 106 +++++++ .../use-streaming-aead-tink-key-manager.mdx | 208 ++++++++++++++ .../key-manager/concepts.mdx | 97 +++++++ .../key-manager/how-to/create-km-key.mdx | 38 +++ .../key-manager/how-to/delete-key.mdx | 34 +++ .../key-manager/how-to/disable-key.mdx | 33 +++ .../key-manager/how-to/index.mdx | 8 + .../key-manager/how-to/manage-dek.mdx | 44 +++ .../key-manager/how-to/rotate-keys.mdx | 32 +++ .../key-manager/index.mdx | 81 ++++++ .../key-manager/quickstart.mdx | 20 ++ .../differences-key-and-secret-manager.mdx | 62 +++++ .../security-recommendations.mdx | 48 ++++ .../understanding-key-manager.mdx | 60 ++++ 18 files changed, 1290 insertions(+) create mode 100644 faq/key-manager.mdx create mode 100644 identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx create mode 100644 identity-and-access-management/key-manager/api-cli/index.mdx create mode 100644 identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx create mode 100644 identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx create mode 100644 identity-and-access-management/key-manager/api-cli/use-streaming-aead-tink-key-manager.mdx create mode 100644 identity-and-access-management/key-manager/concepts.mdx create mode 100644 identity-and-access-management/key-manager/how-to/create-km-key.mdx create mode 100644 identity-and-access-management/key-manager/how-to/delete-key.mdx create mode 100644 identity-and-access-management/key-manager/how-to/disable-key.mdx create mode 100644 identity-and-access-management/key-manager/how-to/index.mdx create mode 100644 identity-and-access-management/key-manager/how-to/manage-dek.mdx create mode 
100644 identity-and-access-management/key-manager/how-to/rotate-keys.mdx create mode 100644 identity-and-access-management/key-manager/index.mdx create mode 100644 identity-and-access-management/key-manager/quickstart.mdx create mode 100644 identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx create mode 100644 identity-and-access-management/key-manager/reference-content/security-recommendations.mdx create mode 100644 identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx diff --git a/faq/key-manager.mdx b/faq/key-manager.mdx new file mode 100644 index 0000000000..61f75d75ae --- /dev/null +++ b/faq/key-manager.mdx 
@@ -0,0 +1,69 @@ +--- +meta: + title: Key Manager FAQ + description: Explore Scaleway Key Manager with our comprehensive FAQ covering security, key types, and more. +content: + h1: Key Manager +dates: + validation: 2024-12-09 +category: identity-and-access-management +productIcon: KeyManagerProductIcon +--- + +## Why should you use Scaleway Key Manager? + +Key Manager helps organizations achieve secure key management by handling low-level and error-prone cryptographic details for you. + + +## What features does Scaleway Key Manager include? + +Scaleway Key Manager allows you to create, manage and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to Key Manager, which in turn ensures the security and availability of your keys. + +## Which management methods can I use with Key Manager? + +Key Manager allows you to create and manage the complete lifecycle of a key. Below are all the ways you can use Key Manager to manage your data. + +### Create a key: + +You must specify a **key usage**, which defines the **purpose of the key** (encryption, signing, etc.) and which **cryptographic algorithm** will be used to derive the key. Upon key creation, a first key version is also automatically created. + +### Retrieve a key: + +Retrieving a key **only returns the metadata associated with the key**. The key versions will not be returned when retrieving a key. + +### List keys: + +You can retrieve a subset of your keys according to filters such as "name", "description", "tags", etc. + +### Update a key: + +You can update the key's name, description or tags at any time. + +### Enable and disable key protection: + +**Enabling key protection prevents any accidental deletion of a key**. You must disable key protection before deleting a key to which key protection is applied. + +### Rotate a key: + +Rotating a key **creates a new key version and makes all previous versions obsolete**. 
+ +### Delete a key: + +Deleting a key also **deletes all its versions**. + + +## Which cryptographic operations does Key Manager support? + +At the moment, Scaleway's Key Manager supports the three following cryptographic operations. + +| Encryption | Decryption | Data encryption key generation | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Encrypt data using the latest version of the Key Manager key. The encryption algorithm used is the one defined when setting the key usage. Only keys with a usage set to `symmetric_encryption` are supported by this method. The input data is arbitrary, but this endpoint should only be used only to encrypt data encryption keys, not actual payloads. 
[Find out how to encrypt and decrypt payloads using The Scaleway Tink provider](/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink) | This operation lets you decrypt an encrypted payload. **The only way to decrypt an encrypted payload is by using the `Decrypt` endpoint. Since key versions never leave Key Manager, there is no other way to decrypt data outside Key Manager.** A payload encrypted with an older key version can still be decrypted. In this case, for convenience, the payload encrypted with the latest key version will be returned, along with the decrypted payload. | Generate a symmetric [data encryption key](/identity-and-access-management/key-manager/concepts/#data-encryption-key-(dek)) (DEK) that can be used outside Key Manager to encrypt and decrypt payloads. This DEK is encrypted with a key encryption key, specified by the caller. **The management of the DEK is the responsibility of the caller. The DEK should be stored safely and have the same lifecycle as the payload it encrypts.** | + +## Which algorithms and key usage does Key Manager support? + +Key Manager **only supports symmetric encryption as of yet**. + +Keys with a [key usage](/identity-and-access-management/key-manager/concepts/#key-usage) set to `symmetric_encryption` are **used to encrypt and decrypt data**. + +Key Manager currently **only supports the `AES-256-GCM` key algorithm**. Refer to our [dedicated documentation](/identity-and-access-management/key-manager/reference-content/understanding-key-manager/) to find out which parameters (in compliance with the [recommendations of ANSSI](https://cyber.gouv.fr/publications/mecanismes-cryptographiques)) are used when creating and using a key with the `AES-256 GCM` [symmetric encryption](/identity-and-access-management/key-manager/concepts/#symmetric-encryption) algorithm. \ No newline at end of file 
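Review bot: The "Rotate a key" entry in faq/key-manager.mdx says rotation "makes all previous versions obsolete", which contradicts the Decryption column of the table just below it, where "a payload encrypted with an older key version can still be decrypted"; say instead that previous versions stay available for decryption but are no longer used for new encryptions, otherwise readers will assume rotation breaks their existing ciphertexts. In the same table the Encryption cell reads "this endpoint should only be used only to encrypt data encryption keys" (duplicated "only"), and the closing paragraph spells the algorithm both `AES-256-GCM` and `AES-256 GCM`; pick one form. The "Create a key" entry says the key usage defines the algorithm "used to derive the key", but the usage fixes the algorithm the key is used with, not a derivation; "symmetric encryption as of yet" reads better as "at present"; and the file is missing its trailing newline.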
diff --git a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx new file mode 100644 index 0000000000..8b0c224cf5 --- /dev/null +++ b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx 
@@ -0,0 +1,79 @@ +--- +meta: + title: Create a data encryption key using the Scaleway API and the Scaleway CLI + description: Discover how to create a data encryption key using the Scaleway API and the Scaleway CLI. +content: + h1: Create a data encryption key using the Scaleway API and the Scaleway CLI + paragraph: Discover how to create a data encryption key using the Scaleway API and the Scaleway CLI. +tags: key-management dek data-encryption-key cli sdk api encryption +categories: + - identity-and-access-management +dates: + validation: 2024-12-09 + posted: 2024-12-09 +--- + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Created a key encryption key either from the [Scaleway console](/identity-and-access-management/key-manager/how-to/create-km-key) or the [Key Manager API](https://www.scaleway.com/en/developers/api/key-manager/#path-keys-create-a-key) +- Retrieved your key encryption key's ID +- Created an [API key](/identity-and-access-management/iam/how-to/create-api-keys/) +- Downloaded and configured the [Scaleway CLI](https://github.com/scaleway/scaleway-cli?tab=readme-ov-file#getting-started) + +## Generate a DEK using the Scaleway CLI + +1. Open a terminal and paste the following commands to export your environment variables. Make sure that you replace the placeholder values with your own. + ```bash + export SCW_ACCESS_KEY= + export SCW_SECRET_KEY= + export SCW_DEFAULT_ORGANIZATION_ID= + export SCW_PROJECT_ID= + export SCW_DEFAULT_REGION="fr-par" + export SCW_API_URL="https://api.scaleway.com" + ``` + +2. Paste the following command to generate a data encryption key via the Scaleway CLI. Make sure that you replace `` with the ID of your key encryption key. 
+ ```bash + scw keymanager key generate-data-key key-id= algorithm=aes_256_gcm + ``` + +An output similar to the following should display: + ```bash + KeyID + Algorithm + Ciphertext + Plaintext + CreatedAt + ``` + + +## Generate a DEK using the API + +Paste the following command to create your data encryption key via the Key Manager API. Make sure that you replace the placeholder values with your own. + ```bash + curl --location 'https://api.scaleway.com/key-manager/v1alpha1/regions/fr-par/keys//generate-data-key' \ + --header 'Content-Type: application/json' \ + --header 'X-Auth-Token: ' \ + --data '{ + "algorithm": "aes_256_gcm" + }' + ``` + +Key Manager also supports the `GenerateDataKey` request without a plaintext operation, which only returns an encrypted data encryption key. + +If you need to use your DEK, you can decrypt it using the [Decrypt data operation](https://www.scaleway.com/en/developers/api/key-manager/#path-keys-decrypt-data) specifying the `kek_id` parameter used to encrypt it. + +Key Manager **does not allow the use of data encryption keys for data encryption**. + +However, you can use the DEK independently from Key Manager, for example with the [Tink extension](/encrypt-decrypt-dek-/#encrypt-and-decrypt-data-with-tink-and-key-manager) or with [OpenSSL](/encrypt-decrypt-dek/#manually-encrypt-and-decrypt-data-with-a-key-manager-dek). + + +!!! info + + The way the KEK is generated, its length, and the encryption algorithm used, **cannot be changed or customized after creation**. + + However, unlike the KEK, you have the flexibility to choose any encryption algorithm (cipher) you prefer for encrypting and decrypting your data with the DEK. You are not restricted to a specific encryption method for the data itself. + + **We highly recommend that you use standard and well-established ciphers (and the proper mode), as well as a library like Tink, that chooses the right cryptosystem according to your use-case.** \ No newline at end of file 
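Review bot: The two cross-links at the end of create-dek-api-cli.mdx target `/encrypt-decrypt-dek-/#encrypt-and-decrypt-data-with-tink-and-key-manager` and `/encrypt-decrypt-dek/#manually-encrypt-and-decrypt-data-with-a-key-manager-dek`, but no page of that name is in this patch's file list and the first path carries a stray trailing hyphen; either point them at `api-cli/manage-keys-with-tink.mdx`, which does cover Tink, or drop them until the target page exists. The placeholders also come through empty as written (`export SCW_ACCESS_KEY=`, `key-id=`, "replace `` with the ID"); MDX treats `<...>` as JSX, so if angle-bracket placeholders were removed for that reason, use a visible form such as `YOUR_KEY_ID` rather than leaving nothing. The CLI output lists a `Plaintext` field, so the step should warn that the plaintext DEK is printed to the terminal and must not be persisted or logged, with only the `Ciphertext` form safe to store next to the data; and "Key Manager does not allow the use of data encryption keys for data encryption" is confusing right before the paragraph that says you can use the DEK with Tink or OpenSSL, it should say that Key Manager itself performs no encryption with the DEK and that the caller uses it outside the service. "Supports the `GenerateDataKey` request without a plaintext operation" should name the request field that suppresses the plaintext, and the `!!! info` admonition is MkDocs syntax, not MDX, so it will render as a literal paragraph.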
diff --git a/identity-and-access-management/key-manager/api-cli/index.mdx b/identity-and-access-management/key-manager/api-cli/index.mdx new file mode 100644 index 0000000000..ee9c2480bf --- /dev/null +++ b/identity-and-access-management/key-manager/api-cli/index.mdx @@ -0,0 +1,8 @@ +--- +meta: + title: Key Manager - API/CLI Documentation + description: Key Manager API/CLI Documentation +content: + h1: API/CLI Documentation + paragraph: Key Manager API/CLI Documentation +--- diff --git a/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx b/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx new file mode 100644 index 0000000000..719b52e32f --- /dev/null +++ b/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx 
@@ -0,0 +1,263 @@ +--- +meta: + title: Using Tink with the Scaleway Key Manager + description: Discover essential concepts of Scaleway Key Manager and how to use it effectively with the Tink Go library +content: + h1: Using Tink with the Scaleway Key Manager + paragraph: Discover essential concepts of Scaleway Key Manager, including Key Encryption Keys and Data Encryption Keys +tags: key-manager encryption kms key-management-service cryptographic +dates: + validation: 2024-09-20 +--- + +This documentation page provides information on Key Manager Key Encryption Keys (KEKs) and Data Encryption Keys (DEKs), and how to use them with the Tink Go library. + +Tink is an open-source library that helps you safely perform cryptographic operations, like encrypting data and managing encryption keys. It works well with different platforms and follows best practices for security. Tink also supports using remote keys right away. + +We suggest using Tink when working with Scaleway's Key Manager, especially with Go or Python. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Created and enabled a data encryption key (DEK) in your Key Manager +- A working Go environment +- Installed the [Scaleway Go SDK](https://github.com/scaleway/scaleway-sdk-go) with [valid credentials](/developer-tools/scaleway-sdk/go-sdk/) + + +## Installing the necessary tools + +Tink is a library that helps you perform encryption (securing data) and manage encryption keys. It can work with various key management services (KMS), including Scaleway's Key Manager. +To use Tink with Scaleway Key Manager, you need to install dependencies that let Tink interact with Key Manager. + +1. 
Open a terminal and run the following commands: + + ```shell + # Install Tink for Go + go get -u github.com/tink-crypto/tink-go/v2 + + # Install the Scaleway Tink extension + go get -u github.com/scaleway/tink-go-scwkms + ``` +2. Retrieve the ID (UUIDv4 format) of your Key Manager's key (KEK). +3. Copy the following template and paste it into a `.go` file: + + ```go + import ( + "github.com/scaleway/scaleway-sdk-go/scw" // Library that helps your Go program interact with Scaleway + "github.com/tink-crypto/tink-go/v2/aead" // Tink library + "github.com/scaleway/tink-go-scwkms/integration/scwkms" // Scaleway's Tink extension + ) + + const region = "" // Replace the placeholder with the region where your key is created + const keyID = "7f967268-bebb-43b0-9fe2-e13bd23bf421" // Replace the placeholder with the unique ID of your key encryption key + + keyURIPrefix := "scw-kms://regions/" + region + "/keys/" + keyURI := keyURIPrefix + keyID + + // Set up a connection to Scaleway + config, _ := scw.LoadConfig() // Loads your Scaleway configuration + profile, _ := config.GetActiveProfile() // Gets the active profile (your account settings) + + // Set up the connection to use your key in Key Manager + kms, _ := scwkms.NewClientWithOptions( + keyURIPrefix, + scw.WithProfile(profile), // Uses your account profile + scw.WithEnv(), // Uses environment settings + ) + // Prepare the key for encryption and decryption + kekAEAD, _ := kms.GetAEAD(keyURI) + ``` +4. Replace the placeholder values with your own. + + + The `kekAEAD` object represents the key in Scaleway’s Key Manager. It allows you to encrypt payloads and decrypt ciphertexts. + + +## Encrypting and decrypting data + +Paste the following code into a `.go` file. This file contains the data we will encrypt (`"Hello, World!"`), and the code to encrypt and decrypt it. 
+ ```go + associatedData := []byte("") // Read the ## Associated data section for more information + secretData := []byte("Hello, World!") // Data we want to encrypt + + ciphertext, _ := kekAEAD.Encrypt(secretData, associatedData) // Encrypt the data + fmt.Println(ciphertext) // Print the encrypted data + + plaintext, _ := kekAEAD.Decrypt([]byte(ciphertext), associatedData) + fmt.Println(string(plaintext)) // Output: "Hello, World!" + ``` + + + While the code shown above functions as intended, this is not a recommended pattern and the following limitations apply: + - It is slow: since the key resides on Scaleway Key Manager, each encryption or decryption operation translates into a remote API call. + - The payload to encrypt is limited in size: Key Manager only allows up to 64 KiB. As a result, you will not be able to encrypt larger payloads with `kekAEAD`. + - You cannot choose the cipher and the algorithm that suit your use case, Key Manager handles that on your behalf. + + +## Understanding the difference between KEKs and DEKs + +**Key encryption key (KEK)**: This is a key (`kekAEAD`) used to encrypt other keys (DEKs, which protect your data), not the actual data. It stays secure in Scaleway Key Manager. + +**Data Encryption Key (DEK)**: This key is used to encrypt your actual data. Key Manager does not store or manage your DEK. A DEK is usually stored alongside the data it protects, and it is **always** stored encrypted (by the KEK). + +The KEK secures the DEK, and the DEK secures your data. This double-layer approach improves security. + + + - Your application is responsible for storing the encrypted DEKs alongside the encrypted data they protect. + - DEKs must **never** reside in plaintext. They must be encrypted by the remote KEK before being stored. + + +## Using Tink keysets as DEKs + +Tink does not handle single keys, it manages groups of keys called **keysets**, a set of related keys kept together with their metadata. 
We use the terms `key` and `keyset` interchangeably since we work with keysets containing only one key here. Tink can generate keys to be used with the desired algorithm and cipher. + +1. Run the following code to create a DEK using Tink and store it encrypted with your KEK, using the `AES256-GCM` algorithm. + + ```go + import "github.com/tink-crypto/tink-go/v2/keyset" // Import the package that provides functionalities to create, manage, and store keysets in Tink + + /* ... */ + /* ... */ + + handle, _ := keyset.NewHandle(aead.AES256GCMKeyTemplate()) // Generate an AES256-GCM key + associatedData := []byte("") + + f, _ := os.OpenFile("/path/to/encrypted_dek.tink", os.O_RDWR|os.O_CREATE, 0644) + defer f.Close() + w := keyset.NewBinaryWriter(f) + + // Serialize the keyset and encrypt it with the remote KEK, + handle.WriteWithAssociatedData(w, kekAEAD, associatedData) + ``` + + + + Check out the full list of supported algorithms and ciphers in the [Tink Go reference](https://pkg.go.dev/github.com/tink-crypto/tink-go/v2/aead) if you need to use another algorithm or cipher. We recommend that you stick with the `AES256-GCM` algorithm if you are unsure. + + + + Your encrypted DEK is now stored in `/path/to/encrypted_dek.tink`. + +2. Run the following code to read and use your encrypted DEK: + + ```go + // Load, deserialize, and decrypt the DEK with the remote KEK + f, _ := os.Open("/path/to/encrypted_dek.tink") + defer f.Close() + r := keyset.NewBinaryReader(f) + handle, _ := keyset.ReadWithAssociatedData(r, kekAEAD, associatedData) + + // Use the DEK represented by "primitive" to encrypt data. 
The primitive created from the DEK is used to encrypt a string ("This is a secret") into a ciphertext (secret1) + primitive, _ := aead.New(handle) + + secret1, _ := primitive.Encrypt([]byte("This is a secret"), dataAssociatedData1) + /* + * Store secret1 somewhere + */ + + secret2, _ := primitive.Encrypt([]byte("This is another secret"), dataAssociatedData2) + /* + * Store secret2 somewhere + */ + ``` + + Tink only provides methods that work on types that comply with `Reader` and `Writer` interfaces. If you need to write and read Tink keysets as direct bytes, you can use `bytes.Buffer`, which is an in-memory buffer used to hold the encrypted keyset. This allows you to serialize and deserialize keysets directly as byte arrays instead of using files. + + +3. Run the following command to store the DEK in memory as bytes: + + ```go + buf := new(bytes.Buffer) + w := keyset.NewBinaryWriter(buf) + handle.WriteWithAssociatedData(w, kekAEAD, associatedData) + encDEK := buf.Bytes() // encrypted DEK in Tink wire format + ``` + +You can then store the bytes of the encrypted DEK in a database for example, with the encrypted data it protects. For example, the encrypted data (enc_data) and the encrypted DEK (enc_dek) might be stored together in a row in a database (base64-encoded in the following example): + + ```console + SELECT id, enc_data, enc_dek FROM sensible_stuff; + + id | enc_data | enc_dek + -----|----------------------------|------------------- + 42 | "7NXIqRms0+TiKj+V0gv1s..." | "vIiYBeypb7Yk..." + 43 | "7X8v0GVrXWwL/ckzfRms0..." | "vIiYBeypb7Yk..." + ... + ... + ... + ``` + + +## Associated Data + +Associated Data (AD) is not encrypted, but it is authenticated. It must be the same when you encrypt and decrypt data, otherwise the decryption fails. This is useful to prevent reading the wrong data in the wrong context. In the table above, the data in both rows 42 and 43 is protected by the same DEK. 
If we swapped the data, an application would be able to decrypt the data from another row. But, by providing the intended ID as the associated data, the decryption would fail. + +### Encrypt data with AD before inserting it + +Run the following command to encrypt your data with `Associated Data`. In the example below, associated data like `id42` and `id43` is used to ensure that data from row 42 cannot be decrypted in the context of row 43. + + ```go + handle, _ := keyset.ReadWithAssociatedData(r, kekAEAD, dekAD) + primitive, _ := aead.New(handle) // Same DEK for the two payloads + + secret1, _ := primitive.Encrypt([]byte("This is a secret"), []byte("id42")) + // Insert secret1 into row 42 + + secret2, _ := primitive.Encrypt([]byte("This is another secret"), []byte("id43")) + // Insert secret2 into row 43 + ``` + +Associated Data does not need to be stored, as it can be infered from the context at decryption time. It is also possible to use a unique DEK for each payload. We recommend using Associated Data. + + +## Hierarchy of keys + +Unlike KEKs that reside and are managed by Key Manager, DEKs are free: you can generate and have as many as you want. + +However, your application still needs to call the Key Manager API: + + - At least once to encrypt a newly generated DEK before storing it, and + - Each time a DEK needs to be decrypted before use + +Thus, you can use a hierarchy of keys to minimize calls to the Key Manager API (or any remote key mangement service), which can slow down your application and incur charges. + +In the example below, the application only needs to call Key Manager once to decrypt the DEK Master Key. All subsequent decryption of DEKs happens locally, which improves efficiency. + +```go +// The DEK Master Key (which protects all other DEKs) is stored and protected by the remote KEK. 
+masterKeyFile, _ := os.Open("/path/to/encrypted_masterkey.tink") +masterKeyHandle, _ := keyset.ReadWithAssociatedData(masterKeyFile, kekAEAD, []byte("master-key-001")) // Call the API +masterKeyAEAD, _ := aead.New(masterKeyHandle) + +// DEK #1 encrypted and decrypted by the Master Key, rather than by the remote KEK directly. This avoids frequent API calls. +dek1File, _ := os.Open("/path/to/encrypted_dek1.tink") +dekHandle1, _ := keyset.ReadWithAssociatedData(dek1File, masterKeyAEAD, []byte("dek1")) // No call to the API + +// DEK #2 encrypted and decrypted by the Master Key, rather than by the remote KEK directly. This avoids frequent API calls. +dek2File, _ := os.Open("/path/to/encrypted_dek2.tink") +dekHandle2, _ := keyset.ReadWithAssociatedData(dek2File, masterKeyAEAD, []byte("dek2")) // No call to the API + + +// DEKs are used to encrypt and decrypt the actual data + +dek1AEAD, _ := aead.New(dekHandle1) +dek2AEAD, _ := aead.New(dekHandle2) + +ct1, _ := dek1AEAD.Encrypt([]byte("this is a secret"), []byte("id42")) +ct2, _ := dek2AEAD.Encrypt([]byte("this is another secret"), []byte("id43")) + +/* ... */ +/* ... */ +``` + + + Your DEK and KEK do not need to use the same algorithm and cipher. + + +The example above can work for most use cases. However, there is no "one fits all" approach to create the right key hierarchy. It is up to you to decide on a hierarchy that suits you best,according to your application needs and constraints. + + + + Scaleway does not define keys managed by Key Manager (or any other key management service) as DEKs or KEKs. The context in which you use these keys makes them DEKs or KEKs. We usually assume that keys in Key Manager are only used to protect other keys, hence the use of the terms "KEKs" and "DEKs". + diff --git a/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx b/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx new file mode 100644 index 0000000000..0764dc7d6c --- /dev/null 
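Review bot: In the "Hierarchy of keys" example of manage-keys-with-tink.mdx, `keyset.ReadWithAssociatedData(masterKeyFile, kekAEAD, ...)` is passed an `*os.File` directly, while the earlier snippets correctly wrap the file in `keyset.NewBinaryReader(f)` first; `ReadWithAssociatedData` takes a `keyset.Reader`, so the example does not compile (same for `dek1File` and `dek2File`). Other snippets reference identifiers that are never defined (`dataAssociatedData1`, `dataAssociatedData2`, `dekAD`, and `r` in the Associated Data section), the first template has `:=` statements at package level outside any function and omits `package main` plus the `fmt`, `os` and `bytes` imports later snippets rely on, and `kekAEAD.Decrypt([]byte(ciphertext), ...)` converts a value that is already `[]byte`. Every call discards its error with `_`; for a cryptography how-to at least the `GetAEAD`, `Encrypt`/`Decrypt` and keyset read/write errors should be checked, since a silently failed decrypt yields an empty plaintext that the example would then print as success. The prerequisites say "Created and enabled a data encryption key (DEK) in your Key Manager", but the page itself explains that DEKs are never stored in Key Manager; this should be a key encryption key (KEK). Finally, "DEKs must never reside in plaintext" is too strong (they are necessarily plaintext in memory while in use) and should read "must never be stored in plaintext"; "Run the following command to store the DEK in memory" introduces code, not a command; and typos: "infered", "key mangement", "best,according", and the table name `sensible_stuff` presumably meant `sensitive_stuff`.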
+++ b/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx 
@@ -0,0 +1,106 @@ +--- +meta: +title: Perform key rotation using the Scaleway CLI and API +description: Find out how to rotate keys, and why you should adopt this practice. +content: +h1: Perform key rotation using the Scaleway CLI and API +paragraph: Find out how to rotate keys, and why you should adopt this practice. +tags: key sensitive-data rotation +dates: +validation: 2024-10-07 +posted: 2024-10-07 +categories: + - identity-and-access-management +--- + +Key rotation is a critical security practice that ensures that encryption keys are not reused for extended periods of time. Regularly rotating keys helps limit the number of messages encrypted with the same key version. + +This reduces the risk of exposure if a key is compromised, thus enhancing the overall security and resilience of your system. For symmetric encryption, it is generally recommended to rotate keys every 30 to 90 days. + +However, this may vary based on your specific use-case and risk profile. + + + Rotating a key will not re-encrypt your data encryption key or any data you may have encrypted. When performing a + decryption operation with your key on data encrypted before the rotation, the response will contain the ciphertext of your data + with the latest rotation of the key. You can replace your current ciphertext with the new one. + As long as you do not delete the key, anything that you have encrypted with it will still be decipherable. + + +## Why is key rotation recommended? + +Key rotation offers several important advantages such as: + +- **Mitigating cryptanalysis attacks:** Limiting the amount of messages encrypted with the same key version reduces the risk of +cryptanalysis attacks. The recommended key lifetime varies depending on the key algorithm, the number of messages, and +the total number of bytes encrypted with the same key version. 
For example, for the symmetric algorithm AES-256-GCM, +keys must be rotated before approximately 2^32 encryptions have been performed, following the guidelines of [NIST +publication 800-38D](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf). + +- **Minimizing the impact of key compromise:** Regular key rotation limits the amount of messages that could be exposed if +a key is compromised. + +- **Maintaining system resilience against security incidents:** Regular key rotation helps your system stay resilient to +both manual key rotation, whether prompted by a security breach or the need to upgrade to a stronger encryption algorithm. + +- **Complying with regulatory requirements:** Many industry regulations and standards, such as PCI DSS, NIST guidelines, and others, +require or recommend regular key rotation as part of maintaining strong cryptographic controls. + +## Automated key rotation policy + +Copy the following command to configure automatic rotation when creating a key: + +``` + curl -X POST \ + --header 'Content-Type: application/json' \ + --header 'X-Auth-Token: ' \ + 'https://api.scaleway.com/key-manager/v1alpha1/regions/fr-par/keys' \ + --data '{ + "project_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "name": "my-key", + "usage": { + "symmetric_encryption": "aes_256_gcm" + }, + "description": "my key with a rotation policy", + "rotation_policy": { + "rotation_period": "2592000s", // 30 days + "next_rotation_at": "2024-10-01T01:00:00Z" + } + }' +``` + +- **rotation_period:** duration between two key rotations (min: 24 hours, max: 100 years). +- **next_rotation_at:** date at which the key will be rotated next. 
+ +To configure automatic rotation on an existing key, use the `UpdateKey` endpoint as follows: + +``` + curl -X PATCH 'https://api.scaleway.com/key-manager/v1alpha1/regions/fr-par/keys/' \ + --header 'Content-Type: application/json' \ + --header 'X-Auth-Token: ' \ + --data '{ + "rotation_policy": { + "rotation_period": "2592000s", // 30 days + "next_rotation_at": "2024-10-01T01:00:00Z" + } + }' +``` + +## Manually rotate your key + +To rotate your key manually, you can use the `RotateKey` endpoint as follows: + +``` + curl -X POST 'https://api.scaleway.com/key-manager/v1alpha1/regions/fr-par/keys//rotate' \ + --header 'X-Auth-Token: ' \ + --data '' +``` + + + Avoid relying on irregular or manual key rotation as the primary security measure for your application. + + +Keep in mind that: + +- Manually rotating a key does not interrupt, modify or affect its existing automatic rotation schedule. +- Key rotation (both manual and automated) is not possible when you import your own key, because a new key material +would be required for each rotation. diff --git a/identity-and-access-management/key-manager/api-cli/use-streaming-aead-tink-key-manager.mdx b/identity-and-access-management/key-manager/api-cli/use-streaming-aead-tink-key-manager.mdx new file mode 100644 index 0000000000..cdc9a93dcf --- /dev/null +++ b/identity-and-access-management/key-manager/api-cli/use-streaming-aead-tink-key-manager.mdx 
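Review bot: The request bodies in rotate-keys-api-cli.mdx embed `// 30 days` comments inside the JSON (`"rotation_period": "2592000s", // 30 days`), which is not valid JSON, so both the create example and the `PATCH` example fail if copied as-is; move the explanation into the bullet list below, which already documents `rotation_period`. The example `next_rotation_at` of `2024-10-01T01:00:00Z` is already in the past relative to the page's own `posted: 2024-10-07`; use an obviously future date or a placeholder. The front matter of this file is not indented under `meta:`, `content:` and `dates:` (compare the nested ` title:` / ` validation:` layout in the other files of this patch), so `title`, `h1` and `validation` become top-level keys and the page metadata will not be picked up. In the advantages list, "helps your system stay resilient to both manual key rotation, whether prompted by a security breach or the need to upgrade to a stronger encryption algorithm" is a broken sentence (the "both ... and" is never completed); something like "keeps your system ready for an unscheduled manual rotation, whether prompted by a breach or by a move to a stronger algorithm" carries the intended meaning. The three code fences in this file also lack the `bash` language tag used on the other pages.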
@@ -0,0 +1,208 @@ +--- +meta: +title: How to use Streaming AEAD with Tink and Key Manager +description: Discover how to encrypt and decrypt large data streams with Streaming AEAD, Tink and Key Manager +content: +h1: How to use Streaming AEAD with Tink and Key Manager +paragraph: Discover how to encrypt and decrypt large data streams with Streaming AEAD, Tink and Key Manager +tags: key sensitive-data tink aead streaming encryption decryption +dates: +validation: 2024-10-03 +posted: 2024-10-03 +categories: + - identity-and-access-management +--- + +This page shows you how to use Scaleway Key Manager with Tink to securely handle large data streams. Specifically, it uses AEAD, which ensures both encryption and authentication of data, along with associated data (like file paths) that is authenticated but not encrypted. This is important for handling large files efficiently, especially in cases where stream processing is necessary (such as video files or large logs). + +Tink is a multi-language cryptographic library that simplifies common cryptographic operations like encryption, decryption, signing, and more. It provides cryptographic primitives, including AEAD. + +Key Manager handles secure storage and management of encryption keys. In this case, it is integrated with Tink to manage a Key Encryption Key (KEK). + +Streaming AEAD: This is the cryptographic primitive that handles secure, authenticated streaming encryption. It ensures that large amounts of data are encrypted on-the-fly without needing to load everything into memory. + +This page shows you how to use the Key Manager Tink extension to encrypt and decrypt large data streams using Authenticated Encryption with Associated Data (AEAD). 
+ + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Created a key encryption key (KEK) in Key Manager +- A working Go environment +- Installed the [Scaleway Go SDK](https://github.com/scaleway/scaleway-sdk-go) and created [credentials](/developer-tools/scaleway-sdk/go-sdk/) + +## Configuring your environment variables + +Configuring your environment variables allows the Go application to authenticate and use Scaleway's API and Key Manager. + +Open a terminal and paste the following commands to export your environment variables. Make sure that you add your **own variables**. You can also use a Scaleway configuration file. + + ``` + export SCW_ACCESS_KEY="" + export SCW_SECRET_KEY="" + export SCW_DEFAULT_ORGANIZATION_ID="" + export SCW_DEFAULT_PROJECT_ID="" + export SCW_DEFAULT_REGION="" + export SCW_API_URL="" + export SCW_KMS_KEY_ID="" + ``` + +## Encrypting and decrypting large data streams using AEAD + + +1. Open a terminal and add the necessary dependencies for your Go project ([Scaleway Tink provider for Go](https://github.com/scaleway/tink-go-scwkms/tree/main) and Tink): + + ``` + go get github.com/scaleway/tink-go-scwkms + go get github.com/tink-crypto/tink-go/v2 + ``` + +2. 
Create a Go project and paste the following code in a Go file: + + ``` + package main + + import ( + "bytes" + "fmt" + "github.com/scaleway/tink-go-scwkms/integration/scwkms" + "github.com/tink-crypto/tink-go/v2/keyset" + "github.com/tink-crypto/tink-go/v2/streamingaead" + "io" + "log" + "os" + "path/filepath" + ) + + func main() { + const keyURIPrefix = "scw-kms://regions//keys/" + keyURI := keyURIPrefix + os.Getenv("SCW_KMS_KEY_ID") + + client, err := scwkms.NewClient(keyURIPrefix) + if err != nil { + log.Fatal(err) + } + + kekAEAD, err := client.GetAEAD(keyURI) + if err != nil { + log.Fatal(err) + } + + handle, err := keyset.NewHandle(streamingaead.AES256GCMHKDF1MBKeyTemplate()) + if err != nil { + log.Fatal(err) + } + + // Encrypt the keyset and store it in memory (using a bytes buffer) + buf := new(bytes.Buffer) + writer := keyset.NewBinaryWriter(buf) + err = handle.Write(writer, kekAEAD) + if err != nil { + log.Fatalf("Error writing encrypted keyset: %v", err) + } + + // Decrypt the keyset from the buffer + reader := keyset.NewBinaryReader(buf) + decryptedHandle, err := keyset.Read(reader, kekAEAD) + if err != nil { + log.Fatalf("Error reading encrypted keyset: %v", err) + } + + // Create the Streaming AEAD primitive from the decrypted keyset + primitive, err := streamingaead.New(decryptedHandle) + if err != nil { + log.Fatalf("Error creating streaming AEAD primitive: %v", err) + } + + // Create a file with the plaintext. + dir, err := os.MkdirTemp("", "streamingaead") + if err != nil { + log.Fatal(err) + } + defer os.RemoveAll(dir) + plaintextPath := filepath.Join(dir, "plaintext") + if err := os.WriteFile(plaintextPath, []byte("this data needs to be encrypted"), 0666); err != nil { + log.Fatal(err) + } + plaintextFile, err := os.Open(plaintextPath) + if err != nil { + log.Fatal(err) + } + + // AssociatedData defines the context of the encryption. (It is optional) + // Here, we include the path of the plaintext file. 
+ associatedData := []byte("associatedData for " + plaintextPath) + + // Encrypt the plaintext file and write the output to the ciphertext file. + ciphertextPath := filepath.Join(dir, "ciphertext") + ciphertextFile, err := os.Create(ciphertextPath) + if err != nil { + log.Fatal(err) + } + w, err := primitive.NewEncryptingWriter(ciphertextFile, associatedData) + if err != nil { + log.Fatal(err) + } + if _, err := io.Copy(w, plaintextFile); err != nil { + log.Fatal(err) + } + if err := w.Close(); err != nil { + log.Fatal(err) + } + if err := ciphertextFile.Close(); err != nil { + log.Fatal(err) + } + if err := plaintextFile.Close(); err != nil { + log.Fatal(err) + } + + // Print the content of the encrypted file. + c, err := os.ReadFile(ciphertextPath) + if err != nil { + log.Fatal(err) + } + fmt.Println(string(c)) + + // Decrypt the ciphertext file and write the output in the decrypted file. + ciphertextFile, err = os.Open(ciphertextPath) + if err != nil { + log.Fatal(err) + } + decryptedPath := filepath.Join(dir, "decrypted") + decryptedFile, err := os.Create(decryptedPath) + if err != nil { + log.Fatal(err) + } + r, err := primitive.NewDecryptingReader(ciphertextFile, associatedData) + if err != nil { + log.Fatal(err) + } + if _, err := io.Copy(decryptedFile, r); err != nil { + log.Fatal(err) + } + if err := decryptedFile.Close(); err != nil { + log.Fatal(err) + } + if err := ciphertextFile.Close(); err != nil { + log.Fatal(err) + } + + // Print the content of the decrypted file. + b, err := os.ReadFile(decryptedPath) + if err != nil { + log.Fatal(err) + } + fmt.Println(string(b)) + } + ``` + + - The example above shows you how to use the Key Manager remote key encryption key to protect your data encryption key and AEAD stream, you can also protect the data encryption key using another non remote key. + - Associated data is authenticated but not encrypted + + +3. 
Save your changes and run the following commands to execute your code: + + ``` + go mod tidy + go run test.go + `` diff --git a/identity-and-access-management/key-manager/concepts.mdx b/identity-and-access-management/key-manager/concepts.mdx new file mode 100644 index 0000000000..ebee6fa053 --- /dev/null +++ b/identity-and-access-management/key-manager/concepts.mdx 
@@ -0,0 +1,97 @@ +--- +meta: + title: Key Manager - Concepts + description: Discover essential concepts of Scaleway Key Manager. +content: + h1: Concepts + paragraph: Discover essential concepts of Scaleway Key Manager. +tags: key-manager key encryption-key +dates: + validation: 2024-12-09 +--- + +## Asymmetric encryption + +Asymmetric encryption is a fundamental type of cryptographic method used to secure data with a pair of keys: a **public key** and a **private key**. + +The public key is used for encryption and can be shared openly, while the private key is used for decryption and must be kept secret. This design eliminates the need to share a single key securely, which is a challenge in symmetric encryption. + +Asymmetric encryption is particularly well-suited for secure communication and authentication, such as encrypting emails or verifying digital signatures. However, it is slower than symmetric encryption. Algorithms like RSA and ECC are common examples of asymmetric encryption. + +## Ciphertext + +Ciphertext refers to data that has been encrypted using a cryptographic algorithm and a key. + +Unlike [plaintext](#plaintext), ciphertext is not human-readable and cannot be understood or used without first decrypting it with the appropriate decryption key. + +## Data encryption key (DEK) + +A data encryption key is a type of key that has a single purpose: encrypting and decrypting a [payload](#payload). + +DEKs are generated on-demand, and are then encrypted by a [key encryption key](#key-encryption-key-(kek)) before being forwarded to the user. + +DEKs are not stored in Key Manager, but by the recipient. The lifecycle of a DEK typically follows the lifecycle of the payload: + +1. A new DEK is generated for each payload that needs encryption. +2. The DEK is disposed of as soon as the payload becomes irrelevant. 
+ +## Encryption method + +An encryption method is a process used to convert readable data ([plaintext](#plaintext)) into an unreadable format ([ciphertext](#ciphertext)) to protect its confidentiality. + +There are two types of encryption methods: + +- [Symmetric encryption](#symmetric-encryption) +- [Asymmetric encrytpion](#asymmetric-encryption) + +## Key encryption key (KEK) + +A key encryption key (KEK) is a type of key that has a single purpose: encrypting and decrypting [data encryption keys](#data-encryption-key-(dek)). + +The KEK is permanently stored in Scaleway's Key Manager and never leaves it. It cannot be accessed by anyone, and should be [rotated](/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli/) regularly. + +## Key management + +Key management is the process of handling keys used in cryptographic systems to ensure the security and integrity of your cryptographic operations. This includes the generation, exchange, storage, usage, and disposal of these keys. +Although strong cipher algorithms allow you to protect your information with secret keys, your data is only protected as long as your encryption keys are kept secret from non-authorized individuals. + +## Key protection + +Key protection allows your key to be used and modified, but not deleted. This provides an additional layer of security. + +## Key rotation + +Key rotation is the process of replacing an old cryptographic key with a new one. It is a critical practice in key management to minimize the risk of exposure if a key is compromised and to enhance the overall security and resilience of your systems. + +When using [symmetric encryption](#symmetric-encryption), it is generally recommended to rotate keys every 30 to 90 days. + +After rotating your Key Manager keys, all cryptographic operations will use the new rotated keys. All data encrypted with former key versions will remain decipherable with the former key. 
+ +## Key usage + +The key usage specifies the **algorithm** used to create subsequent key versions, and the **scope of cryptographic operations** supported by your key encryption key. +You must define a key usage upon key creation. As of now, Key Manager **only supports symmetric encryption**. + +## Payload + +A payload refers to the core data or message being transmitted, processed, or protected. It is the information of interest that encryption or other security mechanisms aim to secure. + +## Plaintext + +Plaintext refers to unencrypted, readable data. In the context of key management, plaintext often refers to cryptographic keys or sensitive data that are stored or transmitted in an unencrypted form. This term is often used in contrast to ciphertext, which is data that has been encrypted and is not readable without decryption. + +## Region + +A Region refers to the **geographical location** in which your key will be created. **Each region contains multiple Availability Zones**. Your key will be duplicated on **all Availability Zones** of the selected region. Scaleway is available in the Paris, Amsterdam, and Warsaw regions. + +## Root encryption key (REK) + +A root encryption key (REK) is another type of key that has the single purpose of encrypting and decrypting KEKs in order to store them in hard storage. Scaleway's Key Manager has one REK per region, which is securely stored in our facilities. + +## Symmetric encryption + +Symmetric encryption is a fundamental type of cryptographic method where the same key is used to both encrypt and decrypt data. This means that the sender and receiver must have access to the same secret key, which they use to secure their communication. + +Because symmetric encryption relies on a single key, it is generally fast and ideal for encrypting large volumes of data. However, its security depends entirely on keeping the key confidential. 
+ +Symmetric encryption algorithms like AES are widely used in scenarios where speed and efficiency are critical. Key manager supports the `AES_256_GCM` symmetric encryption algorithm. \ No newline at end of file diff --git a/identity-and-access-management/key-manager/how-to/create-km-key.mdx b/identity-and-access-management/key-manager/how-to/create-km-key.mdx new file mode 100644 index 0000000000..043b15ae0f --- /dev/null +++ b/identity-and-access-management/key-manager/how-to/create-km-key.mdx 
@@ -0,0 +1,38 @@ +--- +meta: + title: Create a Key Manager key + description: Discover how to create a key from the Scaleway console to decrypt your data using Scaleway's Key Manager. +content: + h1: Create a Key Manager key + paragraph: Discover how to create a key from the Scaleway console to decrypt your data using Scaleway's Key Manager. +tags: key-manager encryption data key +dates: + validation: 2024-12-09 + posted: 2024-12-09 +categories: + - identity-and-access-management +--- + +Scaleway's Key Manager allows you to create key encryption keys from the [Scaleway console](https://console.scaleway.com). Key encryption keys can then be used to encrypt and decrypt your encrypted data. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to create a Key Manager key + +1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. +2. Click **+ Create key**. +3. Choose the region in which you want to create your key. +4. Enter a name, a description, and optional tags for your key. +5. Select the [encryption method](/identity-and-access-management/key-manager/concepts/#encryption-method) for your key. + + + Key Manager currently only supports the `AES-256 GCM` [symmetric encryption](/identity-and-access-management/key-manager/concepts/#symmetric-encryption) algorithm. + +6. Switch the icon to disable [key protection](/identity-and-access-management/key-manager/concepts/#key-protection) or leave it enabled. + + Key protection allows you to protect your key from accidental deletion. + +7. Click **Create key**. Your key's **Overview** page displays. \ No newline at end of file 
diff --git a/identity-and-access-management/key-manager/how-to/delete-key.mdx b/identity-and-access-management/key-manager/how-to/delete-key.mdx new file mode 100644 index 0000000000..f4c60fbfdf --- /dev/null +++ b/identity-and-access-management/key-manager/how-to/delete-key.mdx @@ -0,0 +1,34 @@ +--- +meta: + title: Delete a Key Manager key + description: Discover how to delete a Key Manager key from the Scaleway console. +content: + h1: Delete a Key Manager key + paragraph: Discover how to delete a Key Manager key from the Scaleway console. +tags: key-manager delete key +dates: + validation: 2024-12-09 + posted: 2024-12-09 +categories: + - identity-and-access-management +--- + +This page shows you how to delete a Key Manager key. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- [Created](/identity-and-access-management/key-manager/how-to/create-km-key/) a Key Manager key +- Disabled key protection from the key to delete + +## How to delete a key + +1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. Your keys display. +2. Click the key you want to delete. +3. Scroll down to the **Delete key** section, and click **Delete key**. +4. Type **DELETE** to confirm and click **Delete key**. + + + All data encrypted using this key, including data encryption keys, will become unusable. + \ No newline at end of file diff --git a/identity-and-access-management/key-manager/how-to/disable-key.mdx b/identity-and-access-management/key-manager/how-to/disable-key.mdx new file mode 100644 index 0000000000..4a5578cadf --- /dev/null +++ b/identity-and-access-management/key-manager/how-to/disable-key.mdx 
@@ -0,0 +1,33 @@ +--- +meta: + title: Disable a Key Manager key + description: Discover how to disable a Key Manager key from the Scaleway console. +content: + h1: Disable a Key Manager key + paragraph: Discover how to disable a Key Manager key from the Scaleway console. +tags: key-manager disable key +dates: + validation: 2024-12-09 + posted: 2024-12-09 +categories: + - identity-and-access-management +--- + +This page shows you how to disable a Key Manager key which is enabled by default. Disabling a key renders it unusable for cryptographic operations by any user and application. + + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- [Created](/identity-and-access-management/key-manager/how-to/create-km-key/) a Key Manager key + +## How to disable a key + +1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. Your keys display. +2. Click the key you want to disable. +3. Scroll down to the **Key state** section, and click **Disable key**. + + Your key might be used by third-party programs. Disabling it could cause your services to stop working. You can enable your key again anytime. + +4. Click **Disable key** to confirm. diff --git a/identity-and-access-management/key-manager/how-to/index.mdx b/identity-and-access-management/key-manager/how-to/index.mdx new file mode 100644 index 0000000000..d0c2aa1fbc --- /dev/null +++ b/identity-and-access-management/key-manager/how-to/index.mdx @@ -0,0 +1,8 @@ +--- +meta: + title: Key Manager - How Tos + description: Key Manager How Tos +content: + h1: How Tos + paragraph: Key Manager How Tos +--- 
diff --git a/identity-and-access-management/key-manager/how-to/manage-dek.mdx b/identity-and-access-management/key-manager/how-to/manage-dek.mdx new file mode 100644 index 0000000000..4067fa9d06 --- /dev/null +++ b/identity-and-access-management/key-manager/how-to/manage-dek.mdx 
@@ -0,0 +1,44 @@ +--- +meta: + title: Create a Key Manager data encryption key + description: Discover how to create a data encryption key from the Scaleway console to encrypt and decrypt your payloads using Scaleway's Key Manager. +content: + h1: Create a Key Manager data encryption key + paragraph: Discover how to create a data encryption key from the Scaleway console to encrypt and decrypt your payloads using Scaleway's Key Manager. +tags: key-manager data-encryption-key data key payload encryption +dates: + validation: 2024-12-09 + posted: 2024-12-09 +categories: + - identity-and-access-management +--- + +Scaleway's key Manager allows you to create [data encryption keys (DEK)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-(dek)) to encrypt and decrypt your [payload](/identity-and-access-management/key-manager/concepts/#payload). + +You can then use your Key Manager key to encrypt your DEK. + + + You are responsible for storing your DEKS, as Key Manager does not store them for you. + + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- [Created](/identity-and-access-management/key-manager/how-to/create-km-key/) a Key Manager key + +## How to create and manage a data encryption key (DEK) + +1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. Your keys display. +2. Click the key for which to create a data encryption key. +3. Scroll down to the **Generate data encryption key** section. +4. Click **Generate data encryption key**. A pop-up displays with the [ciphertext](/identity-and-access-management/key-manager/concepts/#ciphertext) of your DEK. +5. Copy and store your DEK's ciphertext safely. 
+ + As Key Manager does not store your DEKs, we recommend that you **always store the ciphertext** of your data encryption key rather than its [plaintext](/identity-and-access-management/key-manager/concepts/#plaintext). + +6. Optionally, click **Display plaintext** to make sure that the plaintext does not contain any mistakes. +7. Click **Close**. + +### Differences between ciphertext and plaintext + diff --git a/identity-and-access-management/key-manager/how-to/rotate-keys.mdx b/identity-and-access-management/key-manager/how-to/rotate-keys.mdx new file mode 100644 index 0000000000..3d387e98a4 --- /dev/null +++ b/identity-and-access-management/key-manager/how-to/rotate-keys.mdx 
@@ -0,0 +1,32 @@ +--- +meta: + title: Perform key rotation using the Scaleway console + description: Discover how to rotate a key from the Scaleway console to decrypt your data using Scaleway's Key Manager. +content: + h1: Create a Key Manager key + paragraph: Discover how to rotate a key from the Scaleway console to decrypt your data using Scaleway's Key Manager. +tags: key-manager encryption data key +dates: + validation: 2024-12-09 + posted: 2024-12-09 +categories: + - identity-and-access-management +--- + +Key rotation is a critical security practice that ensures that encryption keys are not reused for extended periods of time. Regularly rotating keys helps limit the number of messages encrypted with the same key version. + +This reduces the risk of exposure if a key is compromised, thus enhancing the overall security and resilience of your system. For symmetric encryption, it is generally recommended to rotate keys every 30 to 90 days. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- [Created](/identity-and-access-management/key-manager/how-to/create-km-key/) a Key Manager key + +1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. Your keys display. +2. Click the key to perform the rotation on. Your key's **Overview** tab displays. +3. Scroll down to the **Key rotation** section, and click **Rotate key**. A tooltip displays to confirm the rotation was performed. + + Rotating your key creates a new version of it. All cryptographic operations will use the new key rotation. All data encrypted with former key versions will remain decipherable with the former key. + +4. 
Check that your key was rotated under the **Current rotation** field in the **Key information** section. diff --git a/identity-and-access-management/key-manager/index.mdx b/identity-and-access-management/key-manager/index.mdx new file mode 100644 index 0000000000..7ca3a6d550 --- /dev/null +++ b/identity-and-access-management/key-manager/index.mdx @@ -0,0 +1,81 @@ +--- +meta: + title: Key Manager Documentation + description: Dive into Scaleway Key Manager with our quickstart guides, how-tos, and more. +--- + + + +## Getting Started + + + + + + + + +## API/CLI + + + + + + + + + +## Changelog + + diff --git a/identity-and-access-management/key-manager/quickstart.mdx b/identity-and-access-management/key-manager/quickstart.mdx new file mode 100644 index 0000000000..7e7f588a85 --- /dev/null +++ b/identity-and-access-management/key-manager/quickstart.mdx @@ -0,0 +1,20 @@ +--- +meta: + title: Key Manager - Quickstart + description: Learn how to quickly set up and manage keys with Scaleway's Key Manager. Follow our step-by-step guide to create keys. +content: + h1: Quickstart + paragraph: Learn how to quickly set up and manage keys with Scaleway's Key Manager. Follow our step-by-step guide to create keys. +dates: + validation: 2024-12-09 + posted: 2024-12-09 +--- + +Scaleway's Key Manager allows you to create key encryption keys from the [Scaleway console](https://console.scaleway.com). Key encryption keys can then be used to encrypt and decrypt your encrypted data. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization + + 
diff --git a/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx b/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx new file mode 100644 index 0000000000..3c24a2966d --- /dev/null +++ b/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx 
@@ -0,0 +1,62 @@ +--- +meta: + title: What is the difference between Key Manager and Secret Manager? + description: Learn the differences between Key Manager and Secret Manager and which one to use according to your needs +content: + h1: What is the difference between Key Manager and Secret Manager? + paragraph: Learn the differences between Key Manager and Secret Manager and which one to use according to your needs +tags: key-manager secret-manager security +dates: + validation: 2024-10-07 +--- + + + +Secret Manager and Key Manager are both security-focused products aiming to help you protect your data and improve the security of your infrastructure. +The difference between th two of them is not always clear, and you may be unsure which one is most appropriate for your use-case. + +This page helps you answer that question. + + +## Secret Manager + +Secret Manager stores various secrets that your applications might need to access at some point. For example, when your application needs to call an external API service or connect to a database, it fetches the API token +or the credentials from Secret Manager before proceeding. + +Secrets can be largely anything you want: API tokens, credentials to connect to a database or simply sensitive data. There are no limits, other than the size of the secrets which is limited to 64 KiB. + + +## Key Manager + +In contrast, Key Manager only stores cryptographic keys. At first, Key Manager may seem to be just a limited version of Secret Manager, for keys only. + +It is indeed true that Secret Manager could also store cryptographic keys and hand them over to applications that need to perform cryptographic operations. + +However, this approach can lead to serious security problems such as: + + - inadvertently storing your keys in plaintext, or exposing them (e.g. in logs) + - incorrect (re-)use of keys: your application would be responsible for using the key correctly, + which is harder than it first seems. 
+ - not disposing of the key properly after use (e.g. letting it reside in swap disk) + +These are typical key management problems that are not effectively solved by Secret Manager, hence the need for Key Manager. + +Key Manager does **not** simply give you any requested key. All keys residing in Key Manager never (and never will) leave Key Manager, since +there is no way to extract them by design. + +Since you cannot extract keys, Key Manager performs the cryptographic operations for you. This means that your application supplies the plaintext to be encrypted, or +the ciphertext to be decrypted. Your application is no longer responsible for managing the keys and using them properly as Key Manager takes care of it. + +Last, but not least, Key Manager provides another way of authorizing certain actions. You might want to authorize some principals only to encrypt data, and others +only to decrypt data. + +Let's take the example of an application that receives sensitive health data that needs to be encrypted before being inserted into a database.The application would be able to ask Key Manager +to carry out encryption operations, but not decryption operations, so it cannot read the sensitive data already stored. + +This would not be possible to achieve with Secret Manager, since both writing and reading applications would need permissions to read the key from Secret Manager, which is sufficient to both encrypt and decrypt the data. + + +## Conclusion + +Cryptographic keys are secrets that need special care, and Key Manager is an effective tool to help you manage them securely. Key Manager allows your applications to offload all sensitive cryptographic +operations and keep keys out-of-band for extra security. diff --git a/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx b/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx new file mode 100644 index 0000000000..f1379ff318 --- /dev/null 
+++ b/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx 
@@ -0,0 +1,48 @@ +--- +meta: + title: Security measures to be aware of when using Key Manager + description: Discover how to enjoy Key Manager and data encryption and decryption securely. +content: + h1: Security measures to be aware of when using Key Manager + paragraph: Discover how to enjoy Key Manager and data encryption and decryption securely. +tags: key-manager security-measures security encryption decryption +dates: + validation: 2024-12-09 + posted: 2024-12-09 +categories: + - identity-and-access-management +--- + +## Key storage + +We strongly advise that you **never store data encryption keys (DEKs) in plaintext**. + +**Storing DEKs in plaintext poses a significant security risk** and defeats the purpose of using Key Manager or any key management service in the first place. + +You should always use your key encryption key (KEK) [created via Key Manager](/create-a-kek/) to encrypt and decrypt your DEKs. + + +## Key deletion + +Always **delete the plaintext version of your DEKs** after use. The key you should use to encrypt your DEKs securely is your KEK. + + +This practice is crucial for **maintaining the security of the encrypted data** by minimizing the time during which the plaintext DEKs are exposed and vulnerable to unauthorized access. + +## Use DEKs only once + +For **each piece of plaintext data that you want to encrypt**, you should generate a new, **unique DEK**, through Scaleway's Key Manager. + +Using a unique DEK for each piece of plaintext ensures that even if one DEK is compromised, it does not affect the security of other encrypted data. + +## Use Key Manger to encrypt your DEKs only + +While it is technically possible to encrypt and decrypt data directly in Key Manager (with a size limitation of up to 64 KB), **we do not advise that you use Key Manager this way**. + +Instead of using Key Manager for data encryption and decryption, you should use a data encryption key (DEK). 
+ +This is recommended for two main reasons: + +- Performance: Encrypting and decrypting data directly with Key Manager can be less efficient compared to using a DEK, especially for larger volumes of data. + +- Economic: **Scaleway charges for each operation involving KEKs**. Using a DEK minimizes the number of operations you need to perform with the KEK, reducing costs. diff --git a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx new file mode 100644 index 0000000000..3b50cbcdf9 --- /dev/null +++ b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx 
@@ -0,0 +1,60 @@ +--- +meta: + title: Understanding Scaleway Key Manager + description: Discover the robust encryption methods used by Secret Manager to safeguard sensitive data effectively. Learn about the Hierarchical Key Management System and its pivotal role in securing encryption keys and data integrity. +content: + h1: Understanding Scaleway Key Manager + paragraph: Discover the robust encryption methods used by Secret Manager to safeguard sensitive data effectively. Learn about the Hierarchical Key Management System and its pivotal role in securing encryption keys and data integrity. +tags: key-manager encryption data key +dates: + validation: 2024-12-09 + posted: 2024-12-09 +categories: + - identity-and-access-management +--- + +## How does Key Manager work? + +You will find a diagram in the box below on best practices for how Key Manager works. + +It is recommended to use keys stored in Key Manager as [key encryption keys (KEK)](), which are used to encrypt and decrypt [data encryption keys (DEKs)]() stored on the client side. + +## Why use data encryption keys? + +Unlike key encryption keys, which cannot be accessed, you can use data encryption keys (DEK) to encrypt your data. You can also use data encryption keys outside of Scaleway Key Manager. + +The main benefit of using DEKs is that you do not have to re-encrypt your data at each rotation performed in Key Manager. Only the DEK needs to be re-encrypted with a new KEK. + +By rotating solely the KEK, the security of data-at-rest is reinforced without needing heavy encryption operations. + +When Key Manager generates data encryption keys, it returns a plaintext version of your key for immediate use, and a ciphertext, which is an encrypted copy of the data encryption key, that you can safely store. + + + Do not store your data encryption key's plaintext. When you want to decrypt your data, you need to go through Key Manager to decrypt the encrypted DEK. Find out [how to decrypt your data with Tink](LINK). 
+ While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. **You must use and manage data encryption keys outside of Scaleway's Key Manager**. + + +## Key usage and algorithms + +The key usage specifies the **algorithm** used to create subsequent key versions, and the **scope of cryptographic operations** supported by the key. As of now, **only symmetric encryption is supported**. + +Keys with a key usage set to `symmetric_encryption` are **used to encrypt and decrypt data**. + +Key Manager currently **only supports the `AES-256-GCM` key algorithm**. The following parameters, in compliance with the [recommendations of ANSSI](https://cyber.gouv.fr/publications/mecanismes-cryptographiques), are used when creating and using a key with the `AES-256 GCM` algorithm. + +### Key derivation algorithm + +HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869 with SHA-256 as hash algorithm. + + +### Key material + +A sequence of 256-bits is created from a cryptographically secure random number generator, drawing its entropy from a `/dev/urandom` source. This key material is fed into the key derivation algorithm to create a new key version. + +### Key version length + +A key version length of 256 bits. + +### Block cipher + +Galois Counter Mode (GCM) with a block size of 128-bits. From fbe799c36cb55272b64a8afb921aad560509aeb9 Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Wed, 11 Dec 2024 15:06:33 +0100 Subject: [PATCH 2/8] docs(key-manager): add --- faq/key-manager.mdx | 48 +++--------- .../key-manager/concepts.mdx | 73 ++++++++++++++++--- .../key-manager/how-to/manage-dek.mdx | 15 ++-- .../understanding-key-manager.mdx | 67 +++++++++++++---- macros/key-manager/encryption.mdx | 5 ++ 5 files changed, 139 insertions(+), 69 deletions(-) create mode 100644 macros/key-manager/encryption.mdx 
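Review bot: two intra-doc links in the "How does Key Manager work?" paragraph of this new file have empty targets, `[key encryption keys (KEK)]()` and `[data encryption keys (DEKs)]()`, and the admonition ends in a `(LINK)` placeholder, so the page ships with broken links; fill them here (the concepts-page anchors used later in this series) rather than in a follow-up commit. The same hunk sets both `description` and `paragraph` to "the robust encryption methods used by Secret Manager" on a Key Manager page, and the first section promises "a diagram in the box below" that the file does not contain; fix the product name and either add the diagram or drop the sentence. Minor: the scheme is written `AES-256-GCM` in one sentence and `AES-256 GCM` in the next; use one spelling.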
diff --git a/faq/key-manager.mdx b/faq/key-manager.mdx index 61f75d75ae..e2690ba23f 100644 --- a/faq/key-manager.mdx +++ b/faq/key-manager.mdx 
@@ -5,65 +5,35 @@ meta: content: h1: Key Manager dates: - validation: 2024-12-09 + validation: 2024-12-11 category: identity-and-access-management -productIcon: KeyManagerProductIcon +productIcon: AuditTrailProductIcon --- ## Why should you use Scaleway Key Manager? Key Manager helps organizations achieve secure key management by handling low-level and error-prone cryptographic details for you. - ## What features does Scaleway Key Manager include? Scaleway Key Manager allows you to create, manage and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to Key Manager, which in turn ensures the security and availability of your keys. ## Which management methods can I use with Key Manager? -Key Manager allows you to create and manage the complete lifecycle of a key. Below are all the ways you can use Key Manager to manage your data. - -### Create a key: - -You must specify a **key usage**, which defines the **purpose of the key** (encryption, signing, etc.) and which **cryptographic algorithm** will be used to derive the key. Upon key creation, a first key version is also automatically created. - -### Retrieve a key: - -Retrieving a key **only returns the metadata associated with the key**. The key versions will not be returned when retrieving a key. - -### List keys: - -You can retrieve a subset of your keys according to filters such as "name", "description", "tags", etc. - -### Update a key: - -You can update the key's name, description or tags at any time. - -### Enable and disable key protection: - -**Enabling key protection prevents any accidental deletion of a key**. You must disable key protection before deleting a key to which key protection is applied. - -### Rotate a key: - -Rotating a key **creates a new key version and makes all previous versions obsolete**. - -### Delete a key: - -Deleting a key also **deletes all its versions**. 
- +Read our [dedicated documentation](/identity-and-access-management/key-manager/reference-content/understanding-key-manager/#management-methods-you-can-use-with-key-manager) to find out about the management methods Key Manager provides. ## Which cryptographic operations does Key Manager support? -At the moment, Scaleway's Key Manager supports the three following cryptographic operations. +Key Manager supports the three following cryptographic operations: -| Encryption | Decryption | Data encryption key generation | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Encrypt data using the latest version of the Key Manager key. The encryption algorithm used is the one defined when setting the key usage. 
Only keys with a usage set to `symmetric_encryption` are supported by this method. The input data is arbitrary, but this endpoint should only be used only to encrypt data encryption keys, not actual payloads. [Find out how to encrypt and decrypt payloads using The Scaleway Tink provider](/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink) | This operation lets you decrypt an encrypted payload. **The only way to decrypt an encrypted payload is by using the `Decrypt` endpoint. Since key versions never leave Key Manager, there is no other way to decrypt data outside Key Manager.** A payload encrypted with an older key version can still be decrypted. In this case, for convenience, the payload encrypted with the latest key version will be returned, along with the decrypted payload. | Generate a symmetric [data encryption key](/identity-and-access-management/key-manager/concepts/#data-encryption-key-(dek)) (DEK) that can be used outside Key Manager to encrypt and decrypt payloads. This DEK is encrypted with a key encryption key, specified by the caller. **The management of the DEK is the responsibility of the caller. The DEK should be stored safely and have the same lifecycle as the payload it encrypts.** | +- [Encryption](/identity-and-access-management/key-manager/concepts/#encryption) +- [Decryption](/identity-and-access-management/key-manager/concepts/#decryption) +- [Data encryption key](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) generation ## Which algorithms and key usage does Key Manager support? -Key Manager **only supports symmetric encryption as of yet**. + Keys with a [key usage](/identity-and-access-management/key-manager/concepts/#key-usage) set to `symmetric_encryption` are **used to encrypt and decrypt data**. -Key Manager currently **only supports the `AES-256-GCM` key algorithm**. 
Refer to our [dedicated documentation](/identity-and-access-management/key-manager/reference-content/understanding-key-manager/) to find out which parameters (in compliance with the [recommendations of ANSSI](https://cyber.gouv.fr/publications/mecanismes-cryptographiques)) are used when creating and using a key with the `AES-256 GCM` [symmetric encryption](/identity-and-access-management/key-manager/concepts/#symmetric-encryption) algorithm. \ No newline at end of file +Refer to our [dedicated documentation](/identity-and-access-management/key-manager/reference-content/understanding-key-manager/) to find out more about Key Manager. \ No newline at end of file diff --git a/identity-and-access-management/key-manager/concepts.mdx b/identity-and-access-management/key-manager/concepts.mdx index ebee6fa053..7f78c8a0ac 100644 --- a/identity-and-access-management/key-manager/concepts.mdx +++ b/identity-and-access-management/key-manager/concepts.mdx 
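Review bot: `productIcon` in the FAQ front matter changes from `KeyManagerProductIcon` to `AuditTrailProductIcon`, which reads like a copy-paste from another product's FAQ; unless the Key Manager icon does not exist yet, keep `KeyManagerProductIcon`. In the same hunk, under "Which algorithms and key usage does Key Manager support?", the removed sentence "Key Manager **only supports symmetric encryption as of yet**" is replaced by a line that appears here as an empty `+ `; if that line is meant to carry the include of the new `macros/key-manager/encryption.mdx` macro, confirm it is really present, because as shown the FAQ no longer states which encryption scheme is supported.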
@@ -24,29 +24,76 @@ Ciphertext refers to data that has been encrypted using a cryptographic algorith Unlike [plaintext](#plaintext), ciphertext is not human-readable and cannot be understood or used without first decrypting it with the appropriate decryption key. +## Cryptographic operation + +A cryptographic operation is any action performed using cryptography to secure data, ensure privacy, or authenticate information. + +Key Manager supports the three following cryptographic operations: + +- [Encryption](#encryption) +- [Decryption](#decryption) +- [Data encryption key](#data-encryption-key-dek) generation + + +These operations are designed to protect data from unauthorized access, ensure its integrity, and verify the identities of users or systems. + ## Data encryption key (DEK) -A data encryption key is a type of key that has a single purpose: encrypting and decrypting a [payload](#payload). +A data encryption key is a type of key that can be used outside Key Manager to encrypt and decrypt [payloads](#payload). + +Key Manager generates DEKs on-demand. They are then encrypted by a [key encryption key](#key-encryption-key-kek) specified by the user, and forwarded to the recipient. + +DEKs are **not stored in or managed by Key Manager**. The user is reponsible for safely storing and managing DEKs. DEKs should have the same lifecycle as the [payload](#payload) they encrypt**. + +## Decryption + +A cryptographic operation used to convert [ciphertext](#ciphertext) back into its original [plaintext](#plaintext) form, using a key encryption key. + +The only way to decrypt an encrypted payload is by using the `Decrypt` [endpoint](https://www.scaleway.com/en/developers/api/key-manager/V1/#path-keys-decrypt-keys). Since key versions never leave Key Manager, there is no other way to decrypt data outside Key Manager.** A payload encrypted with an older key version can still be decrypted. 
In this case, for convenience, the payload encrypted with the latest key version will be returned, along with the decrypted payload. + +## Encryption + +A cryptographic operation used to encrypt data using the latest version of the Key Manager key. The [encryption algorithm](#encryption-algorithm) used is the one defined when setting the [key usage](#key-usage). -DEKs are generated on-demand, and are then encrypted by a [key encryption key](#key-encryption-key-(kek)) before being forwarded to the user. +Only keys with a usage set to `symmetric_encryption` are supported by this method. The input data is arbitrary, but this endpoint should only be used to encrypt **data encryption keys**, not actual [payloads](#payload). -DEKs are not stored in Key Manager, but by the recipient. The lifecycle of a DEK typically follows the lifecycle of the payload: +[Find out how to encrypt and decrypt payloads using The Scaleway Tink provider](/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink) -1. A new DEK is generated for each payload that needs encryption. -2. The DEK is disposed of as soon as the payload becomes irrelevant. +## Encryption algorithm + +An encryption algorithm is the specific procedure used to perform encryption and decryption. + +It defines the exact steps to transform plaintext into ciphertext and vice versa using a key. + +As of now, Key Manager supports the following encryption algorithm: + +- AES (Advanced Encryption Standard): A widely used symmetric encryption algorithm. ## Encryption method -An encryption method is a process used to convert readable data ([plaintext](#plaintext)) into an unreadable format ([ciphertext](#ciphertext)) to protect its confidentiality. +An encryption method is a broader approach used to convert readable data ([plaintext](#plaintext)) into an unreadable format ([ciphertext](#ciphertext)) which may involve one or more [encryption algorithms](#encryption-algorithm). 
-There are two types of encryption methods: +There are three types of encryption methods: - [Symmetric encryption](#symmetric-encryption) - [Asymmetric encrytpion](#asymmetric-encryption) +- Hybrid encryption: An encryption method that combines both symmetric and asymmetric methods + +Key Manager only supports symmetric encryption. + +## Encryption scheme + +An encryption scheme is a structured approach to encryption that specifies the encryption algorithm, key size, and mode of operation for block chiphers. + +For example, in the `AES-256-GCM` encryption scheme: + +- `AES` refers to the Advanced Encryption Standard (AES) encryption algorithm +- `256` refers to the key length in bits +- `GCM` or Galois/Counter Mode, is the mode of operation for block ciphers. GCM encrypts your plaintext data using AES, and authenticates it using a unique "tag". This means that if anyone tampers with your data, you will know because the tag will not match anymore. ## Key encryption key (KEK) -A key encryption key (KEK) is a type of key that has a single purpose: encrypting and decrypting [data encryption keys](#data-encryption-key-(dek)). +A key encryption key (KEK) is a type of key that has a single purpose: encrypting and decrypting [data encryption keys](#data-encryption-key-dek). The KEK is permanently stored in Scaleway's Key Manager and never leaves it. It cannot be accessed by anyone, and should be [rotated](/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli/) regularly. 
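Review bot: two added lines carry an unmatched closing `**`: "DEKs should have the same lifecycle as the [payload](#payload) they encrypt**." in the DEK section and "...there is no other way to decrypt data outside Key Manager.**" in the Decryption section; both sentences were bold in the FAQ table they were moved from, so either restore the opening `**` or remove the trailing one. Typos in added text: "reponsible" (responsible) in the DEK section and "block chiphers" (block ciphers) under "Encryption scheme"; the unchanged context line "[Asymmetric encrytpion](#asymmetric-encryption)" could be corrected in the same pass. The Decryption definition also says ciphertext is converted back "using a key encryption key" while the Encryption section says the endpoint "should only be used to encrypt **data encryption keys**, not actual payloads"; state in the Decryption section that the `Decrypt` endpoint is likewise intended for the encrypted DEK, so the two definitions agree.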
@@ -72,6 +119,14 @@ After rotating your Key Manager keys, all cryptographic operations will use the The key usage specifies the **algorithm** used to create subsequent key versions, and the **scope of cryptographic operations** supported by your key encryption key. You must define a key usage upon key creation. As of now, Key Manager **only supports symmetric encryption**. +## Key version + +A key version is a a specific iteration of your key encryption key. Each version of your key represents a distinct state or version that may be [rotated](#key-rotation) or replaced over time. + +Key versions allow you to manage and track changes to your data encryption keys. When using key versions, all cryptographic operations will rely on the current key version. + +Data you have encrypted with previous key versions will still be accessible and decipherable using those specific keys, ensuring backward compatibility. + ## Payload A payload refers to the core data or message being transmitted, processed, or protected. It is the information of interest that encryption or other security mechanisms aim to secure. @@ -94,4 +149,4 @@ Symmetric encryption is a fundamental type of cryptographic method where the sam Because symmetric encryption relies on a single key, it is generally fast and ideal for encrypting large volumes of data. However, its security depends entirely on keeping the key confidential. -Symmetric encryption algorithms like AES are widely used in scenarios where speed and efficiency are critical. Key manager supports the `AES_256_GCM` symmetric encryption algorithm. \ No newline at end of file +Symmetric encryption algorithms like AES are widely used in scenarios where speed and efficiency are critical. As of now, Key manager only supports the `AES_256_GCM` symmetric encryption algorithm. \ No newline at end of file 
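Review bot: "A key version is a a specific iteration" in the new Key version section has a doubled "a". More importantly, the same section says key versions "allow you to manage and track changes to your data encryption keys", but a key version is a version of the Key Manager key (the KEK), as its own first sentence says, and the DEK section states DEKs are not stored or managed by Key Manager; change "data encryption keys" to "key encryption keys". The last hunk writes the scheme as `AES_256_GCM` whereas the Encryption scheme section added in the previous hunk uses `AES-256-GCM`; if `AES_256_GCM` is the literal API value, say so, otherwise align the spelling.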
diff --git a/identity-and-access-management/key-manager/how-to/manage-dek.mdx b/identity-and-access-management/key-manager/how-to/manage-dek.mdx index 4067fa9d06..d4732fb3de 100644 --- a/identity-and-access-management/key-manager/how-to/manage-dek.mdx +++ b/identity-and-access-management/key-manager/how-to/manage-dek.mdx @@ -7,13 +7,13 @@ content: paragraph: Discover how to create a data encryption key from the Scaleway console to encrypt and decrypt your payloads using Scaleway's Key Manager. tags: key-manager data-encryption-key data key payload encryption dates: - validation: 2024-12-09 - posted: 2024-12-09 + validation: 2024-12-11 + posted: 2024-12-11 categories: - identity-and-access-management --- -Scaleway's key Manager allows you to create [data encryption keys (DEK)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-(dek)) to encrypt and decrypt your [payload](/identity-and-access-management/key-manager/concepts/#payload). +Scaleway's key Manager allows you to create [data encryption keys (DEK)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) to encrypt and decrypt your [payload](/identity-and-access-management/key-manager/concepts/#payload). You can then use your Key Manager key to encrypt your DEK. 
@@ -35,10 +35,9 @@ You can then use your Key Manager key to encrypt your DEK. 4. Click **Generate data encryption key**. A pop-up displays with the [ciphertext](/identity-and-access-management/key-manager/concepts/#ciphertext) of your DEK. 5. Copy and store your DEK's ciphertext safely. - As Key Manager does not store your DEKs, we recommend that you **always store the ciphertext** of your data encryption key rather than its [plaintext](/identity-and-access-management/key-manager/concepts/#plaintext). + - We recommend that you **always store the ciphertext** of your data encryption key rather than its [plaintext](/identity-and-access-management/key-manager/concepts/#plaintext). + - While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. **You must use and manage data encryption keys outside of Key Manager**. + - Read our [documentation](/identity-and-access-management/key-manager/reference-content/understanding-key-manager/) to understand Key Manager. 6. Optionally, click **Display plaintext** to make sure that the plaintext does not contain any mistakes. -7. Click **Close**. - -### Differences between ciphertext and plaintext - +7. Click **Close**. \ No newline at end of file diff --git a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx index 3b50cbcdf9..42250cda1e 100644 --- a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx +++ b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx 
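Review bot: the new sub-bullets under step 5 ("- We recommend that you **always store the ciphertext**...", "- While Scaleway Key Manager is responsible...", "- Read our [documentation]...") appear in this hunk with a single leading space after the `+`; to nest under "5. Copy and store your DEK's ciphertext safely." they must be indented to the ordered item's content column, otherwise they open a new list and steps 6 and 7 restart numbering. The touched context line "Scaleway's key Manager allows you to create..." also still spells the product "key Manager"; capitalize it while the line is being edited for the anchor fix.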
@@ -7,8 +7,8 @@ content: paragraph: Discover the robust encryption methods used by Secret Manager to safeguard sensitive data effectively. Learn about the Hierarchical Key Management System and its pivotal role in securing encryption keys and data integrity. tags: key-manager encryption data key dates: - validation: 2024-12-09 - posted: 2024-12-09 + validation: 2024-12-11 + posted: 2024-12-11 categories: - identity-and-access-management --- @@ -17,7 +17,7 @@ categories: You will find a diagram in the box below on best practices for how Key Manager works. -It is recommended to use keys stored in Key Manager as [key encryption keys (KEK)](), which are used to encrypt and decrypt [data encryption keys (DEKs)]() stored on the client side. +It is recommended to use keys stored in Key Manager as [key encryption keys (KEK)](/identity-and-access-management/key-manager/concepts/#key-encryption-key-kek), which are used to encrypt and decrypt [data encryption keys (DEKs)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) stored on the client side. ## Why use data encryption keys? 
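Review bot: the context line `paragraph: Discover the robust encryption methods used by Secret Manager...` (and the matching `description` above it) still names Secret Manager on the Key Manager reference page; this hunk already touches the front matter for the dates, so correct the product name in the same change.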
@@ -27,34 +27,75 @@ The main benefit of using DEKs is that you do not have to re-encrypt your data a By rotating solely the KEK, the security of data-at-rest is reinforced without needing heavy encryption operations. -When Key Manager generates data encryption keys, it returns a plaintext version of your key for immediate use, and a ciphertext, which is an encrypted copy of the data encryption key, that you can safely store. +When Key Manager generates data encryption keys, a [plaintext](/identity-and-access-management/key-manager/concepts/#plaintext) version of your key is retunred for immediate use, and a [ciphertext](/identity-and-access-management/key-manager/concepts/#ciphertext), which is an encrypted copy of the data encryption key, that you can safely store. - Do not store your data encryption key's plaintext. When you want to decrypt your data, you need to go through Key Manager to decrypt the encrypted DEK. Find out [how to decrypt your data with Tink](LINK). - While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. **You must use and manage data encryption keys outside of Scaleway's Key Manager**. + - Never store your data encryption key's plaintext. When you want to decrypt your data, you need to go through Key Manager to decrypt the encrypted DEK. Find out [how to decrypt your data with Tink](/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink/). + - While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. **You must use and manage data encryption keys outside of Scaleway's Key Manager**. +## What is the difference between ciphertext and plaintext? 
+ +[Ciphertext](/identity-and-access-management/key-manager/concepts/#ciphertext) and [plaintext](/identity-and-access-management/key-manager/concepts/#plaintext) are two fundamental terms in encryption. + +Plaintext refers to data in its original, readable form, such as a message, document, or file, that has not been encrypted. + +It is the information as it appears before any encryption process or after decryption. + +Ciphertext is the result of applying an encryption algorithm to plaintext. It is the scrambled, unreadable version of the data that is secure from unauthorized access. + +While plaintext can be understood directly by humans or computers, ciphertext requires a decryption key to convert it back into plaintext. This transformation between plaintext and ciphertext ensures the confidentiality of information during storage or transmission, protecting it from being intercepted or read by unauthorized parties. + +## Which cryptographic operations does Key Manager support? + +Key Manager supports the three following cryptographic operations: + +- [Encryption](/identity-and-access-management/key-manager/concepts/#encryption) +- [Decryption](/identity-and-access-management/key-manager/concepts/#decryption) +- [Data encryption key](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) generation + +## Management methods you can use with Key Manager + +Key Manager allows you to create and manage the complete lifecycle of your keys. Below are all the ways you can use Key Manager to manage your data. + +- Create a key: You must specify a [key usage](/identity-and-access-management/key-manager/concepts/#key-usage), which defines the **purpose of the key** (encryption, signing, etc.) and which [encryption algorithm](/identity-and-access-management/key-manager/concepts/#encryption-algorithm) will be used to derive the key. + +Upon key creation, Key Manager automatically creates a first key version. 
+ +- Retrieve a key: Retrieving a key **only returns the metadata associated with the key**, not the [key versions](/identity-and-access-management/key-manager/concepts/#key-version). + +- List keys: You can retrieve a subset of your keys according to filters such as "name", "description", "tags", etc. + +- Update a key: You can update the key's name, description or tags at any time. + +- Enable and disable key protection: **Enabling key protection prevents accidental deletion of a key**. You must disable key protection before deleting a key to which key protection is applied. + +- Rotate a key: Rotating a key **creates a new key version and makes all previous versions obsolete**. + +- Delete a key: Deleting a key also **deletes all its versions**. All data encrypted using the key, including data encryption keys, will become unusable. + ## Key usage and algorithms -The key usage specifies the **algorithm** used to create subsequent key versions, and the **scope of cryptographic operations** supported by the key. As of now, **only symmetric encryption is supported**. +The key usage specifies the [encryption algorithm](/identity-and-access-management/key-manager/concepts/#encryption-algorithm) used to create subsequent key versions, and the **scope of cryptographic operations** supported by the key. Keys with a key usage set to `symmetric_encryption` are **used to encrypt and decrypt data**. -Key Manager currently **only supports the `AES-256-GCM` key algorithm**. The following parameters, in compliance with the [recommendations of ANSSI](https://cyber.gouv.fr/publications/mecanismes-cryptographiques), are used when creating and using a key with the `AES-256 GCM` algorithm. 
+ -### Key derivation algorithm +The following parameters, in compliance with the [recommendations of ANSSI](https://cyber.gouv.fr/publications/mecanismes-cryptographiques), are used when creating and using a key with the `AES-256 GCM` [encryption scheme](/identity-and-access-management/key-manager/concepts/#encryption-scheme). -HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869 with SHA-256 as hash algorithm. +### Key derivation algorithm +Key Manager uses HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in [RFC 5869](https://datatracker.ietf.org/doc/html/rfc5869) with [SHA-256](https://www.rfc-editor.org/rfc/rfc4868.html#section-2) as hash function. ### Key material -A sequence of 256-bits is created from a cryptographically secure random number generator, drawing its entropy from a `/dev/urandom` source. This key material is fed into the key derivation algorithm to create a new key version. +Key Manager generates a 256-bit key using a cryptographically secure random number generator that draws entropy from the `/dev/urandom` source. This key is then used in a key derivation algorithm to generate a new key version. ### Key version length -A key version length of 256 bits. +The key version has a length of 256 bits, ensuring strong cryptographic security. ### Block cipher -Galois Counter Mode (GCM) with a block size of 128-bits. +For encryption, Key Manager uses the Galois/Counter Mode (GCM), which is a mode of operation for block ciphers, with a block size of 128 bits. GCM encrypts your plaintext data using AES, and authenticates it using a unique "tag". This means that if anyone tampers with your data, you will know because the tag will not match anymore. diff --git a/macros/key-manager/encryption.mdx b/macros/key-manager/encryption.mdx new file mode 100644 index 0000000000..51b88c08cb --- /dev/null +++ b/macros/key-manager/encryption.mdx 
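Review bot: the "Create a key" bullet in the new "Management methods you can use with Key Manager" list is split by an unindented paragraph, "Upon key creation, Key Manager automatically creates a first key version.", which terminates the list and makes "- Retrieve a key" start a new one; indent that sentence under the bullet or fold it into it. Typo in added text: "retunred" (returned). The SHA-256 link under "Key derivation algorithm" points at RFC 4868 section 2, which specifies HMAC-SHA-256 for IPsec rather than the hash function; FIPS 180-4 (or RFC 6234) is the reference for SHA-256, and RFC 5869, already linked, covers the HMAC construction. As in the FAQ hunk, the removed line "Key Manager currently **only supports the `AES-256-GCM` key algorithm**" is replaced by a line shown here as an empty `+ `; confirm the macro include is present, since otherwise the section no longer names the supported scheme before "The following parameters ... are used when creating and using a key with the `AES-256 GCM` [encryption scheme]", a sentence that also spells the scheme `AES-256 GCM` while the concepts page and the macro use `AES-256-GCM`.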
@@ -0,0 +1,5 @@ +--- +macro: key-manager-encryption +--- + +**Key Manager only supports the `AES-256-GCM` [encryption scheme](/identity-and-access-management/key-manager/concepts/#encryption-scheme).** \ No newline at end of file From d746a499e9a2132972a75acab89aabc76fd6cd54 Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Thu, 2 Jan 2025 15:17:18 +0100 Subject: [PATCH 3/8] docs(key-manager): dates & menu --- .../api-cli/create-dek-api-cli.mdx | 10 +- ...decrypt-keys-with-streaming-aead-tink.mdx} | 8 +- .../api-cli/manage-keys-with-tink.mdx | 9 +- .../api-cli/rotate-keys-api-cli.mdx | 4 +- .../key-manager/concepts.mdx | 2 +- .../key-manager/how-to/create-km-key.mdx | 4 +- .../{delete-key.mdx => delete-km-key.mdx} | 4 +- .../{disable-key.mdx => disable-km-key.mdx} | 4 +- .../key-manager/how-to/manage-dek.mdx | 9 +- .../{rotate-keys.mdx => rotate-km-keys.mdx} | 8 +- .../key-manager/quickstart.mdx | 42 ++++++++- .../differences-key-and-secret-manager.mdx | 13 ++- .../security-recommendations.mdx | 8 +- .../understanding-key-manager.mdx | 4 +- menu/navigation.json | 92 +++++++++++++++++++ 15 files changed, 179 insertions(+), 42 deletions(-) rename identity-and-access-management/key-manager/api-cli/{use-streaming-aead-tink-key-manager.mdx => encrypt-decrypt-keys-with-streaming-aead-tink.mdx} (97%) rename identity-and-access-management/key-manager/how-to/{delete-key.mdx => delete-km-key.mdx} (96%) rename identity-and-access-management/key-manager/how-to/{disable-key.mdx => disable-km-key.mdx} (96%) rename identity-and-access-management/key-manager/how-to/{rotate-keys.mdx => rotate-km-keys.mdx} (93%) diff --git a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx index 8b0c224cf5..94f05a4a78 100644 --- a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx +++ b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx 
@@ -1,16 +1,16 @@ --- meta: - title: Create a data encryption key using the Scaleway API and the Scaleway CLI + title: Creating a data encryption key using the Scaleway API and the Scaleway CLI description: Discover how to create a data encryption key using the Scaleway API and the Scaleway CLI. content: - h1: Create a data encryption key using the Scaleway API and the Scaleway CLI + h1: Creating a data encryption key using the Scaleway API and the Scaleway CLI paragraph: Discover how to create a data encryption key using the Scaleway API and the Scaleway CLI. tags: key-management dek data-encryption-key cli sdk api encryption +dates: + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management -dates: - validation: 2024-12-09 - posted: 2024-12-09 --- diff --git a/identity-and-access-management/key-manager/api-cli/use-streaming-aead-tink-key-manager.mdx b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx similarity index 97% rename from identity-and-access-management/key-manager/api-cli/use-streaming-aead-tink-key-manager.mdx rename to identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx index cdc9a93dcf..3235fac1e8 100644 --- a/identity-and-access-management/key-manager/api-cli/use-streaming-aead-tink-key-manager.mdx +++ b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx 
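Review bot: this commit renames delete-key.mdx, disable-key.mdx, rotate-keys.mdx and use-streaming-aead-tink-key-manager.mdx, but the diffstat lists only menu/navigation.json among non-renamed navigation files and no change to how-to/index.mdx or api-cli/index.mdx; check those index pages and any other inbound links for the old file names, since a rename without updating them leaves dead links. Also, `posted:` in create-dek-api-cli.mdx moves from 2024-12-09 to 2025-01-06 together with `validation:`; if the page is still unpublished that is fine, otherwise `posted` should keep the original publication date and only `validation` should be bumped.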
@@ -1,14 +1,14 @@ --- meta: -title: How to use Streaming AEAD with Tink and Key Manager +title: Encrypting and decrypting data streams with Streaming AEAD, Tink and Key Manager description: Discover how to encrypt and decrypt large data streams with Streaming AEAD, Tink and Key Manager content: -h1: How to use Streaming AEAD with Tink and Key Manager +h1: Encrypting and decrypting data streams with Streaming AEAD, Tink and Key Manager paragraph: Discover how to encrypt and decrypt large data streams with Streaming AEAD, Tink and Key Manager tags: key sensitive-data tink aead streaming encryption decryption dates: -validation: 2024-10-03 -posted: 2024-10-03 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- diff --git a/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx b/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx index 719b52e32f..67bdd4d21d 100644 --- a/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx +++ b/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx @@ -1,13 +1,16 @@ --- meta: - title: Using Tink with the Scaleway Key Manager + title: Managing your Key Manager keys using Tink description: Discover essential concepts of Scaleway Key Manager and how to use it effectively with the Tink Go library content: - h1: Using Tink with the Scaleway Key Manager + h1: Managing your Key Manager keys using Tink paragraph: Discover essential concepts of Scaleway Key Manager, including Key Encryption Keys and Data Encryption Keys tags: key-manager encryption kms key-management-service cryptographic dates: - validation: 2024-09-20 + validation: 2025-01-06 + posted: 2025-01-06 +categories: + - identity-and-access-management --- This documentation page provides information on Key Manager Key Encryption Keys (KEKs) and Data Encryption Keys (DEKs), and how to use them with the Tink Go library. 
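Review bot: in the encrypt-decrypt-keys-with-streaming-aead-tink.mdx hunk the `dates:` children are re-indented (`+ validation: 2025-01-06`, `+ posted: 2025-01-06`), but the sibling keys `-title:`/`+title:` under `meta:` and `-h1:`/`+h1:` under `content:` are rewritten and left unindented; unindented keys are not children of `meta:` or `content:` in YAML, so indent them in the same pass (the create-dek-api-cli.mdx and manage-keys-with-tink.mdx hunks in this commit show the indented form). The same applies to the unindented `h1: Perform key rotation using the Scaleway CLI and API` context in the rotate-keys-api-cli.mdx hunk that follows. For manage-keys-with-tink.mdx, `posted: 2025-01-06` is added to a file whose previous `validation: 2024-09-20` shows the content predates that date; use the earlier posting date if it is known.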
diff --git a/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx b/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx index 0764dc7d6c..e933986a20 100644 --- a/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx +++ b/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx @@ -7,8 +7,8 @@ h1: Perform key rotation using the Scaleway CLI and API paragraph: Find out how to rotate keys, and why you should adopt this practice. tags: key sensitive-data rotation dates: -validation: 2024-10-07 -posted: 2024-10-07 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- diff --git a/identity-and-access-management/key-manager/concepts.mdx b/identity-and-access-management/key-manager/concepts.mdx index 7f78c8a0ac..d4f7f971c7 100644 --- a/identity-and-access-management/key-manager/concepts.mdx +++ b/identity-and-access-management/key-manager/concepts.mdx @@ -7,7 +7,7 @@ content: paragraph: Discover essential concepts of Scaleway Key Manager. tags: key-manager key encryption-key dates: - validation: 2024-12-09 + validation: 2025-01-06 --- ## Asymmetric encryption diff --git a/identity-and-access-management/key-manager/how-to/create-km-key.mdx b/identity-and-access-management/key-manager/how-to/create-km-key.mdx index 043b15ae0f..f284e7b09a 100644 --- a/identity-and-access-management/key-manager/how-to/create-km-key.mdx +++ b/identity-and-access-management/key-manager/how-to/create-km-key.mdx @@ -7,8 +7,8 @@ content: paragraph: Discover how to create a key from the Scaleway console to decrypt your data using Scaleway's Key Manager. tags: key-manager encryption data key dates: - validation: 2024-12-09 - posted: 2024-12-09 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- 
diff --git a/identity-and-access-management/key-manager/how-to/delete-key.mdx b/identity-and-access-management/key-manager/how-to/delete-km-key.mdx similarity index 96% rename from identity-and-access-management/key-manager/how-to/delete-key.mdx rename to identity-and-access-management/key-manager/how-to/delete-km-key.mdx index f4c60fbfdf..05611f4c57 100644 --- a/identity-and-access-management/key-manager/how-to/delete-key.mdx +++ b/identity-and-access-management/key-manager/how-to/delete-km-key.mdx @@ -7,8 +7,8 @@ content: paragraph: Discover how to delete a Key Manager key from the Scaleway console. tags: key-manager delete key dates: - validation: 2024-12-09 - posted: 2024-12-09 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- diff --git a/identity-and-access-management/key-manager/how-to/disable-key.mdx b/identity-and-access-management/key-manager/how-to/disable-km-key.mdx similarity index 96% rename from identity-and-access-management/key-manager/how-to/disable-key.mdx rename to identity-and-access-management/key-manager/how-to/disable-km-key.mdx index 4a5578cadf..2ac5bd31a5 100644 --- a/identity-and-access-management/key-manager/how-to/disable-key.mdx +++ b/identity-and-access-management/key-manager/how-to/disable-km-key.mdx @@ -7,8 +7,8 @@ content: paragraph: Discover how to disable a Key Manager key from the Scaleway console. tags: key-manager disable key dates: - validation: 2024-12-09 - posted: 2024-12-09 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- diff --git a/identity-and-access-management/key-manager/how-to/manage-dek.mdx b/identity-and-access-management/key-manager/how-to/manage-dek.mdx index d4732fb3de..41952cf62d 100644 --- a/identity-and-access-management/key-manager/how-to/manage-dek.mdx +++ b/identity-and-access-management/key-manager/how-to/manage-dek.mdx 
@@ -1,18 +1,17 @@ --- meta: - title: Create a Key Manager data encryption key + title: Create and manage a Key Manager data encryption key description: Discover how to create a data encryption key from the Scaleway console to encrypt and decrypt your payloads using Scaleway's Key Manager. content: - h1: Create a Key Manager data encryption key + h1: Create and manage a Key Manager data encryption key paragraph: Discover how to create a data encryption key from the Scaleway console to encrypt and decrypt your payloads using Scaleway's Key Manager. tags: key-manager data-encryption-key data key payload encryption dates: - validation: 2024-12-11 - posted: 2024-12-11 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- - Scaleway's key Manager allows you to create [data encryption keys (DEK)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) to encrypt and decrypt your [payload](/identity-and-access-management/key-manager/concepts/#payload). You can then use your Key Manager key to encrypt your DEK. diff --git a/identity-and-access-management/key-manager/how-to/rotate-keys.mdx b/identity-and-access-management/key-manager/how-to/rotate-km-keys.mdx similarity index 93% rename from identity-and-access-management/key-manager/how-to/rotate-keys.mdx rename to identity-and-access-management/key-manager/how-to/rotate-km-keys.mdx index 3d387e98a4..400d5e5c23 100644 --- a/identity-and-access-management/key-manager/how-to/rotate-keys.mdx +++ b/identity-and-access-management/key-manager/how-to/rotate-km-keys.mdx 
@@ -3,12 +3,12 @@ meta: title: Perform key rotation using the Scaleway console description: Discover how to rotate a key from the Scaleway console to decrypt your data using Scaleway's Key Manager. content: - h1: Create a Key Manager key + h1: Perform key rotation using the Scaleway console paragraph: Discover how to rotate a key from the Scaleway console to decrypt your data using Scaleway's Key Manager. tags: key-manager encryption data key dates: - validation: 2024-12-09 - posted: 2024-12-09 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- @@ -23,6 +23,8 @@ This reduces the risk of exposure if a key is compromised, thus enhancing the ov - [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization - [Created](/identity-and-access-management/key-manager/how-to/create-km-key/) a Key Manager key +## How to perform key rotation + 1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. Your keys display. 2. Click the key to perform the rotation on. Your key's **Overview** tab displays. 3. Scroll down to the **Key rotation** section, and click **Rotate key**. A tooltip displays to confirm the rotation was performed. diff --git a/identity-and-access-management/key-manager/quickstart.mdx b/identity-and-access-management/key-manager/quickstart.mdx index 7e7f588a85..6c35943a63 100644 --- a/identity-and-access-management/key-manager/quickstart.mdx +++ b/identity-and-access-management/key-manager/quickstart.mdx 
@@ -6,8 +6,10 @@ content: h1: Quickstart paragraph: Learn how to quickly set up and manage keys with Scaleway's Key Manager. Follow our step-by-step guide to create keys. dates: - validation: 2024-12-09 - posted: 2024-12-09 + validation: 2025-01-06 + posted: 2025-01-06 +categories: + - identity-and-access-management --- Scaleway's Key Manager allows you to create key encryption keys from the [Scaleway console](https://console.scaleway.com). Key encryption keys can then be used to encrypt and decrypt your encrypted data. 
@@ -17,4 +19,40 @@ Scaleway's Key Manager allows you to create key encryption keys from the [Scalew - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +## How to create a Key Manager key +1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. +2. Click **+ Create key**. +3. Choose the region in which you want to create your key. +4. Enter a name, a description, and optional tags for your key. +5. Select the [encryption method](/identity-and-access-management/key-manager/concepts/#encryption-method) for your key. + + + Key Manager currently only supports the `AES-256 GCM` [symmetric encryption](/identity-and-access-management/key-manager/concepts/#symmetric-encryption) algorithm. + +6. Switch the icon to disable [key protection](/identity-and-access-management/key-manager/concepts/#key-protection) or leave it enabled. + + Key protection allows you to protect your key from accidental deletion. + +7. Click **Create key**. Your key's **Overview** page displays. + +## How to create and manage a data encryption key (DEK) + + + +1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. Your keys display. +2. Click the key for which to create a data encryption key. +3. Scroll down to the **Generate data encryption key** section. +4. Click **Generate data encryption key**. A pop-up displays with the [ciphertext](/identity-and-access-management/key-manager/concepts/#ciphertext) of your DEK. +5. Copy and store your DEK's ciphertext safely. 
+ + - We recommend that you **always store the ciphertext** of your data encryption key rather than its [plaintext](/identity-and-access-management/key-manager/concepts/#plaintext). + - While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. **You must use and manage data encryption keys outside of Key Manager**. + - Read our [documentation](/identity-and-access-management/key-manager/reference-content/understanding-key-manager/) to understand Key Manager. + +6. Optionally, click **Display plaintext** to make sure that the plaintext does not contain any mistakes. +7. Click **Close**. + + + You are responsible for storing your DEKS, as Key Manager does not store them for you. + \ No newline at end of file diff --git a/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx b/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx index 3c24a2966d..e340e047e7 100644 --- a/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx +++ b/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx 
@@ -1,13 +1,16 @@ --- meta: - title: What is the difference between Key Manager and Secret Manager? + title: Understanding the difference between Key Manager and Secret Manager description: Learn the differences between Key Manager and Secret Manager and which one to use according to your needs content: - h1: What is the difference between Key Manager and Secret Manager? + h1: Understanding the difference between Key Manager and Secret Manager paragraph: Learn the differences between Key Manager and Secret Manager and which one to use according to your needs tags: key-manager secret-manager security dates: - validation: 2024-10-07 + validation: 2025-01-06 + posted: 2025-01-06 +categories: + - identity-and-access-management --- 
@@ -50,13 +53,13 @@ the ciphertext to be decrypted. Your application is no longer responsible for ma Last, but not least, Key Manager provides another way of authorizing certain actions. You might want to authorize some principals only to encrypt data, and others only to decrypt data. -Let's take the example of an application that receives sensitive health data that needs to be encrypted before being inserted into a database.The application would be able to ask Key Manager +Let us take the example of an application that receives sensitive health data that needs to be encrypted before being inserted into a database.The application would be able to ask Key Manager to carry out encryption operations, but not decryption operations, so it cannot read the sensitive data already stored. This would not be possible to achieve with Secret Manager, since both writing and reading applications would need permissions to read the key from Secret Manager, which is sufficient to both encrypt and decrypt the data. -## Conclusion +## Additional note Cryptographic keys are secrets that need special care, and Key Manager is an effective tool to help you manage them securely. Key Manager allows your applications to offload all sensitive cryptographic operations and keep keys out-of-band for extra security. diff --git a/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx b/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx index f1379ff318..c86295a85a 100644 --- a/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx +++ b/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx 
@@ -1,14 +1,14 @@ --- meta: - title: Security measures to be aware of when using Key Manager + title: Understanding security measures when using Key Manager description: Discover how to enjoy Key Manager and data encryption and decryption securely. content: - h1: Security measures to be aware of when using Key Manager + h1: Understanding security measures when using Key Manager paragraph: Discover how to enjoy Key Manager and data encryption and decryption securely. tags: key-manager security-measures security encryption decryption dates: - validation: 2024-12-09 - posted: 2024-12-09 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- diff --git a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx index 42250cda1e..613a7d9384 100644 --- a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx +++ b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx @@ -7,8 +7,8 @@ content: paragraph: Discover the robust encryption methods used by Secret Manager to safeguard sensitive data effectively. Learn about the Hierarchical Key Management System and its pivotal role in securing encryption keys and data integrity. tags: key-manager encryption data key dates: - validation: 2024-12-11 - posted: 2024-12-11 + validation: 2025-01-06 + posted: 2025-01-06 categories: - identity-and-access-management --- diff --git a/menu/navigation.json b/menu/navigation.json index 878229680e..4ac18046be 100644 --- a/menu/navigation.json +++ b/menu/navigation.json 
@@ -493,6 +493,98 @@ "label": "Audit Trail", "slug": "audit-trail" }, + { + "items": [ + { + "label": "Overview", + "slug": "../key-manager" + }, + { + "label": "Concepts", + "slug": "concepts" + }, + { + "label": "Quickstart", + "slug": "quickstart" + }, + { + "label": "FAQ", + "slug": "../../faq/key-manager" + }, + { + "items": [ + { + "label": "Create a Key Manager key", + "slug": "create-km-key" + }, + { + "label": "Create and manage a Key Manager data encryption key", + "slug": "manage-dek" + }, + { + "label": "Perform key rotation on Key Manager keys", + "slug": "rotate-km-keys" + }, + { + "label": "Disable Key Manager keys", + "slug": "disable-km-key" + }, + { + "label": "Delete Key Manager keys", + "slug": "delete-km-key" + } + ], + "label": "How to", + "slug": "how-to" + }, + { + "items": [ + { + "label": "Understanding security measures when using Key Manager", + "slug": "security-recommendations" + }, + { + "label": "Understanding Key Manager", + "slug": "understanding-key-manager" + }, + { + "label": "Understanding the difference between Key Manager and Secret Manager", + "slug": "differences-key-and-secret-manager" + } + ], + "label": "Additional Content", + "slug": "reference-content" + }, + { + "items": [ + { + "label": "Key Manager API Reference", + "slug": "https://www.scaleway.com/en/developers/api/key-manager/" + }, + { + "label": "Creating a data encryption key using the Scaleway API and the Scaleway CLI", + "slug": "create-dek-api-cli" + }, + { + "label": "Managing your Key Manager keys using Tink", + "slug": "manage-keys-with-tink" + }, + { + "label": "Perform key rotation using the Scaleway CLI and API", + "slug": "rotate-keys-api-cli" + }, + { + "label": "Encrypting and decrypting data streams with Streaming AEAD, Tink and Key Manager", + "slug": "encrypt-decrypt-keys-with-streaming-aead-tink" + } + ], + "label": "API/CLI", + "slug": "api-cli" + } + ], + "label": "Key Manager", + "slug": "key-manager" + }, { "items": [ { 
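Review bot: In the create-dek-api-cli.mdx frontmatter hunk (`@@ -1,16 +1,16 @@`), `posted` is rewritten from 2024-12-09 to 2025-01-06 together with `validation`, which erases the original publication date; the same pattern repeats in the rotate-keys-api-cli, create-km-key, delete-km-key, disable-km-key, manage-dek, rotate-km-keys, quickstart, security-recommendations and understanding-key-manager hunks. Bump `validation` only and keep `posted` at the date the page first went live. In manage-keys-with-tink.mdx and differences-key-and-secret-manager.mdx the newly added `posted: 2025-01-06` is even later than the `validation: 2024-09-20` / `2024-10-07` those files carried before this change, which cannot be right.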
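Review bot: The rename of use-streaming-aead-tink-key-manager.mdx to encrypt-decrypt-keys-with-streaming-aead-tink.mdx puts "keys" in the slug, but the new title and description say the page encrypts and decrypts large data streams, not keys. A slug such as `encrypt-decrypt-data-streams-with-streaming-aead-tink` would match the content; the matching entry in the navigation.json hunk would need the same change.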
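Review bot: The renames delete-key.mdx to delete-km-key.mdx, disable-key.mdx to disable-km-key.mdx and rotate-keys.mdx to rotate-km-keys.mdx change published URLs. Please confirm that no other page still links to `/how-to/delete-key/`, `/how-to/disable-key/` or `/how-to/rotate-keys/`, and add redirects for the old paths if the docs site supports them, since the old files were already shipped in an earlier commit of this series.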
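Review bot: In the manage-dek.mdx hunk (`@@ -1,18 +1,17 @@`) the unchanged context line reads "Scaleway's key Manager allows you to create..." with a lowercase "key"; since the file is being touched anyway, fix it to "Key Manager" to match the product name used everywhere else in the patch.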
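Review bot: In the rotate-km-keys.mdx hunk the h1 fix is correct, but the context lines show `description` and `paragraph` still reading "Discover how to rotate a key from the Scaleway console to decrypt your data using Scaleway's Key Manager", which looks copy-pasted from create-km-key.mdx (same wording, same `tags: key-manager encryption data key`). Key rotation does not decrypt data; reword to something like "Discover how to rotate a Key Manager key from the Scaleway console and why regular rotation reduces exposure if a key is compromised", which is what the page body already says.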
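Review bot: The quickstart.mdx hunk (`@@ -17,4 +19,40 @@`) needs a few fixes. "You are responsible for storing your DEKS" should read "DEKs". The file ends without a trailing newline (`\ No newline at end of file`); add one. Step 6 ("click **Display plaintext** to make sure that the plaintext does not contain any mistakes") sits directly under a note recommending that users always store the ciphertext rather than the plaintext, and the plaintext is generated by Key Manager rather than typed in, so the stated rationale does not hold; either drop the step or state plainly that displaying the plaintext reveals the key material on screen and should only be done when the plaintext is actually needed. Finally, the three consecutive blank `+` lines after "## How to create and manage a data encryption key (DEK)" can be reduced to one.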
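Review bot: In the differences-key-and-secret-manager.mdx hunk (`@@ -50,13 +53,13 @@`) the rewritten line still contains "database.The application" with no space after the full stop; fix it while the line is being changed. Renaming "## Conclusion" to "## Additional note" also mislabels the section: the paragraph under it summarises the comparison, so "Conclusion" or "Summary" describes it better than "Additional note".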
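Review bot: In the understanding-key-manager.mdx hunk the context line `paragraph: Discover the robust encryption methods used by Secret Manager to safeguard sensitive data effectively.` names Secret Manager on a Key Manager page; this looks like a copy-paste from the Secret Manager docs and should say Key Manager.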
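Review bot: In the navigation.json hunk (`@@ -493,6 +493,98 @@`) several labels do not match the h1 of the page they point to: "Perform key rotation on Key Manager keys" vs the page's "Perform key rotation using the Scaleway console", and "Disable Key Manager keys" / "Delete Key Manager keys" (plural) vs how-to pages about disabling or deleting a single key. The API/CLI list also mixes gerund titles ("Creating a data encryption key...", "Managing your Key Manager keys using Tink", "Encrypting and decrypting data streams...") with an imperative one ("Perform key rotation using the Scaleway CLI and API"), which mirrors the inconsistency introduced in the title hunks above; pick one form and apply it to both the page titles and the menu labels.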
From 3aea8a0f5a51604c0043e4c82aedbe48b9e4e256 Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Thu, 2 Jan 2025 15:55:56 +0100 Subject: [PATCH 4/8] docs(key-manager): seo descriptions --- faq/key-manager.mdx | 4 ++-- .../key-manager/api-cli/create-dek-api-cli.mdx | 4 ++-- ...pt-decrypt-keys-with-streaming-aead-tink.mdx | 4 ++-- .../api-cli/manage-keys-with-tink.mdx | 4 ++-- .../key-manager/api-cli/rotate-keys-api-cli.mdx | 4 ++-- .../key-manager/concepts.mdx | 4 ++-- .../{manage-dek.mdx => create-manage-dek.mdx} | 0 .../key-manager/quickstart.mdx | 5 ++--- .../assets/scaleway-key-manager.webp | Bin 0 -> 28656 bytes .../differences-key-and-secret-manager.mdx | 4 ++-- .../security-recommendations.mdx | 4 ++-- .../understanding-key-manager.mdx | 6 ++++-- menu/navigation.json | 2 +- 13 files changed, 23 insertions(+), 22 deletions(-) rename identity-and-access-management/key-manager/how-to/{manage-dek.mdx => create-manage-dek.mdx} (100%) create mode 100644 identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager.webp diff --git a/faq/key-manager.mdx b/faq/key-manager.mdx index e2690ba23f..44a4a55a8b 100644 --- a/faq/key-manager.mdx +++ b/faq/key-manager.mdx @@ -5,9 +5,9 @@ meta: content: h1: Key Manager dates: - validation: 2024-12-11 + validation: 2025-01-06 category: identity-and-access-management -productIcon: AuditTrailProductIcon +productIcon: KeyManagerProductIcon --- ## Why should you use Scaleway Key Manager? diff --git a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx index 94f05a4a78..17bdb8dc1f 100644 --- a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx +++ b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx 
@@ -1,10 +1,10 @@ --- meta: title: Creating a data encryption key using the Scaleway API and the Scaleway CLI - description: Discover how to create a data encryption key using the Scaleway API and the Scaleway CLI. + description: Learn how to generate a data encryption key (DEK) using the Scaleway CLI or API, leveraging Key Manager with AES encryption for secure data handling. content: h1: Creating a data encryption key using the Scaleway API and the Scaleway CLI - paragraph: Discover how to create a data encryption key using the Scaleway API and the Scaleway CLI. + paragraph: Learn how to generate a data encryption key (DEK) using the Scaleway CLI or API, leveraging Key Manager with AES encryption for secure data handling. tags: key-management dek data-encryption-key cli sdk api encryption dates: validation: 2025-01-06 diff --git a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx index 3235fac1e8..c05b55eae1 100644 --- a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx +++ b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx 
@@ -1,10 +1,10 @@ --- meta: title: Encrypting and decrypting data streams with Streaming AEAD, Tink and Key Manager -description: Discover how to encrypt and decrypt large data streams with Streaming AEAD, Tink and Key Manager +description: Learn how to use Key Manager with Tink for secure encryption and decryption of large data streams using AEAD in Go. content: h1: Encrypting and decrypting data streams with Streaming AEAD, Tink and Key Manager -paragraph: Discover how to encrypt and decrypt large data streams with Streaming AEAD, Tink and Key Manager +paragraph: Learn how to use Key Manager with Tink for secure encryption and decryption of large data streams using AEAD in Go. tags: key sensitive-data tink aead streaming encryption decryption dates: validation: 2025-01-06 diff --git a/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx b/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx index 67bdd4d21d..8081128a79 100644 --- a/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx +++ b/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx @@ -1,10 +1,10 @@ --- meta: title: Managing your Key Manager keys using Tink - description: Discover essential concepts of Scaleway Key Manager and how to use it effectively with the Tink Go library + description: Learn how to use Tink with Scaleway's Key Manager to securely encrypt and manage keys, including KEKs and DEKs, in Go applications. content: h1: Managing your Key Manager keys using Tink - paragraph: Discover essential concepts of Scaleway Key Manager, including Key Encryption Keys and Data Encryption Keys + paragraph: Learn how to use Tink with Scaleway's Key Manager to securely encrypt and manage keys, including KEKs and DEKs, in Go applications. tags: key-manager encryption kms key-management-service cryptographic dates: validation: 2025-01-06 
diff --git a/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx b/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx index e933986a20..0aabfc3a84 100644 --- a/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx +++ b/identity-and-access-management/key-manager/api-cli/rotate-keys-api-cli.mdx @@ -1,10 +1,10 @@ --- meta: title: Perform key rotation using the Scaleway CLI and API -description: Find out how to rotate keys, and why you should adopt this practice. +description: Learn why key rotation enhances security and how to configure automated or manual key rotation in Scaleway's Key Manager. content: h1: Perform key rotation using the Scaleway CLI and API -paragraph: Find out how to rotate keys, and why you should adopt this practice. +paragraph: Learn why key rotation enhances security and how to configure automated or manual key rotation in Scaleway's Key Manager. tags: key sensitive-data rotation dates: validation: 2025-01-06 diff --git a/identity-and-access-management/key-manager/concepts.mdx b/identity-and-access-management/key-manager/concepts.mdx index d4f7f971c7..040c891ca6 100644 --- a/identity-and-access-management/key-manager/concepts.mdx +++ b/identity-and-access-management/key-manager/concepts.mdx 
@@ -1,10 +1,10 @@ --- meta: title: Key Manager - Concepts - description: Discover essential concepts of Scaleway Key Manager. + description: Explore essential cryptographic concepts, including symmetric and asymmetric encryption, data encryption keys (DEKs), key encryption keys (KEKs), and Scaleway Key Manager's robust features for secure key management and encryption operations. content: h1: Concepts - paragraph: Discover essential concepts of Scaleway Key Manager. + paragraph: Explore essential cryptographic concepts, including symmetric and asymmetric encryption, data encryption keys (DEKs), key encryption keys (KEKs), and Scaleway Key Manager's robust features for secure key management and encryption operations. tags: key-manager key encryption-key dates: validation: 2025-01-06 diff --git a/identity-and-access-management/key-manager/how-to/manage-dek.mdx b/identity-and-access-management/key-manager/how-to/create-manage-dek.mdx similarity index 100% rename from identity-and-access-management/key-manager/how-to/manage-dek.mdx rename to identity-and-access-management/key-manager/how-to/create-manage-dek.mdx diff --git a/identity-and-access-management/key-manager/quickstart.mdx b/identity-and-access-management/key-manager/quickstart.mdx index 6c35943a63..88631f22c2 100644 --- a/identity-and-access-management/key-manager/quickstart.mdx +++ b/identity-and-access-management/key-manager/quickstart.mdx 
@@ -1,10 +1,10 @@ --- meta: title: Key Manager - Quickstart - description: Learn how to quickly set up and manage keys with Scaleway's Key Manager. Follow our step-by-step guide to create keys. + description: Learn how to quickly set up and manage keys with Scaleway's Key Manager. Follow our step-by-step guide to create and manage keys. content: h1: Quickstart - paragraph: Learn how to quickly set up and manage keys with Scaleway's Key Manager. Follow our step-by-step guide to create keys. + paragraph: Learn how to quickly set up and manage keys with Scaleway's Key Manager. Follow our step-by-step guide to create and manage keys. dates: validation: 2025-01-06 posted: 2025-01-06 @@ -39,7 +39,6 @@ Scaleway's Key Manager allows you to create key encryption keys from the [Scalew ## How to create and manage a data encryption key (DEK) - 1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. Your keys display. 2. Click the key for which to create a data encryption key. 3. Scroll down to the **Generate data encryption key** section. 
diff --git a/identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager.webp b/identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager.webp new file mode 100644 index 0000000000000000000000000000000000000000..aea4f39151d79f4dc94ab3668fd7e2949224b4bd GIT binary patch literal 28656
z5YP_lkrhpi^&DDqbbogZgRtiGADzaAp$+4pkkDF6^P2(bt*BKg`t}K2KM^P6Bi6{M_4qJ1lu0al z&Udo)42RY^WOp!VfbV%BB0klTGR8IeV%6>V+}D%OIl&3|*9DUQejNH|ti5kfcSapk zsvH>JeQ{vtCT;45vI1*%akbL(zBW4tEu1$q&S1^=SL+M6MuL>~Cc7YEb98Y<{hsNc zSvh%1;3X_~?*NaBcc1hAYTQ8?#^T`8;bYL#biYyelF07rXCl zegEG4aL23o-H!c}vb*L;b8h*IxYe_@4GXNb^Nnk+-#$Y8YBx=+$^(;QOPoUPl8?i{f1=qw?sS} z4Y8(P6m;fol$S1waS-~E#@1jr%Gn_g6w&p1U^o&fDhT;7Em2tfB|c5IwEH$w;~B}V zkO$miJhD9M$6=TuCjytNPgb_Oo~WR};Wr*{b<4C7ifyh3?!_4r=X5+|JXHR~r3E&x zGG}hkRWS8h(?9uySXJUDCp^vwJ?P*UO1-q1D(YL2#d=x#OHAFy4^WX(7o^WynC}~x z*!XWOLQY^+{QWYda7XUf&tH2Ik*x~~s+R#*ddV5sMLx)VZ?Is-tI@`a5Qk>5C+TPW ztQtwLSvp@KN*s>b5Tw-q*f1`;{*;LRj%+=r!0D4Ui_eW$7(`4B2m5g_7KegJ1OR#r-Q1KW-kq*pAMQca#*!5T z!ulH(!H><6e2L!}$vAc3nxPvtjT^eeX};J%am52~_b z0!^u74~^mV!yJ|wR}ZXdBxK5BYY5(avvG(fbdW_vj^Uf017`d->fl=Vp?A_jDoks& zX0M2L%zV+WL9B|HQioviQ=nDnb^0_Km>?r{VZ&gx6`E~eA~>*iJ|HzQf8nkSzx?5D z#edA2*v&86FvCiwXBvcr=1YaeY8~(G$p@=(dw*&}9g7<>LKJAf&^jX8kMB4~0MVRa z%m;GVVd~|4S~f;SN7OJC%1ir8pZpb&pZj*qVccRn{2{|dCk)DJ=9gfK#xN!@ULXJa zrq>FVAzd9V1XG1V@H+u0#`g{ex*m|oHTotTl~WPG)rO!X4zM6zI`B!P+^wWUQ=&A; z7xn3-N`RICDPD7%ZFeSyLp zH@-L8F!(;4W)b~Ql-*+=)H?H5rfuvV`a)-lJ}N_#WA6u!~-vKF!RVkbB8w@Mu2gy@1zQ zU@2V7hcCm2pl0-_nPAXge-D=M%1v2(el31vA1O%nm;u$=Wx2P6s0umspRA-VF4Y_q zhvarp5ciHgetOyGHCQ5A3D$4Fl~WJ%1yfkyg0$bP|2cXx))vMMmS=awG8R;X?}$I$ zGZQh}4%#+Zqa}^5ZZ<8_H!Lc6d|-8OE1t`R zkP7n!L&XTSOGWY0{z&&4+o*TF30KYd=5%R#LzU4)Xw?E$itdI=@K|biT0%gOTpL1W z4SvoK5xN7AC?^mm9OqxTJuW*4c(d=+4{m2hoIa?(wo_~+zg>5zWic?B1eO(+fL}Ur z)^ge(tO=Jlc*U7M+;!W+_Y*mhx01e%7pPq|1^%=kY)ZY!HW#&;85QdMXI`E*_N2os zXk~R+Qkr*bya>Fta4!D@zPa$o*V(#TKM>OAgUX+QG(k{d+SUYqsM|v-#L4x?zGcww z&0ER5yUQeS21RkMZ^)_}eM43rS-%z3g2d->tfx_97OqNaaZLO^^*>4#1AkYV6rEXZ zFrQUh_ham3;N`Xz^10OdvrDd=L+;VsFtfK*!ET`bloD8r?MS2`13K;^n5Am={@A`-Rxf9l7wm9ey?J!-;k+-4klcyYUiTaM`7olKGaBmeG;u?@YlJ!d}@cg z1Lne+z%#Ls-I`o$ZZ4h7c(de`++P@hB! 
zs#uj1(0^lh?iTbAROQNls&)Xu_we_2l9_z&d4n#nmT!qXnLjWbB}e*8p#g^O^H}eB z>$yR!_ZS5y;@z#WtIPltfgbkqQZPwc9QW^G{X7qHeGOdNvcMdhcN!ob2rmx&W7vZSC_k@Z-B34;JAJ+LuPpWtWV zO)N523`t-Ux_5jkWR=M;lwOVEIdndCeOF9Uu^z*A!l1_6aAoVZB`l`P9**VOd^Y3Y z4Gmsa*jb(%=T)pA|WLSAX z%fTeBOS0XER*f)j{6DJu@_4A;|LsAjk)@(VF-l1kWsPJ_iI6n*H9~e-6GpPNSXwAb zmaH=v>)5i5LS)G{p)r_wzi@_j&!kuh-}Ky*~du^A9s~&Y5%W`#$&m zeqZnFy3W?v!liDccDT9GFy$Pm1rMD96}Ni8EBFz|)H>Jl(f$WvIf&qDb93dPK7xB+ z$j-XupgtXxaX!`=hQmJ^w9_ikj&b%Su^vR8-l$u(&QQq~ZuV}942z0d9b9=jcOU@U zIm#5qd1(ElUchip{=o0{FMNW2NuZd21Xd!8e1s%cuW?S4b86XXo4a<`ZW~fBX(EP% z_f9e$)-$~25%+S~*M2B?eqL^~eWjM^-GD`{DDrM!;p)Siwc@2wml}akbYa~0XM`%K z%s)X5f1L381_~FXte{IUI*6M~PK50adq&QBz?+<^6f(^(4MYGg)8!TOF<8cM&OL0& zx%W{$UbX((Tqld}Jnn84`W*6{bN?v8j%Nh5T=dqsD(ZHiwCW10XZwOdrNe)(D!oxa;Zm;rKe(z-!t`SKi z=})84vF^ktl6mCNq56d;@rpS-(hT`zlT~D$e6=YT&^lZeP=v5D%ZnHhMWK$?seKPO z-Kn>=Q}f})jTw`)^-c}T)#ERtYbO?mrI*<27_6XBFftUqKTRZj+v50%Pn{XOG+!}( zJ~l4nLRZtTjn!+9#z5CmZHTx#9XX8E_BV)`G#@x`;%~FKm*mkxUV19$Q+{l97gAZO zTOgPTBCWu#;Jww7$PWl%ExI34#nK(g&pve1WRVd(Qc~&_oV-uQhPb)74^v93D~&6R z%R=Dc2(?j6bI`XBxLzLrLlx+|HpeFuoS`fvn% z-^k)U|Mmzb!sZ!2i~7-a!)puucB&o$2zC}jYIY`$Fy<@9J7=LwZJ0R$NF+U%^DprG z->APz66IQJiEIo#S;GQO7Fr@+-1?$gW{bD^xq;KZT#KDMU@877aP)zckHr%#!*Jc- z<2b=U*7x_Z0STQle!#0<)=?YG1}q97Ux!ri;1Z8ae8R+(0*X-qkOhVJWmp-4*&kv^ z!Q`XCOko1l=;1x3LSgQ!{N#pe8R<5DaCHHEu0%1jZ;VWIQGRpa7+<0Gx)*;cVj2}Q0 z!_6_}^6GaCj2%iWBd^KFQ9?7C7(1#vBa4;}ZpZ}-N+`zcVFl+z;Wm$hi3IYpG-?)>M%fw|WqdFg9RobrxDG1?hSH~*G$5kV1h-<#=^DFJHY|<68{!Y0 z#$$v_!r545bMuSA1=QscCRis_sR(8XXnwm~r%8W=*)fe_dh9oC}Z5DzA0IQ7W;t##Xsq?`Wf ztL+^ZW=-|(DGkunEELX`ok8e=t*eu0>;nCAQCxEgV;-g@|=-p%Afm8XoKKM&k zti<(lF}sHSQ2_862GzCz^3Nbpe?8@5+>wN&OCuDoZWT1^RBQ+{NvI@m%=^^GuvB5; z$9-%3UyQHJI>KV%0B91(tC+GC7e5&wAUH+ZOwrqPUZ);93`>WD(=5rDZn8|yEz+;G za8S;?b?O&Z_jZNHO|TY&U}y!ftz_i-qKS zNop|qa8E1ChoyUimRiZiHVBuT(nncA1OAAwXU)In2CO0S7g4r);+Ia8uQkOhRyPvG z*9aY@Yo%3Vc%=$YTFfcS@rhlqJizjV(PIxQD@bc#x6H49^7y&mb8CX#bge~c_NcyY z@vBxvryqkM03~E=*|z(*McT9Ir10w#gU`~bWN*R;Wp^t(VktiGT(wUugYs+86rDHV 
zY>q26ri+g-R>I0Z7vq%rS5XROD!cm&OZ(z4^I_cg%Atb!x&#O31ks6~=chfMR zkHar~sl7(T4@Pv15r^MDWS&UXjNs&PO_m(od+uyUF;dNT1-)Gxp|kS8O9 zC!6fOvT!<}+ADv(EM*LR%WhTa4PU+YjlJ4WlwJwP>6#t;X;BRLV8Cw!kiC>8*Ba3^ zXnKdBl8LQn&}R7M`>iJqsa}a=4_uhq+EbrJfu9{PG=ET%?B-WF-GWLq-={kEhOB-&+M@XoK!wjLZd!eNG-IP zlFzozqo%o2-dHI~}1{cQi zm#f{%o4onb_6m#u<(4S8p;jQAm42^>^G=jOl-5l(vnUgiyW!(5Z!Dbm4V;sm!p2** z^~#+|8XL`)_{H=U&b9}%4sn7{6F{nLrmtG;jB^?7()440BRzEDs!w?%TA z%^LOmH2w5vjN;em4Cq8H94b(N3Dv z&*dn&`C|=HO9$HdxY!U;QeAe5zv#+;KFRK{jipl#`g^D&rUs#3glh`xfa3yCHYaWM9@6 z`n6xp%TeC8`asfoD*Hy@Tyk@a-gm{C7xRiPO6#e97vWVV40nSWRmj@$6<5~>)}KD- zyd=+xD3F@R%l(%e@=hYjg&D%=y@^4e^zf<_Tb56jP67|I|MZu6*4{Ax(8 z4N4n3Z6R)WH%DpS@^Ne`fl6%KczY0W)lB_d+H})oI)rNe#CImJfcpIgFGOI=*uXwq5kqng*2UjuD!T}m<>8Ivd zU~`b^CjF~yKGEt|iuFSchvC&NG96V?YHd?)Dj9>(R4;Prt;SSD`EL)1MZWJ^!F?TC z*t6QZKX3^POC$8!0D4T0$B_OlFhY^ z)S$CZ5KJ#7bB5nehmTt}#56d3Eolrgtu`cOTpu;B)p1E;scC#ZIg#h;6A_wU9AwAl zb=pZ+T5VzkYk2X-6zNG&d{ABGI~_k|Fa14lK)40C$;Keo0`%fLs=I@IK%5wCxAaI* z;n_>x!J3hra2)Tv>qw~2`{`L%D=)SxTEGQ|liQ^mZuylT#nc_^=r%bF#P`#oBK)q2q`>DMH*L1& z);mY4B<@+(R*T4v5^j92I2HcNeRy$V2BiqMB+(YSbEPNkQ;qY4;uNOxi}N4nM^wJw z%n16aHM%N)q9izNa^mRx!Gm|HqF+UuORtx`9tbVA?+-1uV?A!meSDX4l@(yWI|#{^ z%a>R1e4DYqwZxRH9(AisNQ0bH&YLn|z}|_~K2}L6?4jK*t!FprQ(nv~oY!!@>AMN@ zuC2AmI^(#qo`992sE!F=NzKdvGPx3O4q%wWiaIN6+MAx*CLhi_UgLCIAB&}~eviNG zWbJ^%6sA(qELG@TTP8AndDCct!wy%)t1}Tl^O9qdbI_%ssQ5&R5mIPdk}7FAy$;=t44g zI<#?qeVf0>sL$`|ra9;-s!}JxCCVn}_&lracGDnB;!T zs?zA*TU-9ptLsYWv}!lU<-gfx}x1SV=xXvkV_I- zh`1B{W3kg4bu@7q31KBi_;HYMLouI0v5&fQ@A7A9Rf(iZ`?cw&SWni&Fk1<5OQrNW zd{-y(eq<>}&|h5dk)BbC59o!#zCrLCpvwF|M$zecfJrh~;$Ov(;5t{tndh$I2K2t* z^kQ*PK{lg!$QyH$DZzQ}X&X558Bq8VaLHl3f4g(igiO~2DwpNjfY$K63llrcVraiU zpzz0U?U$tq74O9o&EYj{H91CS1ZL2cikyKQ8xc9qZi8pqTI*WN_|V506qA z0ZNJS^Qa~Q*9o(1paf`g?pprnJk8^o2Mi}%2j87bBPju-Xs*t+a?p&51 zK_dYFP<~LEjAelEQDzv?mL8u}pV!BqyA=)`*a*y=VNA@gE?HJL3tg6NVdem6+`-Ui zL-QVCFF~4HK`sQyReZPPAoEcdLHQ5(*4!LX;E|#K(*`aa*D3>&aPRrUaKxM*V6vsN z?EFrP5Vxs?3Y8^h?P=sey1r}pa+Gqs)EZR%>X7-6u_NtV+z;nPc 
z1Q>eUeM}HJ*3|?M*Ah|Ic6X{4_KXA&oQ{Qk;jrM} zJ3!PQidhQN_sXLQxbSe6yqUniI5Avp{25;urQcpUAnXkCgV8=N(D``O=R(*&E&>PlM7 zIlX8Awj~7s%LiT(JITD&VAtE%$yG ziv)gW6pQ0mcGN4b>PsH_13~QjVan^!R`2o0t6e}RJq+XWu38$g*;v^J4)90-d^L(c z{yAp#W*G()0-(n<gj)EMlDR>*;k3 zU65YMVvGvf!p&(%02cHXR70RCGyU?pBH5AIewo?#YR&@~^>|O=+V$8WG-19(j??Xa zaRQLFLBWOQ2=;t%$?t}1{od8Nzg{Y`*fJt%Ej1)@8ZR4^=I*lS>x236`#1;KOPi249s{mf-QNY$|;l~0X-WYgd;E3R{dL&Z{T%bjH&&__xt|G zY}K=VRrZs1j9h@b1t>`5l4)vto4wW-f^)JMAk+X%Vt2}*Cf+AaQ=I5*H!$*wb>tV>+gg1GYmm zRp!MM6IANJAB&x8*CA!(3^>cYzzLcEMh6`*}8smA{Lh$WDk=g=RiSPGg zPNNkfaZWdAvuF#Qjusv-$3Yh(J=eN1 zEOR-dSFdkeNNR1Xl@r;mLQD+gfS(+2T`Jq=4~^ktkN#55`NxAcHuJU~7s-LjjtYzH z5?%TUidq;Sc9d=u$^{!Zq44Q~g`D20FG|VJKO_gunD|3Y*axXU(^5w8jfqKMh*AC2EX@quJ*U21M%-3Se8^GLlIm(T;sH)O&u*0w=<1+F@x{GoPkGt*+}d=V zvxqrmz#Y(FS#Q%;4ARjvb&`SiP;cy<{DY;oDBI}@_pmXvCKHRmYp7i4f zr`u26827>HavrR+=Ogt;Dw20{TH_ksBGJNd1YJI&Xn|TfRaP^@@{ulP6_q3kOR)i^ zK-iHxV7KRnG8-57F-Ls9ATU%QzUpqtBNU$GYxJtgpiI2YD?|F4RHwp0vuQK;inX%j zCvI6P<85-RQEH3D_s;k^T$+QPS};k27B61EfIyF8oc?Y-@A`AxMoI>sIpuY^7Zj07 z(r#}&s1B9ldsCUpAK^OfsT*GzgT3n9fIIGa$L0mh1q8on5q92? z?z!>Xc}!Y5n;&=;L!!xoLrU`}JX*|PFb;^sQgDcwE2_0~0Ms>0grL$mC5?G6094ta z68yg-)%QdJX%S7zlNRW{r#X&4{(OP~;y(i95g@m&=SvL+S%8)9u0LdMQ*|e z|IzBl|KIFWSiv^%IVu882bi#1K7-E$^GwN)ICn^B120sYk+t$)WODoMFopq>u0ZDM zi+{5|;G4;D$`5wtIgBwK#=MWHbL>GnC^@A|f)x-9t$(WE@V}R=f5uhv{~Gn+?LVjw z`1dvTZ=UeUwqrq8^7AYfQ$h22?Q$&pg&+;a$^j4R-=95~=c3*WmGPN60^>k|I2WU0 zVyWqFfrK#FOS?+Gf!?PbX9}*lnOcL($Z_6MLzRt+^OW-+0~Xq`Qc{%Drw2!kom__0 zFnht?JZ+o*9Y}yXEUoulp#m=&svLI6duL%Ghl7XDb7HtxL>jLct;m z_7VQp*0t@1$)}&!5WEaJ8?cI$xfIa%72}YTnIr6Ifo&J)!%l;uJ8DX1%)c5qXZ(F~ zN;&^*TBlN#M~i#|6y(XZl)+Z1lrso(Abz_8pi2MQkp~yROP+|yczH^dDa-@ zHQ-{u4(s}=lqwQAhf9VYOb07@St(#cBOgz~>-uba^`XA=00tvW*{RdkkVv=Nl-V#c zC}J-|5~{7dWk6;P1Hkt#6`OnQSw&l?78iBC$_({>so6hU&lm=MX>v9@;M)wYq5THM ztP7U5C_r2;+6tTBA^V%C67%mXB}t#aoOkjpnz$rg>gj6HM|Ca>)Dk4@TodoByYKSa z^V#rC)Wo6OBZ?-LhU5+%%0fNSZRcD=%jA~yjI#=>ltwR0_ui$|G literal 0 HcmV?d00001 
diff --git a/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx b/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx index e340e047e7..efc30e7934 100644 --- a/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx +++ b/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx @@ -1,10 +1,10 @@ --- meta: title: Understanding the difference between Key Manager and Secret Manager - description: Learn the differences between Key Manager and Secret Manager and which one to use according to your needs + description: Discover the differences between Secret Manager and Key Manager, and learn which security tool best fits your data protection needs. content: h1: Understanding the difference between Key Manager and Secret Manager - paragraph: Learn the differences between Key Manager and Secret Manager and which one to use according to your needs + paragraph: Discover the differences between Secret Manager and Key Manager, and learn which security tool best fits your data protection needs. tags: key-manager secret-manager security dates: validation: 2025-01-06 diff --git a/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx b/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx index c86295a85a..ef55ec8e5c 100644 --- a/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx +++ b/identity-and-access-management/key-manager/reference-content/security-recommendations.mdx 
@@ -1,10 +1,10 @@ --- meta: title: Understanding security measures when using Key Manager - description: Discover how to enjoy Key Manager and data encryption and decryption securely. + description: Learn best practices for secure key storage, DEK usage, and cost-efficient encryption with Scaleway Key Manager to protect your data effectively. content: h1: Understanding security measures when using Key Manager - paragraph: Discover how to enjoy Key Manager and data encryption and decryption securely. + paragraph: Learn best practices for secure key storage, DEK usage, and cost-efficient encryption with Scaleway Key Manager to protect your data effectively. tags: key-manager security-measures security encryption decryption dates: validation: 2025-01-06 diff --git a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx index 613a7d9384..9a91f1e66e 100644 --- a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx +++ b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx 
@@ -1,10 +1,10 @@ --- meta: title: Understanding Scaleway Key Manager - description: Discover the robust encryption methods used by Secret Manager to safeguard sensitive data effectively. Learn about the Hierarchical Key Management System and its pivotal role in securing encryption keys and data integrity. + description: Learn how Scaleway Key Manager secures your data with encryption hierarchies, key lifecycle management, and support for advanced cryptographic operations. content: h1: Understanding Scaleway Key Manager - paragraph: Discover the robust encryption methods used by Secret Manager to safeguard sensitive data effectively. Learn about the Hierarchical Key Management System and its pivotal role in securing encryption keys and data integrity. + paragraph: Learn how Scaleway Key Manager secures your data with encryption hierarchies, key lifecycle management, and support for advanced cryptographic operations. tags: key-manager encryption data key dates: validation: 2025-01-06 @@ -19,6 +19,8 @@ You will find a diagram in the box below on best practices for how Key Manager w It is recommended to use keys stored in Key Manager as [key encryption keys (KEK)](/identity-and-access-management/key-manager/concepts/#key-encryption-key-kek), which are used to encrypt and decrypt [data encryption keys (DEKs)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) stored on the client side. + + ## Why use data encryption keys? Unlike key encryption keys, which cannot be accessed, you can use data encryption keys (DEK) to encrypt your data. You can also use data encryption keys outside of Scaleway Key Manager. diff --git a/menu/navigation.json b/menu/navigation.json index 4ac18046be..382168c1d4 100644 --- a/menu/navigation.json +++ b/menu/navigation.json 
@@ -519,7 +519,7 @@ }, { "label": "Create and manage a Key Manager data encryption key", - "slug": "manage-dek" + "slug": "create-manage-dek" }, { "label": "Perform key rotation on Key Manager keys", From 914e6760d5e0872119d976a7ba0792fc4096d50a Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Fri, 3 Jan 2025 14:58:56 +0100 Subject: [PATCH 5/8] docs(km): add missing page --- .../api-cli/create-dek-api-cli.mdx | 11 +- .../encrypt-decrypt-data-with-km-dek.mdx | 279 ++++++++++++++++++ menu/navigation.json | 4 + 3 files changed, 287 insertions(+), 7 deletions(-) create mode 100644 identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx diff --git a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx index 17bdb8dc1f..c071e0b299 100644 --- a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx +++ b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx 
@@ -69,11 +69,8 @@ Key Manager **does not allow the use of data encryption keys for data encryption However, you can use the DEK independently from Key Manager, for example with the [Tink extension](/encrypt-decrypt-dek-/#encrypt-and-decrypt-data-with-tink-and-key-manager) or with [OpenSSL](/encrypt-decrypt-dek/#manually-encrypt-and-decrypt-data-with-a-key-manager-dek). + + The way the KEK is generated, its length, and the encryption algorithm used, **cannot be changed or customized after creation**. However, unlike the KEK, you have the flexibility to choose any encryption algorithm (cipher) you prefer for encrypting and decrypting your data with the DEK. You are not restricted to a specific encryption method for the data itself. + **We highly recommend that you use standard and well-established ciphers (and the proper mode), as well as a library like Tink, that chooses the right cryptosystem according to your use-case.** + -!!! info - - The way the KEK is generated, its length, and the encryption algorithm used, **cannot be changed or customized after creation**. - - However, unlike the KEK, you have the flexibility to choose any encryption algorithm (cipher) you prefer for encrypting and decrypting your data with the DEK. You are not restricted to a specific encryption method for the data itself. - - **We highly recommend that you use standard and well-established ciphers (and the proper mode), as well as a library like Tink, that chooses the right cryptosystem according to your use-case.** \ No newline at end of file diff --git a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx new file mode 100644 index 0000000000..4ddd07413c --- /dev/null +++ b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx 
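Review bot: the two links introduced in the create-dek-api-cli.mdx hunk, `/encrypt-decrypt-dek-/#encrypt-and-decrypt-data-with-tink-and-key-manager` (note the stray trailing hyphen before `/`) and `/encrypt-decrypt-dek/#manually-encrypt-and-decrypt-data-with-a-key-manager-dek`, do not match the page this patch adds, which lives at `identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx` and is registered in navigation.json with slug `encrypt-decrypt-data-with-km-dek`; both links will be broken. Point them at `/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek/` and keep the section anchors, which do exist in the new page. Also, the `!!! info` admonition around the KEK/DEK guidance is removed and the lines added in its place are blank as shown, so the recommendation to use standard ciphers and a library like Tink now reads as plain body text rather than a callout; confirm that is intended.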
@@ -0,0 +1,279 @@ +--- +meta: + title: Encrypting and decrypting data with a Key Manager data encryption key + description: Learn how to use Tink with Scaleway's Key Manager to securely encrypt and manage keys, including KEKs and DEKs, in Go applications. +content: + h1: Encrypting and decrypting data with a Key Manager data encryption key + paragraph: Learn how to use Tink with Scaleway's Key Manager to securely encrypt and manage keys, including KEKs and DEKs, in Go applications. +tags: key-manager encryption decryption kms dek data-encryption-key +dates: + validation: 2025-01-06 + posted: 2025-01-06 +categories: + - identity-and-access-management +--- + +This page shows you how to encrypt and decrypt data using your Key Manager [data encryption key](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) and [Tink](https://github.com/tink-crypto/tink/tree/master). + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Created a key encryption key either from the [Scaleway console](/identity-and-access-management/key-manager/how-to/create-km-key/) or the [Key Manager API](https://www.scaleway.com/en/developers/api/key-manager/#path-keys-create-a-key) +- Retrieved your key encryption key's ID +- A valid [API key](/identity-and-access-management/iam/how-to/create-api-keys/) +- Downloaded and configured the [Scaleway CLI](https://github.com/scaleway/scaleway-cli?tab=readme-ov-file#getting-started) +- [Dowloaded Python](https://www.python.org/downloads/) or [Go](https://go.dev/doc/install) +- [Created a Key Manager data encryption key](/identity-and-access-management/key-manager/how-to/create-manage-dek/) + +## Encrypt and decrypt data with Tink and Key Manager + +The [Scaleway Tink 
extension](https://gitlab.infra.online.net/secret-manager/tink-go-scwkms) generates a unique data encryption key for each piece of data that it encrypts. This method follows the cryptography best practices of using unique data encryption keys for each encryption operation. + +Tink is an open source cryptography library written by cryptographers and security engineers at Google. + +In order to use Tink for data encryption, you need to provide it with a key URI and a configuration file: + +- The key URI points to your key encryption key (KEK) in Scaleway Key Manager. + +- The configuration file grants Tink the necessary permissions to access and use the KEK identified by the Key URI. + +Tink generates a data encryption key (DEK) which will be used to encrypt your data. The DEK itself is then encrypted using the KEK from Key Manager. This ensures that the DEK is securely protected and can only be decrypted by someone with access to the KEK. + +The final output is a single ciphertext that includes both the encrypted data and the encrypted DEK (wrapped DEK). This means that the DEK and the data are both securely packaged together. + +Scaleway supports the **Python and Go Tink providers**. + +### Configuring your environment variables + +Open a terminal and paste the following command to export your environment variables. Make sure that you replace the placeholder values with your own. + +```bash + + export SCW_ACCESS_KEY="" + export SCW_SECRET_KEY="" + export SCW_DEFAULT_ORGANIZATION_ID="" + export SCW_PROJECT_ID="" + export SCW_DEFAULT_REGION="" + export SCW_API_URL="" + export SCW_KMS_KEY_ID="" +``` + +### Using the Python Tink provider + +1. Open a terminal and install [Poetry](https://python-poetry.org/): + + ```bash + curl -sSL https://install.python-poetry.org | python3 - + ``` + + Poetry is used to manage dependencies. You can however use any package management tool of your choice. 
For more information on managing dependencies, refer to the [official Python documentation](https://packaging.python.org/en/latest/tutorials/managing-dependencies/). + + +2. Add the [Scaleway Tink provider for Python](https://github.com/scaleway/tink-py-scwkms/tree/v0.1.0): + ```bash + poetry add scaleway-tink + ``` +3. Copy the following template: + ```bash + from scaleway_tink.integration.scwkms import clientimport base64 + import base64 + import os + + def main(): + key_uri = f"scw-kms://{os.getenv('SCW_KMS_KEY_ID')}" + aead = client.ScwKmsClient(None, None).get_aead(key_uri) + + plaintext = b'message' + ciphertext = aead.encrypt(plaintext, b'') + + print(f"plaintext: {plaintext.decode()}") + print(f"ciphertext in base64: {base64.b64encode(ciphertext).decode()}") + print(f"decrypt(ciphertext): {aead.decrypt(ciphertext, b'').decode()}") + + main() + ``` +4. Create a file named `example.py` and paste the code from the step above in it. + +5. Run your code: + ```bash + python3 ./example.py + ``` + + +### Using the Go Tink provider + +1. Open a terminal and add the [Scaleway Tink provider for Go](https://github.com/scaleway/tink-go-scwkms/tree/main) to your `go.mod` file. + + ```bash + go get github.com/scaleway/tink-go-scwkms + ``` + +2. Add the Tink library for Go to your `go.mod` file: + ```bash + go get github.com/tink-crypto/tink-go/v2 + go mod tidy + ``` + + The Tink library for Go is a cryptographic library that simplifies encryption, decryption, and key management operations. + +3. Create a Go project with a `test.go` file in it. +4. Copy the following code. 
+ ```bash + package main + + import ( + "fmt" + "github.com/scaleway/tink-go-scwkms/integration/scwkms" + "github.com/tink-crypto/tink-go/v2/aead" + "log" + "os" + ) + + func main() { + const keyURIPrefix = "scw-kms://regions//keys/" + keyURI := keyURIPrefix + os.Getenv("SCW_KMS_KEY_ID") + + client, err := scwkms.NewClient(keyURIPrefix) + if err != nil { + log.Fatal(err) + } + + kekAEAD, err := client.GetAEAD(keyURI) + if err != nil { + log.Fatal(err) + } + + // Get the KMS envelope AEAD primitive. + dekTemplate := aead.AES256GCMKeyTemplate() + primitive := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD) + if err != nil { + log.Fatal(err) + } + + // Use the primitive. + plaintext := []byte("message") + associatedData := []byte("example KMS envelope AEAD encryption") + + ciphertext, err := primitive.Encrypt(plaintext, associatedData) + if err != nil { + log.Fatal(err) + } + + fmt.Printf("Plaintext: %s\n", plaintext) + fmt.Printf("Ciphertext (base64): %s\n", ciphertext) + + decryptedCiphertext, err := primitive.Decrypt(ciphertext, associatedData) + if err != nil { + log.Fatal(err) + } + + fmt.Printf("Decrypted ciphertext: %s\n", decryptedCiphertext) + } + ``` +5. Paste the code from the step above in your `test.go` file. +6. Replace `` with the region where your key is located and save your changes. +7. Run your code: + ```bash + go run test.go + ``` + +
+ +## Manually encrypt and decrypt data with a Key Manager DEK + +### OpenSSL overview + +OpenSSL is a software library for secure communication over computer networks. It is widely used for cryptographic functions. + +To decrypt or encrypt your data using OpenSSL, you need to send your encrypted DEK to Key Manager using the [Decrypt data operation](https://www.scaleway.com/en/developers/api/key-manager/#path-keys-decrypt-data). + +Scaleway Key Manager then uses your key encryption key (KEK) to decrypt the encrypted DEK, returning it to its plaintext (unencrypted) form, which you can then use to decrypt your actual data. + + + - **It is not recommended to you use OpenSSL in a production environment**. + - You should **never save the plaintext DEK on disk or any permanent storage, as it poses a security risk**. + + + +### Encrypting data with OpenSSL + + +To encrypt your data using OpenSSl, we need to: + +1. Decrypt your encrypted DEK using your Key Manager key (key encryption key) + +2. Create a `plaintext.txt` file in which we will paste your plaintext data. + +3. Encrypt the content of `plaintext.txt` using OpenSSL and the AES-256-CBC cipher encryption algorithm. + +Open a terminal and paste the following command to perform the actions described above. Make sure that you replace `` and `` with the relevant values. +```bash +# Decrypt the encrypted DEK using scw key decrypt +decrypted_data_key=$(scw keymanager key decrypt key-id= ciphertext= | awk '$1 == "Plaintext" {print $2}' | base64 -d) + +# Put your data plaintext into a .txt file +echo -n "Your plaintext here" > plaintext.txt + +# Encrypt your file using OpenSSL and AES-256-CBC +openssl enc -aes-256-cbc -in plaintext.txt -out encrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p + +# Remove the plaintext data +rm plaintext.txt +``` + +### Decrypting data with OpenSSL + +To decrypt your encrypted data using OpenSSL, we need to: + +1. 
Decrypt your encrypted DEK using your Key Manager key (key encryption key) + +2. Decrypt the content of `encrypted.bin` which contains your encrypted data, using OpenSSL and the AES-256-CBC cipher encryption algorithm. + +Open a terminal and paste the following command to perform the actions described above. Make sure that you replace `` and `` with the relevant values. +```bash + # Decrypt the encrypted DEK using scw key decrypt + decrypted_data_key=$(scw keymanager key decrypt key-id= ciphertext= | awk '$1 == "Plaintext" {print $2}' | base64 -d) + + # Decrypt your data using OpenSSL and AES-256-CBC + openssl enc -aes-256-cbc -d -in encrypted.bin -out decrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p +``` + + + If you do not wish to use OpenSSL to encrypt and decrypt your data encryption key, you can do it manually using the procedure below, which follows best practices. + + + +### Encrypting a DEK manually + +1. [Generate one data encryption key](/generate-dek-cli-api/) for each plaintext you want to encrypt. + + + This ensures that each encryption operation uses a unique encryption key, enhancing security. + + +2. Use your newly created DEK to encrypt the desired plaintext securely. + + + We recommend using **standard and well-established ciphers** such as `AES` (Advanced Encryption Standard), to perform the encryption operation. + + +3. After encrypting the plaintext using your DEK, concatenate the encrypted DEK with the resulting ciphertext. This ensures that the encrypted DEK is securely associated with the corresponding ciphertext for decryption. + +### Decrypting a DEK manually + +1. Extract the encrypted DEK from the ciphertext. + + + Extracting an encrypted DEK from the ciphertext means that we are separating the encrypted DEK from the ciphertext. + + +2. Decrypt the encrypted DEK using your Key manager key (key encryption key). +3. Use the resulting DEK's plaintext to decrypt the ciphertext. 
+ + + Use the same cryptographic algorithm and decryption mechanism as the ones you used during the encryption process. + +4. Delete the plaintext DEK from permanent storage after using it to enhance security. + +
\ No newline at end of file diff --git a/menu/navigation.json b/menu/navigation.json index 382168c1d4..421ab3b016 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -573,6 +573,10 @@ "label": "Perform key rotation using the Scaleway CLI and API", "slug": "rotate-keys-api-cli" }, + { + "label": "Encrypting and decrypting data with a Key Manager data encryption key", + "slug": "encrypt-decrypt-data-with-km-dek" + }, { "label": "Encrypting and decrypting data streams with Streaming AEAD, Tink and Key Manager", "slug": "encrypt-decrypt-keys-with-streaming-aead-tink" From 95b9516cf726ee2f1b67b3d95dc3e6c781e561e6 Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Wed, 15 Jan 2025 11:10:10 +0100 Subject: [PATCH 6/8] docs(key-manager): change schema --- .../assets/scaleway-key-manager-schema.webp.png | Bin 0 -> 55173 bytes .../assets/scaleway-key-manager.webp | Bin 28656 -> 0 bytes .../understanding-key-manager.mdx | 6 +++--- 3 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager-schema.webp.png delete mode 100644 identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager.webp 
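Review bot: in the new encrypt-decrypt-data-with-km-dek.mdx page, both OpenSSL snippets store the decoded DEK as raw bytes in a shell variable (`decrypted_data_key=$(scw keymanager key decrypt ... | base64 -d)`) and then re-emit it with `echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"'`; shell variables cannot hold NUL bytes, so a DEK containing 0x00 is silently truncated and the hex key passed to `-K` is wrong. Pipe directly to hex instead (`... | base64 -d | hexdump -ve '/1 "%02x"'`) and hand that string to `-K`. The same commands pass `-p`, which prints the key and IV to stdout, contradicting the note a few lines above that the plaintext DEK must never be persisted; drop it. `-iv 0` is a fixed all-zero IV (OpenSSL pads the short hex string with zeros) combined with unauthenticated CBC; since the section already marks OpenSSL as not for production, at least generate a per-file IV with `openssl rand -hex 16` and store it alongside `encrypted.bin`. Smaller issues in the same hunk: the Python template's first line `from scaleway_tink.integration.scwkms import clientimport base64` is two statements run together and will not parse; the Python and Go listings are fenced as `bash`; in the Go listing the `if err != nil` after `primitive := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD)` re-tests the error left over from `GetAEAD` (nothing on that line assigns `err`), `keyURIPrefix = "scw-kms://regions//keys/"` has an empty region segment while step 6's "Replace `` with the region" placeholder is blank, and `fmt.Printf("Ciphertext (base64): %s\n", ciphertext)` prints raw bytes, not base64. The Tink extension link targets the internal host `gitlab.infra.online.net` while the later steps use the public `github.com/scaleway/tink-go-scwkms`; the `[Generate one data encryption key](/generate-dek-cli-api/)` link matches no page in the diffstat (the DEK page in this series is `api-cli/create-dek-api-cli.mdx`); typos: "Dowloaded Python", "OpenSSl", "not recommended to you use", "Key manager key".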
diff --git a/identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager-schema.webp.png b/identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager-schema.webp.png new file mode 100644 index 0000000000000000000000000000000000000000..d1a9219d690d47eb3600f156ccc34d9bc1ee9004 GIT binary patch literal 55173
diff --git a/identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager.webp b/identity-and-access-management/key-manager/reference-content/assets/scaleway-key-manager.webp deleted file mode 100644 index aea4f39151d79f4dc94ab3668fd7e2949224b4bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28656
diff --git a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx index 9a91f1e66e..f2b1d56140 100644 --- a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx +++ b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx @@ -7,8 +7,8 @@ content: paragraph: Learn how Scaleway Key Manager secures your data with encryption hierarchies, key lifecycle management, and support for advanced cryptographic operations. tags: key-manager encryption data key dates: - validation: 2025-01-06 - posted: 2025-01-06 + validation: 2025-01-15 + posted: 2025-01-15 categories: - identity-and-access-management --- @@ -19,7 +19,7 @@ You will find a diagram in the box below on best practices for how Key Manager w It is recommended to use keys stored in Key Manager as [key encryption keys (KEK)](/identity-and-access-management/key-manager/concepts/#key-encryption-key-kek), which are used to encrypt and decrypt [data encryption keys (DEKs)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) stored on the client side. - + ## Why use data encryption keys? From 3dadd46dc20311105047f6c380e20e25ccc5385c Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Wed, 15 Jan 2025 11:39:11 +0100 Subject: [PATCH 7/8] docs(key-manager): reviews bene & lulu --- .../api-cli/encrypt-decrypt-data-with-km-dek.mdx | 11 ++++------- ...crypt-decrypt-keys-with-streaming-aead-tink.mdx | 6 +++--- .../key-manager/api-cli/manage-keys-with-tink.mdx | 6 +++--- .../key-manager/concepts.mdx | 4 ++-- .../key-manager/how-to/rotate-km-keys.mdx | 2 +- .../differences-key-and-secret-manager.mdx | 6 +++--- .../understanding-key-manager.mdx | 14 ++++++-------- 7 files changed, 22 insertions(+), 27 deletions(-) 
diff --git a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx index 4ddd07413c..eb30d34b4f 100644 --- a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx +++ b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx @@ -23,12 +23,12 @@ This page shows you how to encrypt and decrypt data using your Key Manager [data - Retrieved your key encryption key's ID - A valid [API key](/identity-and-access-management/iam/how-to/create-api-keys/) - Downloaded and configured the [Scaleway CLI](https://github.com/scaleway/scaleway-cli?tab=readme-ov-file#getting-started) -- [Dowloaded Python](https://www.python.org/downloads/) or [Go](https://go.dev/doc/install) +- [Dowloaded and installed Python](https://www.python.org/downloads/) or [Go](https://go.dev/doc/install) - [Created a Key Manager data encryption key](/identity-and-access-management/key-manager/how-to/create-manage-dek/) ## Encrypt and decrypt data with Tink and Key Manager -The [Scaleway Tink extension](https://gitlab.infra.online.net/secret-manager/tink-go-scwkms) generates a unique data encryption key for each piece of data that it encrypts. This method follows the cryptography best practices of using unique data encryption keys for each encryption operation. +The [Scaleway Tink extension](/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink) generates a unique data encryption key for each piece of data that it encrypts. This method follows the cryptography best practices of using unique data encryption keys for each encryption operation. Tink is an open source cryptography library written by cryptographers and security engineers at Google. @@ -178,7 +178,6 @@ Open a terminal and paste the following command to export your environment varia go run test.go ``` -
## Manually encrypt and decrypt data with a Key Manager DEK @@ -191,7 +190,7 @@ To decrypt or encrypt your data using OpenSSL, you need to send your encrypted D Scaleway Key Manager then uses your key encryption key (KEK) to decrypt the encrypted DEK, returning it to its plaintext (unencrypted) form, which you can then use to decrypt your actual data. - - **It is not recommended to you use OpenSSL in a production environment**. + - **We do not recommend that you use OpenSSL in a production environment**. - You should **never save the plaintext DEK on disk or any permanent storage, as it poses a security risk**. @@ -274,6 +273,4 @@ Open a terminal and paste the following command to perform the actions described Use the same cryptographic algorithm and decryption mechanism as the ones you used during the encryption process. -4. Delete the plaintext DEK from permanent storage after using it to enhance security. - -
\ No newline at end of file +4. Delete the plaintext DEK from permanent storage after using it to enhance security. \ No newline at end of file diff --git a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx index c05b55eae1..e53dd17f52 100644 --- a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx +++ b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-keys-with-streaming-aead-tink.mdx @@ -19,7 +19,7 @@ Tink is a multi-language cryptographic library that simplifies common cryptograp Key Manager handles secure storage and management of encryption keys. In this case, it is integrated with Tink to manage a Key Encryption Key (KEK). -Streaming AEAD: This is the cryptographic primitive that handles secure, authenticated streaming encryption. It ensures that large amounts of data are encrypted on-the-fly without needing to load everything into memory. +Streaming AEAD: This is the cryptographic primitive that handles secure, authenticated streaming encryption. It ensures that large amounts of data are encrypted on the fly without needing to load everything into memory. This page shows you how to use the Key Manager Tink extension to encrypt and decrypt large data streams using Authenticated Encryption with Associated Data (AEAD). @@ -57,7 +57,7 @@ Open a terminal and paste the following commands to export your environment vari go get github.com/tink-crypto/tink-go/v2 ``` -2. Create a Go project and paste the following code in a Go file: +2. Create a Go project and paste the following code into a Go file: ``` package main 
@@ -196,7 +196,7 @@ Open a terminal and paste the following commands to export your environment vari } ``` - - The example above shows you how to use the Key Manager remote key encryption key to protect your data encryption key and AEAD stream, you can also protect the data encryption key using another non remote key. + - The example above shows you how to use the Key Manager remote key encryption key to protect your data encryption key and AEAD stream, you can also protect the data encryption key using another non-remote key. - Associated data is authenticated but not encrypted diff --git a/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx b/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx index 8081128a79..86ccf4d33b 100644 --- a/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx +++ b/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink.mdx @@ -211,7 +211,7 @@ Run the following command to encrypt your data with `Associated Data`. In the ex // Insert secret2 into row 43 ``` -Associated Data does not need to be stored, as it can be infered from the context at decryption time. It is also possible to use a unique DEK for each payload. We recommend using Associated Data. +Associated Data does not need to be stored, as it can be inferred from the context at decryption time. It is also possible to use a unique DEK for each payload. We recommend using Associated Data. ## Hierarchy of keys 
@@ -223,7 +223,7 @@ However, your application still needs to call the Key Manager API: - At least once to encrypt a newly generated DEK before storing it, and - Each time a DEK needs to be decrypted before use -Thus, you can use a hierarchy of keys to minimize calls to the Key Manager API (or any remote key mangement service), which can slow down your application and incur charges. +Thus, you can use a hierarchy of keys to minimize calls to the Key Manager API (or any remote key management service), which can slow down your application and incur charges. In the example below, the application only needs to call Key Manager once to decrypt the DEK Master Key. All subsequent decryption of DEKs happens locally, which improves efficiency. @@ -258,7 +258,7 @@ ct2, _ := dek2AEAD.Encrypt([]byte("this is another secret"), []byte("id43")) Your DEK and KEK do not need to use the same algorithm and cipher. -The example above can work for most use cases. However, there is no "one fits all" approach to create the right key hierarchy. It is up to you to decide on a hierarchy that suits you best,according to your application needs and constraints. +The example above can work for most use cases. However, there is no "one fits all" approach when creating the right key hierarchy. It is up to you to decide on a hierarchy that suits you best, according to your application needs and constraints. diff --git a/identity-and-access-management/key-manager/concepts.mdx b/identity-and-access-management/key-manager/concepts.mdx index 040c891ca6..ad6215f5d1 100644 --- a/identity-and-access-management/key-manager/concepts.mdx +++ b/identity-and-access-management/key-manager/concepts.mdx 
@@ -43,7 +43,7 @@ A data encryption key is a type of key that can be used outside Key Manager to e Key Manager generates DEKs on-demand. They are then encrypted by a [key encryption key](#key-encryption-key-kek) specified by the user, and forwarded to the recipient. -DEKs are **not stored in or managed by Key Manager**. The user is reponsible for safely storing and managing DEKs. DEKs should have the same lifecycle as the [payload](#payload) they encrypt**. +DEKs are **not stored in or managed by Key Manager**. Users are responsible for safely storing and managing DEKs. DEKs should have the same lifecycle as the [payload](#payload) they encrypt**. ## Decryption @@ -149,4 +149,4 @@ Symmetric encryption is a fundamental type of cryptographic method where the sam Because symmetric encryption relies on a single key, it is generally fast and ideal for encrypting large volumes of data. However, its security depends entirely on keeping the key confidential. -Symmetric encryption algorithms like AES are widely used in scenarios where speed and efficiency are critical. As of now, Key manager only supports the `AES_256_GCM` symmetric encryption algorithm. \ No newline at end of file +Symmetric encryption algorithms like AES are widely used in scenarios where speed and efficiency are critical. As of now, Key Manager only supports the `AES_256_GCM` symmetric encryption algorithm. \ No newline at end of file diff --git a/identity-and-access-management/key-manager/how-to/rotate-km-keys.mdx b/identity-and-access-management/key-manager/how-to/rotate-km-keys.mdx index 400d5e5c23..70990beca3 100644 --- a/identity-and-access-management/key-manager/how-to/rotate-km-keys.mdx +++ b/identity-and-access-management/key-manager/how-to/rotate-km-keys.mdx 
@@ -26,7 +26,7 @@ This reduces the risk of exposure if a key is compromised, thus enhancing the ov ## How to perform key rotation 1. Click Key Manager in the **Security and Identity section** of the [Scaleway console](https://console.scaleway.com) side menu. Your keys display. -2. Click the key to perform the rotation on. Your key's **Overview** tab displays. +2. Click the key you want to rotate. Your key's **Overview** tab displays. 3. Scroll down to the **Key rotation** section, and click **Rotate key**. A tooltip displays to confirm the rotation was performed. Rotating your key creates a new version of it. All cryptographic operations will use the new key rotation. All data encrypted with former key versions will remain decipherable with the former key. diff --git a/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx b/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx index efc30e7934..44529905c8 100644 --- a/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx +++ b/identity-and-access-management/key-manager/reference-content/differences-key-and-secret-manager.mdx @@ -16,7 +16,7 @@ categories: Secret Manager and Key Manager are both security-focused products aiming to help you protect your data and improve the security of your infrastructure. -The difference between th two of them is not always clear, and you may be unsure which one is most appropriate for your use-case. +The difference between the two of them is not always clear, and you may be unsure which one is most appropriate for your use-case. This page helps you answer that question. 
@@ -40,7 +40,7 @@ However, this approach can lead to serious security problems such as: - inadvertently storing your keys in plaintext, or exposing them (e.g. in logs) - incorrect (re-)use of keys: your application would be responsible for using the key correctly, which is harder than it first seems. - - not disposing of the key properly after use (e.g. letting it reside in swap disk) + - not disposing of the key properly after use (e.g. letting it reside in the swap disk) These are typical key management problems that are not effectively solved by Secret Manager, hence the need for Key Manager. @@ -53,7 +53,7 @@ the ciphertext to be decrypted. Your application is no longer responsible for ma Last, but not least, Key Manager provides another way of authorizing certain actions. You might want to authorize some principals only to encrypt data, and others only to decrypt data. -Let us take the example of an application that receives sensitive health data that needs to be encrypted before being inserted into a database.The application would be able to ask Key Manager +Let us take the example of an application that receives sensitive health data that needs to be encrypted before being inserted into a database. The application would be able to ask Key Manager to carry out encryption operations, but not decryption operations, so it cannot read the sensitive data already stored. This would not be possible to achieve with Secret Manager, since both writing and reading applications would need permissions to read the key from Secret Manager, which is sufficient to both encrypt and decrypt the data. diff --git a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx index f2b1d56140..ee656f10d3 100644 --- a/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx 
+++ b/identity-and-access-management/key-manager/reference-content/understanding-key-manager.mdx 
@@ -13,27 +13,25 @@ categories: - identity-and-access-management --- -## How does Key Manager work? +## How to use Key Manager? -You will find a diagram in the box below on best practices for how Key Manager works. - -It is recommended to use keys stored in Key Manager as [key encryption keys (KEK)](/identity-and-access-management/key-manager/concepts/#key-encryption-key-kek), which are used to encrypt and decrypt [data encryption keys (DEKs)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek) stored on the client side. +We recommend using the keys you store in Key Manager as [key encryption keys (KEK)](/identity-and-access-management/key-manager/concepts/#key-encryption-key-kek), and use them to encrypt and decrypt your [data encryption keys (DEK)](/identity-and-access-management/key-manager/concepts/#data-encryption-key-dek). We do not recommend storing your data encryption keys in Key Manager. ## Why use data encryption keys? -Unlike key encryption keys, which cannot be accessed, you can use data encryption keys (DEK) to encrypt your data. You can also use data encryption keys outside of Scaleway Key Manager. +Unlike key encryption keys (KEK), which cannot be accessed, you can use data encryption keys (DEK) to encrypt your data. You can also use data encryption keys outside of Scaleway Key Manager. The main benefit of using DEKs is that you do not have to re-encrypt your data at each rotation performed in Key Manager. Only the DEK needs to be re-encrypted with a new KEK. By rotating solely the KEK, the security of data-at-rest is reinforced without needing heavy encryption operations. -When Key Manager generates data encryption keys, a [plaintext](/identity-and-access-management/key-manager/concepts/#plaintext) version of your key is retunred for immediate use, and a [ciphertext](/identity-and-access-management/key-manager/concepts/#ciphertext), which is an encrypted copy of the data encryption key, that you can safely store. 
+When Key Manager generates data encryption keys, a [plaintext](/identity-and-access-management/key-manager/concepts/#plaintext) version of your key is returned for immediate use, and a [ciphertext](/identity-and-access-management/key-manager/concepts/#ciphertext), which is an encrypted copy of the data encryption key, that you can safely store. - Never store your data encryption key's plaintext. When you want to decrypt your data, you need to go through Key Manager to decrypt the encrypted DEK. Find out [how to decrypt your data with Tink](/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink/). - - While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. **You must use and manage data encryption keys outside of Scaleway's Key Manager**. + - While Scaleway Key Manager is responsible for **generating, encrypting, and decrypting data encryption keys**, it **does not store, manage, or monitor them**, nor does it engage in cryptographic operations with these keys. **You must use and manage data encryption keys outside of Scaleway's Key Manager**. ## What is the difference between ciphertext and plaintext? @@ -88,7 +86,7 @@ The following parameters, in compliance with the [recommendations of ANSSI](http ### Key derivation algorithm -Key Manager uses HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in [RFC 5869](https://datatracker.ietf.org/doc/html/rfc5869) with [SHA-256](https://www.rfc-editor.org/rfc/rfc4868.html#section-2) as hash function. +Key Manager uses HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in [RFC 5869](https://datatracker.ietf.org/doc/html/rfc5869) with [SHA-256](https://www.rfc-editor.org/rfc/rfc4868.html#section-2) as the hash function. ### Key material From 2ee29a546989c05692c6ee68735341a8b5dabc24 Mon Sep 17 00:00:00 2001 
From: nerda-codes Date: Mon, 20 Jan 2025 15:07:06 +0100 Subject: [PATCH 8/8] docs(key-manager): add info about petry + feedback cyril --- .../api-cli/create-dek-api-cli.mdx | 5 ++- .../encrypt-decrypt-data-with-km-dek.mdx | 35 +++++++++++-------- 2 files changed, 25 insertions(+), 15 deletions(-) diff --git a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx index c071e0b299..05ac1dba97 100644 --- a/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx +++ b/identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx @@ -48,6 +48,9 @@ An output similar to the following should display: CreatedAt ``` + + For convenience, Key Manager returns the plaintext version of the DEK, but it should never be stored in this form. Storing the decrypted plaintext of your DEK undermines the security provided by Key Manager, rendering it ineffective. + ## Generate a DEK using the API @@ -65,7 +68,7 @@ Key Manager also supports the `GenerateDataKey` request without a plaintext oper If you need to use your DEK, you can decrypt it using the [Decrypt data operation](https://www.scaleway.com/en/developers/api/key-manager/#path-keys-decrypt-data) specifying the `kek_id` parameter used to encrypt it. -Key Manager **does not allow the use of data encryption keys for data encryption**. +**Key Manager does not handle direct data encryption**. It is specifically designed to **encrypt and decrypt Data Encryption Keys (DEKs) and is limited to processing inputs up to 64KB in size**. However, you can use the DEK independently from Key Manager, for example with the [Tink extension](/encrypt-decrypt-dek-/#encrypt-and-decrypt-data-with-tink-and-key-manager) or with [OpenSSL](/encrypt-decrypt-dek/#manually-encrypt-and-decrypt-data-with-a-key-manager-dek). 
diff --git a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx index eb30d34b4f..3719f2003b 100644 --- a/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx +++ b/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx @@ -1,14 +1,14 @@ --- meta: title: Encrypting and decrypting data with a Key Manager data encryption key - description: Learn how to use Tink with Scaleway's Key Manager to securely encrypt and manage keys, including KEKs and DEKs, in Go applications. + description: Learn how to use Tink with Scaleway's Key Manager to securely encrypt and manage keys, including KEKs and DEKs, in Go and Python applications. content: h1: Encrypting and decrypting data with a Key Manager data encryption key - paragraph: Learn how to use Tink with Scaleway's Key Manager to securely encrypt and manage keys, including KEKs and DEKs, in Go applications. + paragraph: Learn how to use Tink with Scaleway's Key Manager to securely encrypt and manage keys, including KEKs and DEKs, in Go and Python applications. tags: key-manager encryption decryption kms dek data-encryption-key dates: - validation: 2025-01-06 - posted: 2025-01-06 + validation: 2025-01-20 + posted: 2025-01-20 categories: - identity-and-access-management --- 
@@ -23,8 +23,11 @@ This page shows you how to encrypt and decrypt data using your Key Manager [data - Retrieved your key encryption key's ID - A valid [API key](/identity-and-access-management/iam/how-to/create-api-keys/) - Downloaded and configured the [Scaleway CLI](https://github.com/scaleway/scaleway-cli?tab=readme-ov-file#getting-started) -- [Dowloaded and installed Python](https://www.python.org/downloads/) or [Go](https://go.dev/doc/install) +- [Dowloaded and installed Python](https://www.python.org/downloads/) version >=3.9 or [Go](https://go.dev/doc/install) - [Created a Key Manager data encryption key](/identity-and-access-management/key-manager/how-to/create-manage-dek/) +- [Installed Poetry](https://python-poetry.org/docs/#installation) +- [Created a project](https://python-poetry.org/docs/basic-usage/#project-setup) in Poetry +- [Set a Python version](https://python-poetry.org/docs/basic-usage/#setting-a-python-version) in your Petry project ## Encrypt and decrypt data with Tink and Key Manager 
@@ -61,20 +64,24 @@ Open a terminal and paste the following command to export your environment varia ### Using the Python Tink provider -1. Open a terminal and install [Poetry](https://python-poetry.org/): +1. Open a terminal and access your desired Poetry project: + + ``` + cd your-project + ``` - ```bash - curl -sSL https://install.python-poetry.org | python3 - - ``` Poetry is used to manage dependencies. You can however use any package management tool of your choice. For more information on managing dependencies, refer to the [official Python documentation](https://packaging.python.org/en/latest/tutorials/managing-dependencies/). - -2. Add the [Scaleway Tink provider for Python](https://github.com/scaleway/tink-py-scwkms/tree/v0.1.0): +2. Initialize your project: + ``` + poetry init + ``` +3. Add the [Scaleway Tink provider for Python](https://github.com/scaleway/tink-py-scwkms/tree/v0.1.0): ```bash poetry add scaleway-tink ``` -3. Copy the following template: +4. Copy the following template: ```bash from scaleway_tink.integration.scwkms import clientimport base64 import base64 @@ -93,9 +100,9 @@ Open a terminal and paste the following command to export your environment varia main() ``` -4. Create a file named `example.py` and paste the code from the step above in it. +5. Create a file named `example.py` and paste the code from the step above in it. -5. Run your code: +6. Run your code: ```bash python3 ./example.py ```
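Review bot: in the concepts.mdx `@@ -43,7 +43,7 @@` hunk, the rewritten `+` line still ends with the stray `**` in `they encrypt**.`; there is no opening `**` for it, so either drop it or open the bold at `DEKs should have`, otherwise the MDX renders a literal `**`.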
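Review bot: in the concepts.mdx `@@ -149,4 +149,4 @@` hunk, the `+` line keeps the `\ No newline at end of file` state; since the line is being edited anyway, add the trailing newline so the file ends cleanly. The `Key manager` to `Key Manager` fix itself is fine.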
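Review bot: in the rotate-km-keys.mdx `@@ -26,7 +26,7 @@` hunk, the unchanged context after step 3 says `All cryptographic operations will use the new key rotation.` and `will remain decipherable with the former key.`, but the sentence right before it says rotation creates a new version of the same key. Change these to `the new key version` and `with the former key version` so the reader does not take rotation to produce a separate key. The `+` line (`Click the key you want to rotate.`) reads well.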
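Review bot: in the differences-key-and-secret-manager.mdx `@@ -40,7 +40,7 @@` hunk, `letting it reside in the swap disk` is no more idiomatic than the original `in swap disk`; swap can be a partition or a file, so `letting it reside in swap` (or `in swap space`) is the usual phrasing and avoids implying a dedicated disk.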
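Review bot: in the understanding-key-manager.mdx `@@ -13,27 +13,25 @@` hunk, the new heading `## How to use Key Manager?` is not a grammatical question, whereas the replaced `How does Key Manager work?` was; use `How to use Key Manager` without the question mark, or `How do I use Key Manager?`. In the same hunk the recommendation line mixes forms (`We recommend using ... and use them`); make it `and using them`. The unchanged context `Only the DEK needs to be re-encrypted with a new KEK.` should also say `a new KEK version`, matching the key-versioning described in rotate-km-keys.mdx, since the KEK itself is not replaced by a rotation.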
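Review bot: in the create-dek-api-cli.mdx `@@ -65,7 +68,7 @@` hunk, the two new links point at `/encrypt-decrypt-dek-/#encrypt-and-decrypt-data-with-tink-and-key-manager` and `/encrypt-decrypt-dek/#manually-encrypt-and-decrypt-data-with-a-key-manager-dek`: the first has a stray trailing hyphen in the path, and neither matches the page edited in this same patch (`identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek.mdx`) nor the full `/identity-and-access-management/key-manager/...` link form used everywhere else in the series. Point both at `/identity-and-access-management/key-manager/api-cli/encrypt-decrypt-data-with-km-dek/` with the respective anchors. Minor: `64KB` should be `64 KB`, consistent with the unit spacing elsewhere in the docs.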
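Review bot: in the encrypt-decrypt-data-with-km-dek.mdx `@@ -1,14 +1,14 @@` hunk, `posted` is bumped from 2025-01-06 to 2025-01-20 together with `validation`; `posted` normally records first publication, so only `validation` should move when the page is revised.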
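Review bot: in the `@@ -23,8 +23,11 @@` hunk, `Petry` in the new `Set a Python version ... in your Petry project` bullet is a typo for Poetry, and the edited `Dowloaded and installed Python` bullet still carries `Dowloaded`. The new prerequisites (`Installed Poetry`, `Created a project in Poetry`) also overlap with the `poetry init` step added in the `@@ -61,20 +64,24 @@` hunk: running `poetry init` inside a project that already exists is at best redundant and will complain about the existing pyproject.toml, so keep either the prerequisite or the init step, not both.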
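Review bot: in the `@@ -61,20 +64,24 @@` hunk, the final step still runs `python3 ./example.py` after `poetry add scaleway-tink`; unless the Poetry virtualenv is activated, that interpreter will not see the dependency, so use `poetry run python3 ./example.py`. Two smaller points in the same hunk: the template's first line `from scaleway_tink.integration.scwkms import clientimport base64` fuses `import client` with `import base64` (and `import base64` is repeated on the next line), and the template is fenced as `bash` although it is Python (the new `cd your-project` fence has no language tag at all), so tag the template `python` and the shell commands `bash` consistently.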