From b8f8b97f5c2aad04cb24f0ee2bbc4c997463167b Mon Sep 17 00:00:00 2001 From: nerda-codes Date: Thu, 4 Sep 2025 16:14:11 +0200 Subject: [PATCH 1/2] docs(add): triangle project --- pages/key-manager/concepts.mdx | 10 +++++--- .../cryptographic-details-key-manager.mdx | 14 +++++++++++ pages/secret-manager/concepts.mdx | 25 +++++++------------ 3 files changed, 30 insertions(+), 19 deletions(-) diff --git a/pages/key-manager/concepts.mdx b/pages/key-manager/concepts.mdx index e3ed86627c..3b07e8d9c1 100644 --- a/pages/key-manager/concepts.mdx +++ b/pages/key-manager/concepts.mdx @@ -3,7 +3,7 @@ title: Key Manager - Concepts description: Explore essential cryptographic concepts, including symmetric and asymmetric encryption, data encryption keys (DEKs), key encryption keys (KEKs), and Scaleway Key Manager's robust features for secure key management and encryption operations. tags: key-manager key encryption-key dates: - validation: 2025-07-24 + validation: 2025-09-03 --- ## Asymmetric encryption @@ -43,6 +43,8 @@ Key Manager supports the five following cryptographic operations: These operations are designed to protect data from unauthorized access, ensure its integrity, and verify the identities of users or systems. +Refer to the [Understanding Key Manager cryptography](/key-manager/reference-content/cryptographic-details-key-manager/) documentation page for more information. + ## Data encryption key (DEK) A data encryption key is a type of key that can be used outside Key Manager to encrypt and decrypt [payloads](#payload). 
@@ -81,6 +83,8 @@ It also supports the following **asymmetric** encryption algorithms: - RSA-OAEP-3072-SHA256: RSA encryption with 3072-bit key and OAEP padding using SHA-256. (recommended) - RSA-OAEP-4096-SHA256: RSA encryption with 4096-bit key and OAEP padding using SHA-256. +Refer to the [Understanding Key Manager cryptography](/key-manager/reference-content/cryptographic-details-key-manager/) documentation page for more information. + ## Encryption method An encryption method is a broader approach used to convert readable data ([plaintext](#plaintext)) into an unreadable format ([ciphertext](#ciphertext)) which may involve one or more [encryption algorithms](#encryption-algorithm). @@ -91,7 +95,7 @@ There are three types of encryption methods: - [Asymmetric encryption](#asymmetric-encryption) - Hybrid encryption: An encryption method that combines both symmetric and asymmetric methods -Key Manager supports symmetric and asymmetric encryption. +Key Manager supports symmetric and asymmetric encryption. Refer to the [Understanding Key Manager cryptography](/key-manager/reference-content/cryptographic-details-key-manager/) documentation page for more information. ## Encryption scheme @@ -126,7 +130,7 @@ When using [symmetric encryption](#symmetric-encryption), it is generally recomm After rotating your Key Manager keys, all cryptographic operations will use the new rotated keys. All data encrypted with former key versions will remain decipherable with the former key. -Key rotation is only available for symmetric keys. +Key rotation is only available for symmetric keys. Refer to the [How to rotate Key Manager keys](/key-manager/api-cli/rotate-keys-api-cli/) documentation page for more information. ## Key usage diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx index 555b878016..2ad5b1a154 100644 
--- a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx @@ -55,3 +55,17 @@ To reduce the risk of key overuse, plaintext payloads are limited to a maximum s - [Tink Python integration](https://github.com/scaleway/tink-py-scwkms) - [Ting Go integration](https://github.com/scaleway/tink-go-scwkms) + +### Asymmetric encryption + +Asymmetric encryption is a fundamental type of cryptographic method used to secure data with a pair of keys: a **public key** and a **private key**. + +The public key is used for encryption and can be shared openly, while the private key is used for decryption and must be kept secret. This design eliminates the need to share a single key securely, which is a challenge in symmetric encryption. + +Asymmetric encryption is particularly well-suited for secure communication and authentication, such as encrypting emails or verifying digital signatures. However, it is slower than symmetric encryption. Algorithms like RSA and ECC are common examples of asymmetric encryption. + +As of now, Key Manager supports the following asymmetric encryption algorithms: + +- RSA-OAEP-2048-SHA256: RSA encryption with 2048-bit key and OAEP padding using SHA-256. +- RSA-OAEP-3072-SHA256: RSA encryption with 3072-bit key and OAEP padding using SHA-256. (recommended) +- RSA-OAEP-4096-SHA256: RSA encryption with 4096-bit key and OAEP padding using SHA-256. \ No newline at end of file diff --git a/pages/secret-manager/concepts.mdx b/pages/secret-manager/concepts.mdx index e22eb71cbb..a99cf23a6e 100644 --- a/pages/secret-manager/concepts.mdx +++ b/pages/secret-manager/concepts.mdx 
@@ -3,7 +3,7 @@ title: Secret Manager - Concepts description: Discover essential concepts of Scaleway Secret Manager, including secret versioning, ephemeral policies, and path management. tags: secret-manager secret version dates: - validation: 2025-04-15 + validation: 2025-09-03 --- import image from './assets/scaleway-secret-manager-schema.webp' @@ -12,9 +12,13 @@ import image from './assets/scaleway-secret-manager-schema.webp' Disabling a version is the action of temporarily revoking access to the data contained within a specific version. This prevents any users and applications from accessing your data. +Refer to the [How to manage a version](/secret-manager/how-to/manage-version/) documentation page for more information. + ## Enabling a version -Enabling a version is the action of making the data contained within the version accessible for retrieval by authorized users and applications. This allows you to manage access to your data and control which versions are accessible, at any time. +Enabling a version is the action of making the data contained within the version accessible for retrieval by authrized users and applications. This allows you to manage access to your data and control which versions are accessible, at any time. + +Refer to the [How to manage a version](/secret-manager/how-to/manage-version/) documentation page for more information. ## Ephemerality properties 
@@ -90,20 +94,7 @@ This ensures the protection of critical information against accidental deletion ## Secret types -Secret types refer to the different kinds of sensitive data you can store with Secret Manager. Using secret types guarantees that all mandatory fields are present, facilitates the application of specific policies, and enhances integration with other products. The following secret types are available: - -- **Opaque**: this secret type is used for storing any kind of sensitive data. By default, secrets are opaque. - -- **Database credentials**: this secret type is used to securely store and manage the credentials required for accessing a database. These credentials include a **username**, a **password**, and other relevant information such as the **engine**, the **host**, the **database name**, and **port**. - -- **SSH key**: this secret type is used to store and manage SSH keys, which are used for authenticating and establishing secure connections between clients and servers over the SSH (Secure Shell) protocol. SSH keys are a pair of cryptographic keys – a private key and a public key – used to authenticate a user or service without requiring a password. With Secret Manager, only your **SSH key's private key** is required. - -- **SSL/TLS certificate**: this secret type is used to store and manage SSL/TLS certificates, which are used to establish secure, encrypted connections between clients and servers over the internet. - -- **Key/value**: this secret type is used to store and manage secrets in a simple dictionary-like structure, where each secret is represented as a key-value pair. - -- **Username/password**: this secret type is used for authentication purposes. It typically includes two pieces of information: **a username** and a corresponding **password**. These credentials are used to authenticate a user or service to access a particular system, application, or resource. 
- +Secret types refer to the different kinds of sensitive data you can store with Secret Manager. Using secret types guarantees that all mandatory fields are present, facilitates the application of specific policies, and enhances integration with other products. Refer to the [Understanding secret types](/secret-manager/reference-content/secret-types-json-format/) documentation page for more information on available secret types Upon secret creation, you must choose a secret type that will also be applied to the secret version. All the secret's subsequent versions must be of the same type. @@ -122,3 +113,5 @@ Tags allow you to organize your secrets. This gives you the possibility of sorti ## Version Versions store the data contained in your secret (API keys, passwords, or certificates). Versions can be [**enabled**](#enabling-a-version) or [**disabled**](#disabling-a-version) depending on your usage. Versions must be of the same type as the secret they belong to. + +Refer to the [How to add a version](/secret-manager/how-to/create-version/) documentation page for more information. From c294449c80b44dd34733a06ce1da4bbd40d78c7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Mon, 8 Sep 2025 10:56:38 +0200 Subject: [PATCH 2/2] Update pages/secret-manager/concepts.mdx Co-authored-by: ldecarvalho-doc <82805470+ldecarvalho-doc@users.noreply.github.com> --- pages/secret-manager/concepts.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/secret-manager/concepts.mdx b/pages/secret-manager/concepts.mdx index a99cf23a6e..df05f62519 100644 --- a/pages/secret-manager/concepts.mdx +++ b/pages/secret-manager/concepts.mdx 
@@ -16,7 +16,7 @@ Refer to the [How to manage a version](/secret-manager/how-to/manage-version/) d ## Enabling a version -Enabling a version is the action of making the data contained within the version accessible for retrieval by authrized users and applications. This allows you to manage access to your data and control which versions are accessible, at any time. +Enabling a version is the action of making the data contained within the version accessible for retrieval by authorized users and applications. This allows you to manage access to your data and control which versions are accessible, at any time. Refer to the [How to manage a version](/secret-manager/how-to/manage-version/) documentation page for more information.
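Review bot: in pages/key-manager/concepts.mdx the identical sentence "Refer to the [Understanding Key Manager cryptography](/key-manager/reference-content/cryptographic-details-key-manager/) documentation page for more information." is added three times in one page (after the cryptographic operations list, after the asymmetric algorithm list, and appended to "Key Manager supports symmetric and asymmetric encryption."). One cross-reference per page, or a sentence per section that says what the target adds ("for the encryption scheme used by each operation", "for key-size recommendations"), reads better than three copies of the same line and gives the reader a reason to follow it.

Review bot: the new `### Asymmetric encryption` section in pages/key-manager/reference-content/cryptographic-details-key-manager.mdx repeats the RSA-OAEP-2048/3072/4096-SHA256 list word for word from pages/key-manager/concepts.mdx, while concepts.mdx now points here "for more information" that is not there; keep the algorithm list in one place so the two copies cannot drift when an algorithm is added or deprecated, and have the reference page add what concepts.mdx lacks (for example the padding and hash parameters, or why 3072 is the recommended size). Two smaller points in the same hunk: the section is appended below the Tink integration links, which read as a further-reading list, so it probably belongs above them; and the file now ends with "\ No newline at end of file". While touching this block, the unchanged context line "- [Ting Go integration]" should read "Tink Go integration".

Review bot: "authrized" in the `## Enabling a version` hunk of pages/secret-manager/concepts.mdx is introduced by PATCH 1/2 and corrected by PATCH 2/2; squash the second commit into the first so the series does not add and then fix a typo in the same sentence.

Review bot: the replacement sentence in the `## Secret types` hunk of pages/secret-manager/concepts.mdx is missing its full stop: "...for more information on available secret types" runs straight into the next paragraph "Upon secret creation, you must choose a secret type...". Separately, the removed list carried a constraint that matters when creating an SSH-key secret ("With Secret Manager, only your **SSH key's private key** is required"); this diff does not touch /secret-manager/reference-content/secret-types-json-format/, so please confirm that page states it, otherwise the detail is lost by the move.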