diff --git a/macros/key-manager/plaintext-vs-ciphertext.mdx b/macros/key-manager/plaintext-vs-ciphertext.mdx index 927a2618bf..bb90d833c6 100644 --- a/macros/key-manager/plaintext-vs-ciphertext.mdx +++ b/macros/key-manager/plaintext-vs-ciphertext.mdx @@ -2,12 +2,10 @@ macro: key-manager-plaintext-vs-ciphertext --- - - ## What is the difference between ciphertext and plaintext? - **Ciphertext** refers to data that has been encrypted using a cryptographic algorithm and a key. - Ciphertext can be encrypted on the client side as long as the encryption key used for encryption is safely stored (in a Key Manager, for example). - Unlike plaintext, ciphertext is not human-readable and cannot be understood or used without first decrypting it with the appropriate decryption key. + + ### What is the difference between ciphertext and plaintext? - **Plaintext** refers to unencrypted, readable data. In the context of key management, plaintext often refers to cryptographic keys or sensitive data that are stored or transmitted in an unencrypted form. This term is often used in contrast to ciphertext, which is data that has been encrypted and is not readable without decryption. - + [Ciphertext](/key-manager/concepts/#ciphertext) refers to data that has been encrypted using a cryptographic algorithm and a key. + [Plaintext](/key-manager/concepts/#plaintext) refers to unencrypted, readable data. + diff --git a/pages/key-manager/api-cli/sign-verify-key-with-go-sdk.mdx b/pages/key-manager/api-cli/sign-verify-key-with-go-sdk.mdx index c4011f5961..5e98184e5d 100644 --- a/pages/key-manager/api-cli/sign-verify-key-with-go-sdk.mdx +++ b/pages/key-manager/api-cli/sign-verify-key-with-go-sdk.mdx @@ -3,7 +3,7 @@ title: Managing signatures using the Scaleway Go SDK and Key Manager description: Learn how to create and validate signatures using Key Manager with the Scaleway Go SDK. tags: key sensitive-data signature verification sign verify digest dates: - validation: 2025-05-27 + validation: 2025-09-15 posted: 2025-05-27 --- @@ -25,56 +25,56 @@ Open a terminal and paste the following commands to export your environment vari ## Creating a signature -```golang -// signAsymmetric signs a plaintext message using a saved asymmetric private key 'ec_p256_sha256' -// stored in Key Manager. -// -// Parameters: -// - keyID: The unique identifier of the asymmetric key stored in Key Manager. -// - message: The plaintext message that needs to be signed. -// -// Returns: -// - err: An error if the signing process fails, otherwise nil. -func signAsymmetric(keyID string, message string) error { - // Initialize the Scaleway client - client, err := scw.NewClient(scw.WithEnv()) - if err != nil { - panic(err) +```go + // signAsymmetric signs a plaintext message using a saved asymmetric private key 'ec_p256_sha256' + // stored in Key Manager. + // + // Parameters: + // - keyID: The unique identifier of the asymmetric key stored in Key Manager. + // - message: The plaintext message that needs to be signed. + // + // Returns: + // - err: An error if the signing process fails, otherwise nil. + func signAsymmetric(keyID string, message string) error { + // Initialize the Scaleway client + client, err := scw.NewClient(scw.WithEnv()) + if err != nil { + panic(err) + } + kmsApi := key_manager.NewAPI(client) + + // Convert the message into bytes. Cryptographic plaintexts and ciphertexts are always byte arrays. + plaintext := []byte(message) + + // Calculate the digest of the message. + // Note: Digest algorithm must match the key algorithm. + // - Use SHA-256 for most algorithms (e.g., RSA_OAEP_3072_SHA256, EC_P256_SHA256). + // - Use SHA-384 **only** for ECC_P384_SHA384. + digest := sha256.New() + if _, err = digest.Write(plaintext); err != nil { + return fmt.Errorf("failed to create digest: %w", err) + } + + // Build the signing request. + req := &key_manager.SignRequest{ + Digest: digest.Sum(nil), + KeyID: keyID, + } + + // Call the API + response, err = kmsApi.Sign(req) + if err != nil { + return fmt.Errorf("failed to sign digest: %w", err) + } + + fmt.Printf("Signed digest: %s", response.Signature) + return nil } - kmsApi := key_manager.NewAPI(client) - - // Convert the message into bytes. Cryptographic plaintexts and ciphertexts are always byte arrays. - plaintext := []byte(message) - - // Calculate the digest of the message. - // Note: Digest algorithm must match the key algorithm. - // - Use SHA-256 for most algorithms (e.g., RSA_OAEP_3072_SHA256, EC_P256_SHA256). - // - Use SHA-384 **only** for ECC_P384_SHA384. - digest := sha256.New() - if _, err = digest.Write(plaintext); err != nil { - return fmt.Errorf("failed to create digest: %w", err) - } - - // Build the signing request. - req := &key_manager.SignRequest{ - Digest: digest.Sum(nil), - KeyID: keyID, - } - - // Call the API - response, err = kmsApi.Sign(req) - if err != nil { - return fmt.Errorf("failed to sign digest: %w", err) - } - - fmt.Printf("Signed digest: %s", response.Signature) - return nil -} ``` ## Validating the signature -```golang +```go // verifyAsymmetricSignature verifies that an 'ec_p256_sha256' signature is valid for a given message. // // Parameters: diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx index 2ad5b1a154..91a76810e8 100644 --- a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx @@ -3,7 +3,7 @@ title: Understanding Key Manager cryptography description: This page describes the cryptographic mechanisms used by Scaleway Key Manager, in accordance with ANSSI-PA-079 recommendations. tags: key-manager security dates: - validation: 2025-05-23 + validation: 2025-09-15 posted: 2025-05-23 --- @@ -53,7 +53,7 @@ To reduce the risk of key overuse, plaintext payloads are limited to a maximum s Scaleway provides Tink integrations for Go and Python, which is the preferred integration method. - [Tink Python integration](https://github.com/scaleway/tink-py-scwkms) - - [Ting Go integration](https://github.com/scaleway/tink-go-scwkms) + - [Tink Go integration](https://github.com/scaleway/tink-go-scwkms) ### Asymmetric encryption