External secrets - Fortanix SDKMS support #22
Merged
Conversation
zugzwang commented on May 18, 2021:
Add the openpgp::crypto::secrets module that allows selection between in-memory keys and keys stored externally. The Secret enum can be either a KeyPair or an external agent, both implementing the Signer and Decryptor traits. The openpgp::crypto::sdkms module implements a Secret for keys stored in the Fortanix SDKMS, and reachable through the API. Also, allow `sq` to select SDKMS keys for operations (commands key generate, key extract-cert, sign, decrypt, encrypt --signer-cert).
Use the http_proxy and no_proxy conventions, i.e., the proxy is determined by the http_proxy env variable, and is used only if the API endpoint is not excluded by the no_proxy variable.
raoulstrackx approved these changes on May 28, 2021.
zugzwang added a commit that referenced this pull request on Dec 22, 2021:

* External secrets - Fortanix SDKMS support

  Add the openpgp::crypto::secrets module that allows selection between in-memory keys and keys stored externally. The Secret enum can be either a KeyPair or an external agent, both implementing the Signer and Decryptor traits. The openpgp::crypto::sdkms module implements a Secret for keys stored in the Fortanix SDKMS, and reachable through the API. Also, allow `sq` to select SDKMS keys for operations (commands key generate, key extract-cert, sign, decrypt, encrypt --signer-cert).

* Update README
* Proxy support (http_proxy and no_proxy env vars)

  Use the http_proxy and no_proxy conventions, i.e., the proxy is determined by the http_proxy env variable, and is used only if the API endpoint is not excluded by the no_proxy variable.

* Address reviewer comments (part I)
* Shadow unnecessary variables
* openpgp-sdkms crate, and Secret enum in sq/
* Fix shell warnings (sq/tests/sdkms.sh)
* Don't require no_proxy when using http_proxy
* Abstract over in-memory and SDKMS secrets
* openpgp-sdkms: RustFmt (and .rustfmt.toml)
* Store custom metadata in JSON format
* Split parameters in function signatures
* Remove version from JSON
Add the openpgp::crypto::secrets module that allows selection between in-memory keys and keys stored externally. The Secret enum can be either a KeyPair or an external agent, both implementing the Signer and Decryptor traits.

The openpgp_sdkms crate implements a Secret variant for keys stored inside Fortanix SDKMS, and reachable through the API.

Also, allow `sq` to select SDKMS keys for operations (commands key generate, key extract-cert, sign, decrypt, encrypt --signer-cert).
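The two descriptions on this page (the opening comment and the pull request body) both describe the same design: an enum that is either an in-memory key pair or a handle to a key held by an external service, with callers only ever seeing the Signer trait, plus the http_proxy/no_proxy rule for reaching the service. The following is an added example written for this page, not code from the pull request, from Sequoia or from openpgp-sdkms. Only the trait name Signer is taken from the description; KeyService, MockService, ExternalAgent's fields, proxy_for, the toy signing function and the exact no_proxy matching rules (comma-separated entries, "*" bypasses everything, an entry matches a host and its subdomains, case-insensitive) are assumptions of the example. The security-relevant property it models is that the External variant holds only an endpoint and a key id, so the secret bytes never enter the process that asks for a signature.

```rust
// Added example for this page, not code from the PR, Sequoia or
// openpgp-sdkms: a minimal model of the design described above. Only the
// trait name Signer comes from the description; KeyService, MockService,
// proxy_for and the no_proxy matching rules are assumptions of this example.
use std::collections::HashMap;

/// Anything that can sign for a key, wherever that key lives.
pub trait Signer {
    fn sign(&self, message: &[u8]) -> Result<Vec<u8>, String>;
}

/// In-memory key pair: the secret bytes are inside this process.
pub struct KeyPair {
    pub secret: Vec<u8>,
}

impl Signer for KeyPair {
    /// Placeholder for the real algorithm: a keyed checksum so the example
    /// runs offline. Not a real OpenPGP signature.
    fn sign(&self, message: &[u8]) -> Result<Vec<u8>, String> {
        let mut acc: u32 = 0;
        for (i, b) in self.secret.iter().chain(message).enumerate() {
            acc = acc.wrapping_mul(31).wrapping_add(u32::from(*b) ^ i as u32);
        }
        Ok(acc.to_be_bytes().to_vec())
    }
}

/// The remote side of an external agent: the service that holds the key.
pub trait KeyService {
    fn sign_with(&self, key_id: &str, message: &[u8]) -> Result<Vec<u8>, String>;
}

/// Stand-in for the SDKMS API so the example needs no network.
pub struct MockService {
    pub keys: HashMap<String, KeyPair>,
}

impl KeyService for MockService {
    fn sign_with(&self, key_id: &str, message: &[u8]) -> Result<Vec<u8>, String> {
        match self.keys.get(key_id) {
            Some(k) => k.sign(message),
            None => Err(format!("unknown key id {}", key_id)),
        }
    }
}

/// External agent: this process holds only an endpoint and a key handle;
/// the secret bytes never enter its memory.
pub struct ExternalAgent {
    pub endpoint_host: String,
    pub key_id: String,
    pub service: Box<dyn KeyService>,
}

/// The selector from the description: callers only ever see a Signer.
pub enum Secret {
    Local(KeyPair),
    External(ExternalAgent),
}

impl Signer for Secret {
    fn sign(&self, message: &[u8]) -> Result<Vec<u8>, String> {
        match self {
            Secret::Local(k) => k.sign(message),
            Secret::External(a) => a.service.sign_with(&a.key_id, message),
        }
    }
}

impl Secret {
    /// Proxy needed to reach this secret, if any; local keys need none.
    pub fn proxy(&self, http_proxy: Option<&str>, no_proxy: Option<&str>) -> Option<String> {
        match self {
            Secret::Local(_) => None,
            Secret::External(a) => proxy_for(&a.endpoint_host, http_proxy, no_proxy),
        }
    }
}

/// http_proxy / no_proxy decision. Assumed convention: comma separated
/// entries, "*" bypasses everything, an entry matches the host itself and
/// its subdomains, comparison is case-insensitive, no_proxy may be unset.
pub fn proxy_for(host: &str, http_proxy: Option<&str>, no_proxy: Option<&str>) -> Option<String> {
    let proxy = http_proxy.map(str::trim).filter(|p| !p.is_empty())?;
    let host = host.trim().trim_end_matches('.').to_ascii_lowercase();
    let bypassed = no_proxy
        .unwrap_or("")
        .split(',')
        .map(|e| e.trim().to_ascii_lowercase())
        .filter(|e| !e.is_empty())
        .any(|e| {
            let e = e.trim_start_matches('.');
            e == "*" || host == e || host.ends_with(&format!(".{}", e))
        });
    if bypassed { None } else { Some(proxy.to_string()) }
}
```

In a real deployment the two proxy arguments would come from `std::env::var("http_proxy")` and `std::env::var("no_proxy")`; keeping them as parameters makes the decision testable, and an absent no_proxy simply means nothing is bypassed, which is the behaviour the "Don't require no_proxy when using http_proxy" commit asks for.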