Skip to content

Commit

Permalink
backport of commit 7bdc25c
Browse files Browse the repository at this point in the history
  • Loading branch information
Dan-Heath committed Oct 14, 2024
1 parent 4228295 commit 6b2056f
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions website/content/docs/concepts/security/data-encryption.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ and the various DEKs (Data Encryption Keys) are created when a scope is created.
The DEKs are encrypted with the scope's `root` KEK, and this is in turn
encrypted with the KMS key marked for the `root` purpose.

You can configure `root` KMS keys for self-managed, Enterprise or Community edition deployments.
You can configure `root` KMS keys for self-managed Enterprise or Community edition deployments.

The current scoped DEKs and their purposes are detailed below:

Expand Down Expand Up @@ -122,7 +122,7 @@ the `previous-root` KMS key to your configuration informs the Controller to use
it for decrypting the existing information in the database, allowing you to
rotate and rewrap the KEKs to complete the migration to the new root key.

You can configure `previous-root` KMS keys for self-managed, Enterprise or Community edition deployments.
You can configure `previous-root` KMS keys for self-managed Enterprise or Community edition deployments.

## The `worker-auth` KMS key

Expand All @@ -132,6 +132,9 @@ found on the [Connections/TLS page](/boundary/docs/concepts/security/connections
a worker is registered with [worker-led or controller-led
methods](/boundary/docs/configuration/worker/worker-configuration) this is unnecessary.

You can configure `worker-auth` KMS keys for HCP, Enterprise, and Community edition deployments.
However, you cannot configure `worker-auth` keys for the first set of workers that connect to your HCP workers.

## The `recovery` KMS key

The `recovery` KMS key is used for rescue/recovery operations that can be used
Expand All @@ -144,7 +147,7 @@ cannot be replayed by an adversary, and also to ensure that each operation must
be individually authenticated by a client so that revoking access to the KMS has
an immediate result.

You can configure `recovery` KMS keys for self-managed, Enterprise or Community edition deployments.
You can configure `recovery` KMS keys for self-managed Enterprise or Community edition deployments.

<Note>

Expand Down Expand Up @@ -185,4 +188,4 @@ with access to that KMS can decrypt the values. Boundary will check for a
`config` KMS block on startup, and if it exists, will use it to decrypt any
encrypted values found at startup time.

You can configure `config` KMS keys for self-managed, Enterprise or Community edition deployments.
You can configure `config` KMS keys for self-managed Enterprise or Community edition deployments.

0 comments on commit 6b2056f

Please sign in to comment.