rfc: mention required iam secrets for recovery

Otto Bittner 2023-01-11 09:34:32 +01:00
parent e9da70fde9
commit b89a30130f

@ -43,7 +43,7 @@ After successful attestation the CLI will provide a disk decryption key and meas
The measurement secret, together with a measurement salt (not secret) is used to derive the clusterID.
*Changes for eKMS; regarding disk decryption:*
* Recovery server accepts one KMS URI and one storage URI instead of a masterSecret.
* Recovery server accepts KMS URI, storage URI and kms/storage IAM secret instead of a masterSecret. During normal operation the KMS service has access to the IAM secrets through a mounted k8s secret. This secret is not available during initramfs.
* For eKMS backends the two URIs can be used directly to request new DEKs.
* For the cKMS backend the KMS URI can include an optional parameter that holds the masterSecret: `kms://cluster-kms?masterSecret=<masterSecret>`.
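Review bot: The unchanged bullet that follows the modified one still reads "For eKMS backends the two URIs can be used directly to request new DEKs", which no longer matches the new text, since the recovery server now also needs the IAM secret to reach the KMS and storage backends. Please update that bullet in the same change so it says the URIs are used together with the IAM secret. The new bullet should also state whether "kms/storage IAM secret" means one shared credential or one per backend, and how the recovery server receives it, given that the sentence explains the mounted k8s secret is not available during initramfs but does not say what replaces it. As a style point, "kms/storage" is lowercase here while the rest of the section writes "KMS".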