AB#1943 Extract KMS package (#56)

* Extract kmsapi from coordinator

* Add kmsapi cmd server

cli/proto/client.go

@@ -6,9 +6,9 @@ import (
 	"io"
 
 	"github.com/edgelesssys/constellation/coordinator/atls"
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/state"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"

coordinator/coordinator_test.go

@@ -12,7 +12,6 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/atls"
 	"github.com/edgelesssys/constellation/coordinator/attestation/simulator"
 	"github.com/edgelesssys/constellation/coordinator/core"
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/pubapi"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
@@ -22,6 +21,7 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/util/testdialer"
 	"github.com/edgelesssys/constellation/coordinator/vpnapi"
 	"github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

coordinator/core/core.go

@@ -12,7 +12,6 @@ import (
 	"github.com/edgelesssys/constellation/cli/file"
 	"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
 	"github.com/edgelesssys/constellation/coordinator/config"
-	kmsSetup "github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/nodestate"
 	"github.com/edgelesssys/constellation/coordinator/role"
 	"github.com/edgelesssys/constellation/coordinator/state"
@@ -20,6 +19,7 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/storewrapper"
 	"github.com/edgelesssys/constellation/coordinator/util"
 	"github.com/edgelesssys/constellation/kms/kms"
+	kmsSetup "github.com/edgelesssys/constellation/kms/server/setup"
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
 )

coordinator/core/core_test.go

@@ -9,7 +9,6 @@ import (
 	"github.com/edgelesssys/constellation/cli/file"
 	"github.com/edgelesssys/constellation/coordinator/attestation/simulator"
 	"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/nodestate"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/role"
@@ -17,6 +16,7 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/store"
 	"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
 	"github.com/edgelesssys/constellation/coordinator/util/testdialer"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

coordinator/core/legacy_test.go

@@ -12,13 +12,13 @@ import (
 	"github.com/edgelesssys/constellation/cli/file"
 	"github.com/edgelesssys/constellation/coordinator/atls"
 	"github.com/edgelesssys/constellation/coordinator/attestation/simulator"
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/pubapi"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/state"
 	"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
 	"github.com/edgelesssys/constellation/coordinator/vpnapi"
 	"github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

coordinator/core/reinitialize_test.go

@@ -7,12 +7,12 @@ import (
 
 	"github.com/edgelesssys/constellation/cli/file"
 	"github.com/edgelesssys/constellation/coordinator/atls"
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/role"
 	"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
 	"github.com/edgelesssys/constellation/coordinator/util/testdialer"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

coordinator/pubapi/coord_test.go

@@ -12,7 +12,6 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/atls"
 	"github.com/edgelesssys/constellation/coordinator/attestation/vtpm"
 	"github.com/edgelesssys/constellation/coordinator/core"
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/oid"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
@@ -20,6 +19,7 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/state"
 	"github.com/edgelesssys/constellation/coordinator/util/grpcutil"
 	"github.com/edgelesssys/constellation/coordinator/util/testdialer"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/edgelesssys/constellation/state/keyservice/keyproto"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

coordinator/pubapi/core.go

@@ -3,10 +3,10 @@ package pubapi
 import (
 	"context"
 
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/role"
 	"github.com/edgelesssys/constellation/coordinator/state"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
 )
 

coordinator/pubapi/core_test.go

@@ -5,10 +5,10 @@ import (
 	"errors"
 	"net/netip"
 
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/role"
 	"github.com/edgelesssys/constellation/coordinator/state"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
 )
 

coordinator/storewrapper/storewrapper.go

@@ -8,10 +8,10 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/state"
 	"github.com/edgelesssys/constellation/coordinator/store"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
 )
 

go.mod

@@ -103,6 +103,12 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
+require (
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/onsi/gomega v1.17.0 // indirect
+)
+
 require (
 	cloud.google.com/go v0.100.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v0.9.1 // indirect

go.sum

@@ -595,8 +595,9 @@ github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVB
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
+github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
 github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o=
@@ -1150,8 +1151,9 @@ github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0=
 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
-github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
+github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
@@ -1161,8 +1163,9 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
-github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU=
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
+github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
+github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=

internal/constants/constants.go

@@ -33,7 +33,8 @@ const (
 	//
 	// Cryptographic constants.
 	//
-	StateDiskKeyLength = 32
+	StateDiskKeyLength      = 32
+	DerivedKeyLengthDefault = 32
 
 	//
 	// CLI.
@@ -47,7 +48,7 @@ const (
 	//
 
 	// KubernetesVersion installed by kubeadm.
-	KubernetesVersion = "stable-1.23"
+	KubernetesVersion      = "stable-1.23"
 	KubernetesJoinTokenTTL = 15 * time.Minute
 )
 

kms/kms/cluster/cluster.go

@@ -1,4 +1,4 @@
-package kms
+package cluster
 
 import (
 	"context"

kms/kms/cluster/cluster_test.go

@@ -1,4 +1,4 @@
-package kms
+package cluster
 
 import (
 	"context"

kms/server/cmd/main.go

@@ -0,0 +1,52 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"net"
+
+	"github.com/edgelesssys/constellation/coordinator/util"
+	"github.com/edgelesssys/constellation/kms/server/kmsapi"
+	"github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+	"github.com/edgelesssys/constellation/kms/server/setup"
+	"go.uber.org/zap"
+
+	"google.golang.org/grpc"
+)
+
+func main() {
+	port := flag.String("p", "9000", "Port gRPC server listens on")
+	flag.Parse()
+
+	// TODO: Get masterSecret from Constellation CLI / after activation from cluster.
+	masterKey, err := util.GenerateRandomBytes(32)
+	if err != nil {
+		log.Fatalf("Failed to generate key: %v", err)
+	}
+
+	conKMS, err := setup.SetUpKMS(context.Background(), setup.NoStoreURI, setup.ClusterKMSURI)
+	if err != nil {
+		log.Fatalf("Failed to setup KMS: %v", err)
+	}
+
+	if err := conKMS.CreateKEK(context.Background(), "Constellation", masterKey); err != nil {
+		log.Fatalf("Failed to create KMS KEK from MasterKey: %v", err)
+	}
+
+	lis, err := net.Listen("tcp", net.JoinHostPort("0.0.0.0", *port))
+	if err != nil {
+		log.Fatalf("Failed to listen: %v", err)
+	}
+
+	srv := kmsapi.New(&zap.Logger{}, conKMS)
+
+	// TODO: Launch server with aTLS to allow attestation for clients.
+	grpcServer := grpc.NewServer()
+
+	kmsproto.RegisterAPIServer(grpcServer, srv)
+
+	if err := grpcServer.Serve(lis); err != nil {
+		log.Fatalf("Failed to serve: %s", err)
+	}
+}

kms/server/kmsapi/kmsapi.go

@@ -0,0 +1,46 @@
+// Package kmsapi implements an API to manage encryption keys.
+package kmsapi
+
+import (
+	"context"
+
+	"github.com/edgelesssys/constellation/kms/kms"
+	"github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+	"go.uber.org/zap"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// API resembles an encryption key management api server through logger, CloudKMS and proto-unimplemented server.
+type API struct {
+	logger *zap.Logger
+	conKMS kms.CloudKMS
+	kmsproto.UnimplementedAPIServer
+}
+
+// New creates a new API.
+func New(logger *zap.Logger, conKMS kms.CloudKMS) *API {
+	return &API{
+		logger: logger,
+		conKMS: conKMS,
+	}
+}
+
+// GetDataKey returns a data key.
+func (a *API) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) (*kmsproto.GetDataKeyResponse, error) {
+	// Error on 0 key length
+	if in.Length == 0 {
+		return nil, status.Error(codes.InvalidArgument, "can't derive key with length zero")
+	}
+
+	// Error on empty DataKeyId
+	if in.DataKeyId == "" {
+		return nil, status.Error(codes.InvalidArgument, "no data key id specified")
+	}
+
+	key, err := a.conKMS.GetDEK(ctx, "Constellation", "key-"+in.DataKeyId, int(in.Length))
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "%v", err)
+	}
+	return &kmsproto.GetDataKeyResponse{DataKey: key}, nil
+}

kms/server/kmsapi/kmsapi_test.go

@@ -0,0 +1,58 @@
+package kmsapi
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap/zaptest"
+)
+
+func TestGetDataKey(t *testing.T) {
+	assert := assert.New(t)
+	require := require.New(t)
+
+	kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}}
+	api := New(zaptest.NewLogger(t), kms)
+
+	res, err := api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
+	require.NoError(err)
+	assert.Equal(kms.derivedKey, res.DataKey)
+
+	// Test no data key id
+	res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{Length: 32})
+	require.Error(err)
+	assert.Nil(res)
+
+	// Test no / zero key length
+	res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1"})
+	require.Error(err)
+	assert.Nil(res)
+
+	// Test derive key error
+	api = New(zaptest.NewLogger(t), &stubKMS{deriveKeyErr: errors.New("error")})
+	res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
+	assert.Error(err)
+	assert.Nil(res)
+}
+
+type stubKMS struct {
+	masterKey    []byte
+	derivedKey   []byte
+	deriveKeyErr error
+}
+
+func (c *stubKMS) CreateKEK(ctx context.Context, keyID string, kek []byte) error {
+	c.masterKey = kek
+	return nil
+}
+
+func (c *stubKMS) GetDEK(ctx context.Context, kekID string, dekID string, dekSize int) ([]byte, error) {
+	if c.deriveKeyErr != nil {
+		return nil, c.deriveKeyErr
+	}
+	return c.derivedKey, nil
+}

kms/server/kmsapi/kmsproto/kmsapi.pb.go

@@ -0,0 +1,226 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0-devel
+// 	protoc        v3.14.0
+// source: kmsproto/kmsapi.proto
+
+package kmsproto
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type GetDataKeyRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	DataKeyId string `protobuf:"bytes,1,opt,name=data_key_id,json=dataKeyId,proto3" json:"data_key_id,omitempty"`
+	Length    uint32 `protobuf:"varint,2,opt,name=length,proto3" json:"length,omitempty"`
+}
+
+func (x *GetDataKeyRequest) Reset() {
+	*x = GetDataKeyRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_kmsproto_kmsapi_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetDataKeyRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetDataKeyRequest) ProtoMessage() {}
+
+func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_kmsproto_kmsapi_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetDataKeyRequest.ProtoReflect.Descriptor instead.
+func (*GetDataKeyRequest) Descriptor() ([]byte, []int) {
+	return file_kmsproto_kmsapi_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *GetDataKeyRequest) GetDataKeyId() string {
+	if x != nil {
+		return x.DataKeyId
+	}
+	return ""
+}
+
+func (x *GetDataKeyRequest) GetLength() uint32 {
+	if x != nil {
+		return x.Length
+	}
+	return 0
+}
+
+type GetDataKeyResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	DataKey []byte `protobuf:"bytes,1,opt,name=data_key,json=dataKey,proto3" json:"data_key,omitempty"`
+}
+
+func (x *GetDataKeyResponse) Reset() {
+	*x = GetDataKeyResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_kmsproto_kmsapi_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetDataKeyResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetDataKeyResponse) ProtoMessage() {}
+
+func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_kmsproto_kmsapi_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetDataKeyResponse.ProtoReflect.Descriptor instead.
+func (*GetDataKeyResponse) Descriptor() ([]byte, []int) {
+	return file_kmsproto_kmsapi_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *GetDataKeyResponse) GetDataKey() []byte {
+	if x != nil {
+		return x.DataKey
+	}
+	return nil
+}
+
+var File_kmsproto_kmsapi_proto protoreflect.FileDescriptor
+
+var file_kmsproto_kmsapi_proto_rawDesc = []byte{
+	0x0a, 0x15, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6b, 0x6d, 0x73, 0x61, 0x70,
+	0x69, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x22,
+	0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79,
+	0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, 0x4b,
+	0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, 0x12,
+	0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x4a, 0x0a,
+	0x03, 0x41, 0x50, 0x49, 0x12, 0x43, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b,
+	0x65, 0x79, 0x12, 0x19, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x44,
+	0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1a, 0x2e,
+	0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65,
+	0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, 0x74,
+	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73,
+	0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x2f, 0x6b, 0x6d, 0x73, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x6b, 0x6d, 0x73,
+	0x61, 0x70, 0x69, 0x2f, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_kmsproto_kmsapi_proto_rawDescOnce sync.Once
+	file_kmsproto_kmsapi_proto_rawDescData = file_kmsproto_kmsapi_proto_rawDesc
+)
+
+func file_kmsproto_kmsapi_proto_rawDescGZIP() []byte {
+	file_kmsproto_kmsapi_proto_rawDescOnce.Do(func() {
+		file_kmsproto_kmsapi_proto_rawDescData = protoimpl.X.CompressGZIP(file_kmsproto_kmsapi_proto_rawDescData)
+	})
+	return file_kmsproto_kmsapi_proto_rawDescData
+}
+
+var file_kmsproto_kmsapi_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_kmsproto_kmsapi_proto_goTypes = []interface{}{
+	(*GetDataKeyRequest)(nil),  // 0: pubapi.GetDataKeyRequest
+	(*GetDataKeyResponse)(nil), // 1: pubapi.GetDataKeyResponse
+}
+var file_kmsproto_kmsapi_proto_depIdxs = []int32{
+	0, // 0: pubapi.API.GetDataKey:input_type -> pubapi.GetDataKeyRequest
+	1, // 1: pubapi.API.GetDataKey:output_type -> pubapi.GetDataKeyResponse
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_kmsproto_kmsapi_proto_init() }
+func file_kmsproto_kmsapi_proto_init() {
+	if File_kmsproto_kmsapi_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_kmsproto_kmsapi_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetDataKeyRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_kmsproto_kmsapi_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetDataKeyResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_kmsproto_kmsapi_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_kmsproto_kmsapi_proto_goTypes,
+		DependencyIndexes: file_kmsproto_kmsapi_proto_depIdxs,
+		MessageInfos:      file_kmsproto_kmsapi_proto_msgTypes,
+	}.Build()
+	File_kmsproto_kmsapi_proto = out.File
+	file_kmsproto_kmsapi_proto_rawDesc = nil
+	file_kmsproto_kmsapi_proto_goTypes = nil
+	file_kmsproto_kmsapi_proto_depIdxs = nil
+}

kms/server/kmsapi/kmsproto/kmsapi.proto

@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package kmsapi;
+
+option go_package = "github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto";
+
+service API {
+    rpc GetDataKey(GetDataKeyRequest) returns (GetDataKeyResponse);
+}
+
+message GetDataKeyRequest {
+    string data_key_id = 1;
+    uint32 length = 2;
+}
+
+message GetDataKeyResponse {
+    bytes data_key = 1;
+}

kms/server/kmsapi/kmsproto/kmsapi_grpc.pb.go

@@ -0,0 +1,101 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+
+package kmsproto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// APIClient is the client API for API service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type APIClient interface {
+	GetDataKey(ctx context.Context, in *GetDataKeyRequest, opts ...grpc.CallOption) (*GetDataKeyResponse, error)
+}
+
+type aPIClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewAPIClient(cc grpc.ClientConnInterface) APIClient {
+	return &aPIClient{cc}
+}
+
+func (c *aPIClient) GetDataKey(ctx context.Context, in *GetDataKeyRequest, opts ...grpc.CallOption) (*GetDataKeyResponse, error) {
+	out := new(GetDataKeyResponse)
+	err := c.cc.Invoke(ctx, "/pubapi.API/GetDataKey", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// APIServer is the server API for API service.
+// All implementations must embed UnimplementedAPIServer
+// for forward compatibility
+type APIServer interface {
+	GetDataKey(context.Context, *GetDataKeyRequest) (*GetDataKeyResponse, error)
+	mustEmbedUnimplementedAPIServer()
+}
+
+// UnimplementedAPIServer must be embedded to have forward compatible implementations.
+type UnimplementedAPIServer struct {
+}
+
+func (UnimplementedAPIServer) GetDataKey(context.Context, *GetDataKeyRequest) (*GetDataKeyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetDataKey not implemented")
+}
+func (UnimplementedAPIServer) mustEmbedUnimplementedAPIServer() {}
+
+// UnsafeAPIServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to APIServer will
+// result in compilation errors.
+type UnsafeAPIServer interface {
+	mustEmbedUnimplementedAPIServer()
+}
+
+func RegisterAPIServer(s grpc.ServiceRegistrar, srv APIServer) {
+	s.RegisterService(&API_ServiceDesc, srv)
+}
+
+func _API_GetDataKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetDataKeyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(APIServer).GetDataKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/pubapi.API/GetDataKey",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(APIServer).GetDataKey(ctx, req.(*GetDataKeyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// API_ServiceDesc is the grpc.ServiceDesc for API service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var API_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "pubapi.API",
+	HandlerType: (*APIServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetDataKey",
+			Handler:    _API_GetDataKey_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "kmsproto/kmsapi.proto",
+}

kms/server/setup/setup.go

@@ -1,4 +1,4 @@
-package kms
+package setup
 
 import (
 	"context"
@@ -9,6 +9,7 @@ import (
 	"github.com/edgelesssys/constellation/kms/kms"
 	"github.com/edgelesssys/constellation/kms/kms/aws"
 	"github.com/edgelesssys/constellation/kms/kms/azure"
+	"github.com/edgelesssys/constellation/kms/kms/cluster"
 	"github.com/edgelesssys/constellation/kms/kms/gcp"
 	"github.com/edgelesssys/constellation/kms/storage"
 	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
@@ -122,7 +123,7 @@ func getKMS(ctx context.Context, kmsURI string, store kms.Storage) (kms.CloudKMS
 		return gcp.New(ctx, project, location, keyRing, store, kmspb.ProtectionLevel(protectionLvl))
 
 	case "cluster-kms":
-		return &ClusterKMS{}, nil
+		return &cluster.ClusterKMS{}, nil
 
 	default:
 		return nil, fmt.Errorf("unknown KMS type: %s", uri.Host)

kms/server/setup/setup_test.go

@@ -1,4 +1,4 @@
-package kms
+package setup
 
 import (
 	"context"

proto/Dockerfile.gen-proto

@@ -44,9 +44,15 @@ WORKDIR /service
 COPY debugd/service/*.proto /service
 RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
 
+## key management
+WORKDIR /kms
+COPY kms/server/kmsapi/kmsproto/*.proto /kms
+RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
+
 
 FROM scratch as export
 COPY --from=build /pubapi/*.go coordinator/pubapi/pubproto/
 COPY --from=build /vpnapi/*.go coordinator/vpnapi/vpnproto/
 COPY --from=build /disk-mapper/*.go state/keyservice/keyproto/
 COPY --from=build /service/*.go debugd/service/
+COPY --from=build /kms/*.go kms/server/kmsproto/

test/coordinator_integration_test.go

@@ -23,11 +23,11 @@ import (
 	"github.com/docker/go-connections/nat"
 	"github.com/edgelesssys/constellation/coordinator/atls"
 	"github.com/edgelesssys/constellation/coordinator/core"
-	"github.com/edgelesssys/constellation/coordinator/kms"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/role"
 	"github.com/edgelesssys/constellation/coordinator/store"
 	"github.com/edgelesssys/constellation/coordinator/storewrapper"
+	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"