diff --git a/rfc/external-kms.md b/rfc/external-kms.md index 9ac3bebfb..8c826659e 100644 --- a/rfc/external-kms.md +++ b/rfc/external-kms.md @@ -43,7 +43,7 @@ After successful attestation the CLI will provide a disk decryption key and meas The measurement secret, together with a measurement salt (not secret) is used to derive the clusterID. *Changes for eKMS; regarding disk decryption:* -* Recovery server accepts one KMS URI and one storage URI instead of a masterSecret. +* Recovery server accepts KMS URI, storage URI and kms/storage IAM secret instead of a masterSecret. During normal operation the KMS service has access to the IAM secrets through a mounted k8s secret. This secret is not available during initramfs. * For eKMS backends the two URIs can be used directly to request new DEKs. * For the cKMS backend the KMS URI can include an optional parameter that holds the masterSecret: `kms://cluster-kms?masterSecret=`.
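Review bot: The added bullet in this hunk says the recovery server now accepts the kms/storage IAM secret in place of the masterSecret, but it does not say how that secret is protected once it leaves the CLI. The surrounding context states the CLI hands over material only "After successful attestation", so the RFC should state explicitly that the IAM secret is sent over that attested channel and that it is held in memory only during initramfs (the next sentence already notes the mounted k8s secret is unavailable there), not written to disk. Two smaller points: "kms/storage IAM secret" (singular) and "IAM secrets" (plural) in the same bullet leave unclear whether one credential covers both the KMS and the storage backend or two are exchanged; pick one wording. And the unchanged context line `kms://cluster-kms?masterSecret=` carries the masterSecret as a URI query parameter, which tends to end up in logs and error messages; if that line is kept, a sentence requiring the URI to be redacted before logging would be worth adding here.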