mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
690b50b29d
* Remove unused package
* Add Go package docs to most packages

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
# KeyService
The KeyService is one of Constellation's Kubernetes components, responsible for distributing keys and secrets to other services.
This includes the JoinService, which contacts the KeyService to derive state disk keys and measurement secrets for newly joining and rejoining nodes,
and Constellation's CSI drivers, which contact the KeyService for disk encryption keys.
The service is not exposed outside the cluster, and should be kept for internal usage only.
## gRPC API
Keys can be requested through a simple gRPC API based on an ID and a key length.
## Backends
The KeyService supports multiple backends to store keys and manage crypto operations.

The default option holds a master secret in memory. Keys are derived on demand from this secret, and not stored anywhere.

Other backends make use of external Key Management Systems (KMS) for key derivation and securing a master secret.
When using an external KMS backend, encrypted keys are stored in cloud buckets.
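The default in-memory backend described above, as an added example that is not Constellation's own code: a key is derived on demand from the master secret given an ID and a key length, and nothing is persisted. Using HKDF-SHA256 (RFC 5869) with the key ID as the "info" input, and the type and function names, are assumptions of this example; the `hkdfSHA256` helper uses only the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)
// MasterSecretBackend models the README's default backend: the master secret
// lives only in memory and every key is derived on demand, never stored.
type MasterSecretBackend struct {
	masterSecret []byte
}

// GetDEK derives a key of `length` bytes for keyID. HKDF-SHA256 with the ID as
// the "info" input is this example's assumption, not Constellation's scheme.
func (b *MasterSecretBackend) GetDEK(keyID string, length int) ([]byte, error) {
	if len(b.masterSecret) == 0 || keyID == "" || length <= 0 || length > 255*sha256.Size {
		return nil, errors.New("missing master secret, empty key ID or bad length")
	}
	// nil salt: HMAC pads an empty key with zeros, matching RFC 5869's default salt.
	return hkdfSHA256(b.masterSecret, nil, []byte(keyID), length), nil
}

// hkdfSHA256 is HKDF extract+expand (RFC 5869) using only the standard library.
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil) // pseudorandom key
	var okm, block []byte
	for counter := byte(1); len(okm) < length; counter++ {
		h := hmac.New(sha256.New, prk)
		h.Write(block) // T(i-1); empty on the first round
		h.Write(info)
		h.Write([]byte{counter})
		block = h.Sum(nil)
		okm = append(okm, block...)
	}
	return okm[:length]
}

func main() { // constructed demo secret; never hard-code one in real code
	b := &MasterSecretBackend{masterSecret: []byte("constructed-demo-master-secret")}
	for _, id := range []string{"state-disk/node-1", "csi/pvc-0042"} {
		key, _ := b.GetDEK(id, 32)
		fmt.Printf("%-18s %s\n", id, hex.EncodeToString(key))
	}
}
```

Because derivation is deterministic, the same ID and length always yield the same key, which is what lets the service hand keys out without storing them.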