Bug #48746: SSE-KMS vault transit: use transit correctly.
Status: closed
Description
The existing logic in rgw to use HashiCorp Vault transit encoding does not make good use of the transit feature. It should be encrypting locally stored secrets. Instead it's being used as a simple key store.

In addition, AWS S3 defines a "x-amz-server-side-encryption-context" that contains data that should perturb the datakey calculation, and HashiCorp Vault transit encoding includes a context parameter that serves the very same purpose. This attribute should be implemented and given to vault.
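The two usage patterns contrasted in the description, written out as an added example (not rgw code and not the code in the linked PR). It is a Python sketch of the Vault transit HTTP exchange: the "simple key store" pattern fetches raw key material via the transit export endpoint, while the intended pattern asks transit for a data key bound to a context derived from the S3 encryption-context header, keeps only the wrapped ciphertext with the object, and hands that ciphertext plus the same context back to transit to unwrap it. The transit mount path, the choice to canonicalize the header's JSON (sorted keys) before using it as the context, the sample header and the sample response are all assumptions of this example.

```python
import base64
import json

TRANSIT_MOUNT = "transit"  # assumption: transit engine mounted at its default path


def s3_context_header(pairs):
    """Build an x-amz-server-side-encryption-context value: base64 of a JSON
    object of key/value pairs. Used here only to construct sample input."""
    return base64.b64encode(json.dumps(pairs).encode()).decode()


# Constructed sample header for the demonstration below.
SAMPLE_S3_CONTEXT_HEADER = s3_context_header(
    {"aws:s3:arn": "arn:aws:s3:::example-bucket/example-object"})


def key_store_pattern(key_name):
    """The pattern the bug describes: pull raw key material out of Vault with
    the export endpoint and do every cryptographic operation locally. Vault
    then acts as nothing more than a key store, and the key needs to be marked
    exportable. Returns (method, path, body)."""
    return ("GET", f"/v1/{TRANSIT_MOUNT}/export/encryption-key/{key_name}", None)


def transit_context_from_s3(header_value):
    """Map the S3 header onto transit's 'context' parameter. Both are base64,
    but the JSON is decoded and re-encoded with sorted keys so that two headers
    describing the same pairs derive the same key. A missing header maps to an
    empty object. The canonicalization is this example's design choice."""
    pairs = json.loads(base64.b64decode(header_value)) if header_value else {}
    canonical = json.dumps(pairs, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(canonical).decode()


def datakey_request(key_name, s3_context_header_value, bits=256):
    """Intended pattern, step 1: ask transit to generate a data key. The
    'plaintext' variant returns the key once (to encrypt the object locally)
    together with the wrapped ciphertext, which is the only thing persisted."""
    body = {"bits": bits,
            "context": transit_context_from_s3(s3_context_header_value)}
    return ("POST", f"/v1/{TRANSIT_MOUNT}/datakey/plaintext/{key_name}", body)


def parse_datakey_response(response_json):
    """Extract (plaintext_key_bytes, wrapped_key) from a transit datakey
    response. Transit ciphertext carries a 'vault:v<N>:' version prefix."""
    data = response_json["data"]
    wrapped = data["ciphertext"]
    if not wrapped.startswith("vault:v"):
        raise ValueError("unexpected transit ciphertext format")
    return base64.b64decode(data["plaintext"]), wrapped


def object_attrs_to_store(wrapped_key, s3_context_header_value):
    """What gets saved alongside the object: the wrapped key and the header
    needed to rebuild the context at read time. Never the plaintext key."""
    return {"wrapped_key": wrapped_key, "sse_context": s3_context_header_value}


def decrypt_request(key_name, wrapped_key, s3_context_header_value):
    """Intended pattern, step 2 (on read): send the wrapped key back to transit
    with the same context; a different context fails to unwrap it."""
    body = {"ciphertext": wrapped_key,
            "context": transit_context_from_s3(s3_context_header_value)}
    return ("POST", f"/v1/{TRANSIT_MOUNT}/decrypt/{key_name}", body)


# Constructed sample response in the shape transit returns for datakey/plaintext.
SAMPLE_DATAKEY_RESPONSE = {
    "data": {
        "plaintext": base64.b64encode(b"\x01" * 32).decode(),
        "ciphertext": "vault:v1:EXAMPLEWRAPPEDKEY",
    }
}


if __name__ == "__main__":
    print("key-store pattern:", key_store_pattern("rgw-key"))
    method, path, body = datakey_request("rgw-key", SAMPLE_S3_CONTEXT_HEADER)
    print("datakey request:", method, path, json.dumps(body))
    key, wrapped = parse_datakey_response(SAMPLE_DATAKEY_RESPONSE)
    print("stored attrs:", object_attrs_to_store(wrapped, SAMPLE_S3_CONTEXT_HEADER))
    print("decrypt request:", decrypt_request("rgw-key", wrapped, SAMPLE_S3_CONTEXT_HEADER))
```

The point of the comparison is visible in the returned requests: the export call is the only one that moves key material to the client, whereas the datakey and decrypt calls move only wrapped ciphertext and the context, so the encryption context from the S3 request is what ties the wrapped key to the object it was issued for.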
Updated by Marcus Watts over 3 years ago
I have a fix in progress for this contained within this set of commits.
https://github.com/ceph/ceph/pull/38605
Updated by Casey Bodley over 3 years ago
- Status changed from New to Fix Under Review
Updated by Casey Bodley about 3 years ago
- Status changed from Fix Under Review to Pending Backport
- Tags set to sse vault
- Backport set to pacific
Updated by Backport Bot about 3 years ago
- Copied to Backport #49746: pacific: SSE-KMS vault transit: use transit correctly. added
Updated by Loïc Dachary over 2 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".