lobo/ddblocal
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

provide blank sample access_keys.csv

Browse source
This commit is contained in:
Emil Lerch 2024-02-24 11:21:25 -08:00
parent 87ac512dd4
commit e5146c17ad
Signed by: lobo
GPG key ID: A7B62D657EF764F8
1 changed files with 21 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
access_keys.csv Normal file
View file

@ -0,0 +1,21 @@
# This file should be used sparingly. We should probably have a mechanism
# built in to decrypt it with PKCS#11 or something, because it's the keys
# to everything (this file -> database metadata -> table level keys).
#
# Normal operation is to allow LocalDb to get Account ID from LocalIAM
# (actually I think this is LocalSTS) with Account ID in hand, LocalDb will
# retrieve (or generate/retrieve) the encryption key from LocalDb
#
# This is, of course, a recursive operation, so at some point we need the base
# case, which is a key that's not stored in the database (or the source code)
#
# That...is the purpose of this file. The existing/new is intended to enable
# key rotations. This system uses envelope encryption, so table data is
# encrypted with a key that is stored in the ddbLocal metadata table. On
# request for rotation, the table metadata will use the existing encoded
# encryption key to read, then re-encrypt the metadata with the new encoded
# encryption key. Key rotation, however, remains a TODO in the code
#
# To generate a line for this file, use `zig build generate_credentials`
#
# Access Key,Secret key,Account Id,Existing encoded encryption key, New encoded encryption key
1 # This file should be used sparingly. We should probably have a mechanism
2 # built in to decrypt it with PKCS#11 or something, because it's the keys
3 # to everything (this file -> database metadata -> table level keys).
4 #
5 # Normal operation is to allow LocalDb to get Account ID from LocalIAM
6 # (actually I think this is LocalSTS) with Account ID in hand, LocalDb will
7 # retrieve (or generate/retrieve) the encryption key from LocalDb
8 #
9 # This is, of course, a recursive operation, so at some point we need the base
10 # case, which is a key that's not stored in the database (or the source code)
11 #
12 # That...is the purpose of this file. The existing/new is intended to enable
13 # key rotations. This system uses envelope encryption, so table data is
14 # encrypted with a key that is stored in the ddbLocal metadata table. On
15 # request for rotation, the table metadata will use the existing encoded
16 # encryption key to read, then re-encrypt the metadata with the new encoded
17 # encryption key. Key rotation, however, remains a TODO in the code
18 #
19 # To generate a line for this file, use `zig build generate_credentials`
20 #
21 # Access Key,Secret key,Account Id,Existing encoded encryption key, New encoded encryption key