provide blank sample access_keys.csv

2024-02-24 11:21:25 -08:00 · 2024-02-24 11:21:25 -08:00 · e5146c17ad
commit e5146c17ad
parent 87ac512dd4
1 changed files with 21 additions and 0 deletions
--- a/access_keys.csv
+++ b/access_keys.csv
@ -0,0 +1,21 @@
+# This file should be used sparingly. We should probably have a mechanism
+# built in to decrypt it with PKCS#11 or something, because it's the keys
+# to everything (this file -> database metadata -> table level keys).
+#
+# Normal operation is to allow LocalDb to get Account ID from LocalIAM
+# (actually I think this is LocalSTS) with Account ID in hand, LocalDb will
+# retrieve (or generate/retrieve) the encryption key from LocalDb
+#
+# This is, of course, a recursive operation, so at some point we need the base
+# case, which is a key that's not stored in the database (or the source code)
+#
+# That...is the purpose of this file. The existing/new is intended to enable
+# key rotations. This system uses envelope encryption, so table data is
+# encrypted with a key that is stored in the ddbLocal metadata table. On
+# request for rotation, the table metadata will use the existing encoded
+# encryption key to read, then re-encrypt the metadata with the new encoded
+# encryption key. Key rotation, however, remains a TODO in the code
+#
+# To generate a line for this file, use `zig build generate_credentials`
+#
+# Access Key,Secret key,Account Id,Existing encoded encryption key, New encoded encryption key