-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requesting support for HSM Unseal method #300
Comments
I think #16 is a duplicate of this. It would be good to decide if we want to keep with the structure of go-kms-wrapping or if we'd like to simplify it in some way? |
We would be able to contribute/participate and have experience in the area. Maybe structuring around a more extensible architecture that allows for plugins would be very good. |
@jleni Yes, a plugin architecture is what PKCS#11 bindings would effectively let you achieve. The IMO, if we wish to keep just auto-unseal (and not seal wrapping or managed keys), we could revisit our decision to use The one thing I think I saw was that Azure KeyVault (their KMS offering) lacks PKCS#11 bindings of any sort (as does Transit), whereas most other KMS providers have PKCS#11 bindings... So maybe a Go pkcs#11 library would be nice, to eventually build Azure and Transit bindings without the need to put those SDKs in the main binary (like we do now).... Some Saturday thoughts. :-) But if you're willing, I might suggest spending some time looking at g-k-w and deciding what you think about keeping it versus replacing it. I'd take a careful look at the interfaces that exist presently, perhaps consider the ability to do key mobility/wrapping, and also at the extensibility of the protobuf files and make a determination there. |
Hi @cipherboy, Could you be more explicit about the changes that you have in mind concerning the go-kms-wrapping interface ? Which are, in your opinion, the main drawbacks of the current g-k-w? Many thanks! |
@DanGhita Hmmm... I think there's a few angles I can immediately articulate:
My 2c., but I think, given we only use it for auto-unseal today, perhaps it is scoped nicely enough that we could restructure to avoid using g-k-w, and build our own multi-provider encryption library, even if it does import SDKs, with nicer interfaces and better separations of concerns. Let me know if these thoughts are coherent this morning :-D |
Hi @cipherboy, I would be interested at taking a crack at implementing PKCS#11 support for OpenBao, but I'm still new enough to programming and crypto in particular that I will probably need some guidance. Just to be clear on the scope, the goal would be to implement more or less the Enterprise Vault design for pkcs11 unsealing, right? I've taken a look at those docs and at this pcks11 library by Google and can more or less get a vision of how I would use the latter to implement the former. I actually haven't taken a look at the OpenBao code though, so if you could 1) confirm that the design goal and library I've chosen are more or less correct and 2) point me in the right direction in the OpenBao codebase where I would implement this functionality, then I'll get to work and see what I can do. |
Hello @IohannesArnold! Great to hear. Give me a couple of weeks and I think I can put together two different proposals for how this can be implemented. With no offense to anyone at Google, that library looks a little immature and progress seems to have stalled. I've used https://github.com/miekg/pkcs11 and I'd suggest starting with PKCS11v3 support so we can adopt PQC algorithms more easily. The two approaches at a high level are the much simpler "add this library to go-kms-wrapping" and the more complex "replace go-kms-wrapping entirely with something more purpose built and direct". You should find g-k-w forked under the org's namespace as discussed above. Let me know your thoughts! |
Hi all, IMHO, this topic could be summarized as following: how deep do we want to integrate a KMS into the Vault ? In other words, the current "go-kms-wrapping" is a very basic cryptographic interface (Encrypt/Decrypt). Instead of that, the idea would be to define a more powerful crypto API to be used internally by the Vault. And indeed, this new crypto interface (a kind of gkw V2) should (probably) be as close as possible to PKCS#11. |
Yes, that's definitely a direction I see. Many of the issues with e.g., multi-unseal could be solved by making Vault only single-seal aware, but making a backend library handle the strategy of 2+ encryption backends. This breaks down only at the boundary between automation types (auto HSM/KMS vs manual Shamir's) and is otherwise much simpler. I've not put as much thought into it as I'd like, to be confident in the solution. The issue with Google's PKCS#11 library is that it isn't very complete and is likely very specialized to their particular use case. We'd preferably want broader PKCS#11 support and more flexibility to do, e.g., symmetric encryption which AFAICT is missing completely. My 2c. (g-k-w v2 already exists and is iirc what we're using as of this release, so it'd be more like a v3 API, if we keep that library name at all). |
I saw the other pkcs11 library and did note it looked more feature-complete; I just wasn't sure whether, in a security-focused application like this, using a third-party lib from what looks like an individual maintainer is too much of a risk. But if you think that it's okay to use, then I'll use miekg's lib. I've taken a look at "go-kms-wrapping" and I think I could take a shot at adding a pkcs11 wrapper just like the others in the library. The other proposal of totally refactoring the seal design sounds beyond me though; this is a new codebase to me and I don't think I'd have the familiarity to do that. |
Thanks @IohannesArnold! If you want to take a stab at it in g-k-w, it might be valuable to have anyways. I've used that library in the past and I think it's used by several other security critical projects. The maintainer is usually fairly responsive and keeps making larger changes (adding pkcs#11 v3.0 support fairly recently). |
Is your feature request related to a problem? Please describe.
Yes, this feature request is related to a problem. Currently, OpenBao does not support integration with Hardware Security Modules (HSM), a critical feature for enhancing security in sensitive environments. Many organizations, especially in sectors like finance and government, require HSM integration to meet compliance standards for cryptographic operations. This feature will enable OpenBao to automatically unseal using secure hardware, reduce operational complexity, and ensure that cryptographic keys are protected according to industry standards such as FIPS 140-2.
Describe the solution you'd like
I would like OpenBao to implement HSM integration to support automatic unsealing and enhanced security for encrypted data. This solution should include seamless setup and configuration for HSM devices that adhere to industry standards like FIPS 140-2. The integration should feature detailed documentation and command-line tools to facilitate easy and secure key management operations. Additionally, implementing the Seal Wrap feature will provide an additional layer of security, ensuring sensitive data is wrapped with an extra cryptographic barrier. This integration will make OpenBao a more robust tool for enterprises requiring high security standards.
Describe alternatives you've considered
As an alternative to integrating HSM support directly into OpenBao, we considered using software-based encryption keys with enhanced security measures. However in a private environment (non-cloud), the most securely viable is an HSM integration. Additionally, using HashiCorp Vault Enterprise was explored; however, it does not meet our cost constraints, making it less feasible for our project's budget. These alternatives, while potentially viable, do not fully meet the stringent compliance and security requirements that direct HSM integration would achieve.
Explain any additional use-cases
Adding HSM integration to OpenBao would also cater to use cases involving high-security applications, such as in government, healthcare, and banking sectors, where regulatory compliance demands hardware-level protection of encryption keys. I feel though an enterprise feature, this is a top priority item to implement as it will enable the adoption of OpenBao project in all environments.
Additional context
Integrating HSM with OpenBao aligns with industry best practices for security, particularly in sectors dealing with sensitive information. This feature would not only enhance the platform's attractiveness to prospective enterprise users but also leverage existing community expertise in HSM technologies to foster collaboration and innovation. By providing detailed documentation and examples, the adoption of this feature can be streamlined, encouraging widespread use and contributing to the robustness of OpenBao's security capabilities.
The text was updated successfully, but these errors were encountered: