From: Jarkko Sakkinen <jarkko@kernel.org>
To: Martin Ross <mross@pobox.com>
Cc: corbet@lwn.net, dhowells@redhat.com, jejb@linux.ibm.com,
jmorris@namei.org, keyrings@vger.kernel.org,
linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, serge@hallyn.com,
Yael Tiomkin <yaelt@google.com>, Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH v4] KEYS: encrypted: Instantiate key with user-provided decrypted data
Date: Wed, 26 Jan 2022 16:51:29 +0200 [thread overview]
Message-ID: <YfFf8fvsDm8lQJgJ@iki.fi> (raw)
In-Reply-To: <YfFe9+XDPDIdSqF1@iki.fi>
On Wed, Jan 26, 2022 at 04:47:22PM +0200, Jarkko Sakkinen wrote:
> On Tue, Jan 18, 2022 at 01:26:05PM -0500, Martin Ross wrote:
> > Hi Jarkko,
> >
> > I have been working with Yael on this project so I thought I might add
> > a bit of background here around the use case that this series of
> > patches is trying to address.
> >
> > At a high level we are trying to provide users of encryption that have
> > key management hierarchies a better tradeoff between security and
> > availability. For available and performance reasons master keys often
> > need to be released (or derived/wrapped keys created) outside of a KMS
> > to clients (which may in turn further wrap those keys in a series of
> > levels). What we are trying to do is provide a mechanism where the
> > wrapping/unwrapping of these keys is not dependent on a remote call at
> > runtime. e.g. To unwrap a key if you are using AWS KMS or Google
> > Service you need to make an RPC. In practice to defend against
> > availability or performance issues, designers end up building their
> > own kms and effectively encrypting everything with a DEK. The DEK
> > encrypts same set as the master key thereby eliminating the security
> > benefit of keeping the master key segregated in the first place.
Mainly this part (would be enough to explain why it is there).
BR, Jarkko
next prev parent reply other threads:[~2022-01-26 14:51 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-18 18:26 [PATCH v4] KEYS: encrypted: Instantiate key with user-provided decrypted data Martin Ross
2022-01-26 14:47 ` Jarkko Sakkinen
2022-01-26 14:51 ` Jarkko Sakkinen [this message]
2022-01-26 20:56 ` Yael Tiomkin
2022-02-04 6:27 ` Jarkko Sakkinen
-- strict thread matches above, loose matches on Subject: below --
2021-12-29 21:53 Yael Tiomkin
2021-12-30 10:07 ` Sumit Garg
2021-12-30 13:29 ` Mimi Zohar
2022-01-03 6:51 ` Sumit Garg
2022-01-05 20:18 ` Yael Tiomkin
2022-01-07 5:14 ` Sumit Garg
2022-01-07 12:53 ` Yael Tiomkin
2022-01-07 13:32 ` Sumit Garg
2022-01-13 19:14 ` Yael Tiomkin
2022-01-18 6:46 ` Sumit Garg
2022-01-05 20:12 ` Jarkko Sakkinen
2022-01-06 18:30 ` Yael Tiomkin
2022-01-08 21:58 ` Jarkko Sakkinen
2022-01-10 16:04 ` Nayna
2022-01-13 19:01 ` Yael Tiomkin
2022-01-20 17:13 ` Nayna
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YfFf8fvsDm8lQJgJ@iki.fi \
--to=jarkko@kernel.org \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mross@pobox.com \
--cc=serge@hallyn.com \
--cc=yaelt@google.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).