diff options
author | kste <kste@google.com> | 2023-07-17 02:02:35 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-07-17 02:04:07 -0700 |
commit | aaae5a94f0b96ee90ca82231efc7e0d6b70cb94d (patch) | |
tree | 89f561d17ae92e681911473ab01a79ebc176b49d | |
parent | c9295808fe1078a0320ba7a0daf8aad8890183ab (diff) | |
download | tink-aaae5a94f0b96ee90ca82231efc7e0d6b70cb94d.tar.gz |
Update key management documentation to point to developer site.
PiperOrigin-RevId: 548620880
-rw-r--r-- | docs/KEY-MANAGEMENT.md | 132 |
1 files changed, 4 insertions, 128 deletions
diff --git a/docs/KEY-MANAGEMENT.md b/docs/KEY-MANAGEMENT.md index 1d08d1c49..11750dd71 100644 --- a/docs/KEY-MANAGEMENT.md +++ b/docs/KEY-MANAGEMENT.md @@ -1,130 +1,6 @@ # Key Management with Tink -In addition to cryptographic operations Tink provides support for key management -features like key versioning, key rotation, and storing keysets or encrypting -with master keys in remote key management systems (KMS). To get a quick -overview of Tink design, incl. key management features, you can also take a look -at [slides](Tink-a_cryptographic_library--RealWorldCrypto2019.pdf) from [a talk -about Tink](https://www.youtube.com/watch?v=pqev9r3rUJs&t=9665) presented at -[Real World Crypto 2019](https://rwc.iacr.org/2019/). - -[Tinkey](TINKEY.md) is a command-line tool that allows managing Tink's key -material. Tink also provides a rich key management API (e.g., see -[KeysetManager](https://github.com/google/tink/blob/master/java_src/src/main/java/com/google/crypto/tink/KeysetManager.java)). - -## Key, Keyset, and KeysetHandle - -Tink performs cryptographic tasks via so-called [primitives](PRIMITIVES.md), -each of which is defined via a corresponding interface that specifies the -functionality of the primitive. - -A particular implementation of a _primitive_ is identified by a cryptographic -**key** structure that contains all key material and parameters needed to -provide the functionality of the primitive. The key structure is a _protocol -buffer_, whose globally unique name (a.k.a. _type url_) is referred to as **key -type**, and is used as an identifier of the corresponding implementation of a -primitive. Any particular implementation comes in a form of a **KeyManager** -which “understands” the key type: the manager can instantiate the primitive -corresponding to a given key, or can generate new keys of the supported key -type. - -To take advantage of key rotation and other key management features, a Tink user -works usually not with single keys, but with **keysets**, which are just sets of -keys with some additional parameters and metadata. In particular, this extra -information in the keyset determines which key is _primary_ (i.e. will be used -to create new cryptographic data like ciphertexts, or signatures), which keys -are _enabled_ (i.e. can be used to process existing cryptographic data, like -decrypt ciphertext or verify signatures), and which keys should not be used any -more. For more details about the structure of keys, keysets and related protocol -buffers see -[tink.proto](https://github.com/google/tink/blob/master/proto/tink.proto). - -The keys in a keyset can belong to _different implementations/key types_, but -must all implement the _same primitive_. Any given keyset (and any given key) -can be used for one primitive only. Moreover, to protect from accidental leakage -or corruption, an Tink user doesn’t work _directly_ with keysets, but rather -with **KeysetHandle** objects, which form a wrapper around the keysets. Creation -of KeysetHandle objects can be restricted to specific factories (whose -visibility can be governed by a white list), to enable control over actual -storage of the keys and keysets, and so avoid accidental leakage of secret key -material. - -## Key Management Systems - -Tink/Tinkey can encrypt or decrypt keysets with master keys residing in remote -KMSes. Currently, the following KMSes are supported: - -- [Google Cloud KMS](https://cloud.google.com/kms/) -- [AWS KMS](https://aws.amazon.com/kms/) -- [Android Keystore](https://developer.android.com/training/articles/keystore) - -On iOS, Tink can also directly load or store keysets in -[iOS KeyChain](https://developer.apple.com/documentation/security/keychain_services). - -You can easily add support for in-house key management systems, without having -to change anything in Tink/Tinkey. For example, when Tink/Tinkey is deployed at -Google, it supports encrypting keysets with master keys stored in our internal -key management system. - -To encrypt Tink's key material with master keys in KMSes, you first create a -master key in the KMS and tell Tink/Tinkey where the master key is by providing -a master key URI. - -KMS | Format of master key URIs ----------------- | ---------------------------------------------------------- -AWS KMS | `aws-kms://arn:aws:kms:<region>:<account-id>:key/<key-id>` -GCP KMS | `gcp-kms://projects/*/locations/*/keyRings/*/cryptoKeys/*` -Android Keystore | `android-keystore://*` - -Every master key URI starts with a unique prefix that identifies its KMS. The -prefix for AWS KMS is `aws-kms://`, Google Cloud KMS `gcp-kms://`, and Android -Keystore `android-keystore://`. - -To create master keys: - -- In Google Cloud KMS: https://cloud.google.com/kms/docs/quickstart. - -- In Amazon KMS: - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html. - -- In Android Keystore: - https://developer.android.com/training/articles/keystore.html. - -### Credentials - -Tink/Tinkey needs credentials to connect to AWS KMS or Google Cloud KMS. Google -Cloud credentials are service account JSON files that can be created and -downloaded from Google Cloud Console. AWS credentials are properties files with -the AWS access key ID is expected to be in the `accessKey` property and the AWS -secret key is expected to be in the `secretKey` property. - -Tink/Tinkey can also load the default credentials: - -* AWS KMS: - http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default - -* Google Cloud KMS: - https://developers.google.com/identity/protocols/application-default-credentials. - -## Envelope encryption - -Via the AEAD interface, Tink supports envelope encryption in tandem with GCP and -AWS KMS. This provides one of the simplest key management options. - -For more context, reference the following cloud service provider documentation: - -* [Amazon Web Services](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping) -* [Google Cloud Platform](https://cloud.google.com/kms/docs/envelope-encryption) - -In this mode, you first create a key encryption key (KEK) in a Key Management -System (KMS) such as AWS KMS or Google Cloud KMS. To encrypt some data, you then -locally generate a data encryption key (DEK), encrypt data with the DEK, ask the -KMS to encrypt the DEK with the KEK, and store the encrypted DEK with the -encrypted data. At a later point, you can retrieve the encrypted data and the -encrypted DEK, ask the KMS to decrypt the DEK, and use the decrypted DEK to -decrypt the data. - -Tink supports envelope encryption in [C++](CPP-HOWTO.md#envelope-encryption), -[Java](JAVA-HOWTO.md#envelope-encryption), -[Go](GOLANG-HOWTO.md#envelope-encryption) and -[Python](PYTHON-HOWTO.md#envelope-encryption). +Improper key management is a major source of risk. Tink has built-in support for +industry-leading options to help you secure your keys. Please see the +[developer documentation](https://developers.google.com/tink/key-management-overview) +on how to implement proper key management. |