mirror of
https://github.com/siderolabs/talos.git
synced 2025-10-26 22:11:38 +01:00
ce63abb219
Talos now supports new type of encryption keys which rely on Sealing/Unsealing randomly generated bytes with a KMS server:
```
systemDiskEncryption:
ephemeral:
keys:
- kms:
endpoint: https://1.2.3.4:443
slot: 0
```
gRPC API definitions and a simple reference implementation of the KMS server can be found in this
[repository](https://github.com/siderolabs/kms-client/blob/main/cmd/kms-server/main.go).
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
39 lines
1.0 KiB
Go
39 lines
1.0 KiB
Go
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
package keys
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/siderolabs/go-blockdevice/blockdevice/encryption"
|
|
"github.com/siderolabs/go-blockdevice/blockdevice/encryption/token"
|
|
)
|
|
|
|
// StaticKeyHandler just handles the static key value all the time.
|
|
type StaticKeyHandler struct {
|
|
KeyHandler
|
|
data []byte
|
|
}
|
|
|
|
// NewStaticKeyHandler creates new EphemeralKeyHandler.
|
|
func NewStaticKeyHandler(key KeyHandler, data []byte) *StaticKeyHandler {
|
|
return &StaticKeyHandler{
|
|
KeyHandler: key,
|
|
data: data,
|
|
}
|
|
}
|
|
|
|
// NewKey implements Handler interface.
|
|
func (h *StaticKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error) {
|
|
k, err := h.GetKey(ctx, nil)
|
|
|
|
return k, nil, err
|
|
}
|
|
|
|
// GetKey implements Handler interface.
|
|
func (h *StaticKeyHandler) GetKey(context.Context, token.Token) (*encryption.Key, error) {
|
|
return encryption.NewKey(h.slot, h.data), nil
|
|
}
|