ocicrypt

Use Key Provider to provide encryption key

Open Dsolnik opened this issue 3 years ago • 4 comments

Would it be possible to give the key provider the option to specify the encryption key and protocols instead of just the KEK?

Dsolnik, Sep 08 '22 14:09

I am not quite sure what you mean. Is the 'encryption key' you mention the 'KEK' and now you want to choose whether to use gpg versus pkcs7/cms versus pkcs11 with that encryption key?

stefanberger, Sep 09 '22 12:09

You should be able to make the payload anything you want and program the keyprovider to unwrap that structure and do what you want with it.

lumjjb, Sep 09 '22 13:09

@lumjjb, this is correct; we can do whatever we want with the annotation.

The key used to encrypt the layers is picked randomly (if none is specified on the command line) before being passed in to the ocicrypt key provider.

Ideally, I would want to have a provider for the key in addition to a provider for the KEK.

Does that make sense?

Dsolnik, Mar 16 '23 23:03

A better name for the current key provider would be KEK provider; I'm asking for something to provide the encryption key.

Dsolnik, Mar 16 '23 23:03
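The division of labour discussed in the replies above, as an added Go example (not code from ocicrypt or from anyone in this thread): the provider receives the layer key that was already chosen, carried inside `optsdata`, and is free to return any annotation layout, here nonce || AES-256-GCM ciphertext. Assumptions: the JSON field names are taken from ocicrypt's keyprovider protocol and should be checked against the version in use, the provider is run as a command reading one JSON request on stdin, and `handle`, `message`, `blob` and the all-zero KEK are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"log"
	"os"
)
// JSON field names assumed from ocicrypt's keyprovider protocol; []byte travels as base64.
type message struct {
	Op        string `json:"op,omitempty"` // "keywrap" or "keyunwrap"
	WrapIn    *blob  `json:"keywrapparams,omitempty"`
	UnwrapIn  *blob  `json:"keyunwrapparams,omitempty"`
	WrapOut   *blob  `json:"keywrapresults,omitempty"`
	UnwrapOut *blob  `json:"keyunwrapresults,omitempty"`
}
type blob struct {
	OptsData   []byte `json:"optsdata,omitempty"`   // layer key and cipher options, already chosen by the caller
	Annotation []byte `json:"annotation,omitempty"` // provider-defined; here nonce || ciphertext || tag
}

func handle(req message, kek [32]byte) (message, error) {
	block, _ := aes.NewCipher(kek[:]) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	n := aead.NonceSize()
	switch {
	case req.Op == "keywrap" && req.WrapIn != nil:
		nonce := make([]byte, n)
		if _, err := rand.Read(nonce); err != nil {
			return message{}, err
		}
		return message{WrapOut: &blob{Annotation: aead.Seal(nonce, nonce, req.WrapIn.OptsData, nil)}}, nil
	case req.Op == "keyunwrap" && req.UnwrapIn != nil && len(req.UnwrapIn.Annotation) > n:
		opts, err := aead.Open(nil, req.UnwrapIn.Annotation[:n], req.UnwrapIn.Annotation[n:], nil)
		return message{UnwrapOut: &blob{OptsData: opts}}, err // err: wrong KEK or tampered annotation
	}
	return message{}, errors.New("unsupported or malformed request")
}

func main() { // one JSON request on stdin, one JSON reply on stdout
	var req message
	err := json.NewDecoder(os.Stdin).Decode(&req)
	resp, herr := handle(req, [32]byte{}) // constructed all-zero demo KEK; load a real one from a key store
	if err = errors.Join(err, herr); err != nil {
		log.Fatal(err)
	}
	json.NewEncoder(os.Stdout).Encode(resp)
}
```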