
Why do you recommend specifying multiple KMS keys?

Open takanabe opened this issue 3 years ago • 3 comments

Background

Thank you for developing this great tool! Could you explain why you recommend using multiple master keys in the IAM console in different regions? When I read the README, I found the following explanation.

If you're using AWS KMS, create one or multiple master keys in the IAM console and export them, comma separated, in the SOPS_KMS_ARN env variable. It is recommended to use at least two master keys in different regions.

The document was added in 2015. So, I assume that we didn't have keys we could use from multiple AWS regions at the time. Now we have Multi-Region keys in AWS KMS, and I feel this is better than specifying multiple keys.

AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.

What I want to achieve

  • Understand the reason why we recommend specifying multiple KMS keys

Related information

takanabe avatar Mar 15 '22 07:03 takanabe

I'm also curious about that.

dpc avatar Mar 05 '23 01:03 dpc

AFAIU, the procedure would be the same for multi-region keys from a sops perspective. Multi-region keys share the same KeyID, but the region portion of the ARN differs for every replica of a multi-region key, see How Multi-Region keys work. This means you must add both keys to your sops config, effectively treating them as two separate keys. So, in the end, it doesn't matter from a sops perspective if you use a multi-region key and a replica or two separate keys.

mo-rieger avatar Aug 28 '24 10:08 mo-rieger
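As an added example (not from the sops project or any commenter), a `.sops.yaml` creation rule that lists both replicas of a multi-Region key as separate entries, the way the comment above describes; the account ID, key ID and regions are placeholders:

```yaml
# .sops.yaml (added example, placeholder identifiers)
#
# Both entries refer to the SAME multi-Region key: the key ID part
# ("mrk-...") is identical, only the region in the ARN differs. sops treats
# them as two independent master keys and encrypts the data key to each one,
# so a file can still be decrypted if KMS in one region is unavailable.
creation_rules:
  - path_regex: ^secrets/.*\.enc\.yaml$
    kms: >-
      arn:aws:kms:us-east-1:111122223333:key/mrk-PLACEHOLDER0000000000000000000,
      arn:aws:kms:eu-west-1:111122223333:key/mrk-PLACEHOLDER0000000000000000000
```

Equivalently, the same comma-separated pair can be exported in `SOPS_KMS_ARN`; the encrypted file's `sops.kms` section will then list both ARNs.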

Thx for replying @mo-rieger. I think using multi-region keys for AWS KMS would be the way to go to simplify things (correct me if wrong). @takanabe I would assume the reason to have +1 key is to have better availability; i.e. in case KMS service is down in the main region, we could still encrypt/decrypt using the secondary (failover) region.

adriantunez avatar Jan 11 '25 10:01 adriantunez