containers / ocicrypt

Encryption libraries for Encrypted OCI Container images
Apache License 2.0
149 stars 33 forks source link

Use Key Provider to provide encryption key #67

Open Dsolnik opened 2 years ago

Dsolnik commented 2 years ago

Would it be possible to give the key provider the option to specify the encryption key and protocols instead of just the KEK?

stefanberger commented 2 years ago

I am not quite sure what you mean. Is the 'encryption key' you mention the 'KEK' and now you want to choose whether to use gpg versus pkcs7/cms versus pkcs11 with that encryption key?

lumjjb commented 2 years ago

you should be able to make the payload anything you want and program the keyprovider to unwrap that structure and do what you want with it.

Dsolnik commented 1 year ago

@lumjjb, this is correct, we can do whatever we want with the annotation.

The key used to encrypt the layers is picked randomly (if none is specified on the command line) before being passed in to the ocicrypt key provider.

Ideally, I would want to have a provider for the key in addition to a provider for the KEK.

Does that make sense?

Dsolnik commented 1 year ago

A better name for the current key provider would be KEK provider, I'm asking for something to provide the encryption key.