containers / ocicrypt

Encryption libraries for Encrypted OCI Container images
Apache License 2.0

Use Key Provider to provide encryption key #67

Open Dsolnik opened 2 years ago

Dsolnik commented 2 years ago

Would it be possible to give the key provider the option to specify the encryption key and protocols instead of just the KEK?

stefanberger commented 2 years ago

I am not quite sure what you mean. Is the 'encryption key' you mention the 'KEK' and now you want to choose whether to use gpg versus pkcs7/cms versus pkcs11 with that encryption key?

lumjjb commented 2 years ago

You should be able to make the payload anything you want and program the keyprovider to unwrap that structure and do what you want with it.
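
The point made in this reply, a provider-defined payload that the same provider later unwraps, as an added example that is not part of the thread and not ocicrypt's own code. It assumes a hypothetical `wrappedPayload` structure, a KEK held by the provider, and stands in for the optsData that ocicrypt passes on keywrap with a constructed byte string; the field names and the version check are this example's choices, not the keyprovider protocol's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// wrappedPayload is the provider-defined structure stored in the layer
// annotation (hypothetical layout). Only this provider has to understand
// it, so it can carry whatever is needed to find and use the KEK on unwrap.
type wrappedPayload struct {
	Version int    `json:"version"`
	KeyID   string `json:"keyid"`   // which KEK wrapped this key
	Nonce   []byte `json:"nonce"`   // AES-GCM nonce, fresh per wrap
	Wrapped []byte `json:"wrapped"` // AES-GCM(KEK, nonce, optsData)
}

// newAEAD builds AES-GCM over a 16-, 24- or 32-byte KEK.
func newAEAD(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapOptsData is the keywrap side: the provider receives the layer key
// material that ocicrypt generated (optsData), encrypts it under the KEK
// and returns the bytes that become the annotation.
func wrapOptsData(kek []byte, keyID string, optsData []byte) ([]byte, error) {
	aead, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Bind the key ID as additional authenticated data so it cannot be
	// swapped in the annotation without the unwrap failing.
	ct := aead.Seal(nil, nonce, optsData, []byte(keyID))
	return json.Marshal(wrappedPayload{Version: 1, KeyID: keyID, Nonce: nonce, Wrapped: ct})
}

// unwrapAnnotation is the keyunwrap side: parse the provider's own
// structure, check it refers to a KEK this provider holds, and recover
// optsData. A wrong KEK or a modified annotation is reported as an error.
func unwrapAnnotation(kek []byte, keyID string, annotation []byte) ([]byte, error) {
	var p wrappedPayload
	if err := json.Unmarshal(annotation, &p); err != nil {
		return nil, fmt.Errorf("malformed annotation: %w", err)
	}
	if p.Version != 1 {
		return nil, fmt.Errorf("unsupported payload version %d", p.Version)
	}
	if p.KeyID != keyID {
		return nil, errors.New("annotation was wrapped with a different KEK")
	}
	aead, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	if len(p.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	optsData, err := aead.Open(nil, p.Nonce, p.Wrapped, []byte(p.KeyID))
	if err != nil {
		return nil, errors.New("authentication failed: wrong KEK or tampered annotation")
	}
	return optsData, nil
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32)               // constructed 256-bit KEK
	layerKey := []byte("constructed-layer-key-material") // stands in for optsData
	ann, err := wrapOptsData(kek, "kek-1", layerKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("annotation: %s\n", ann)
	got, err := unwrapAnnotation(kek, "kek-1", ann)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", bytes.Equal(got, layerKey))
}
```

The annotation format is entirely the provider's: a real provider would replace the in-memory KEK with a call to whatever holds it (an HSM, a KMS, a PKCS#11 token) and could add more fields, as long as its unwrap path validates each one before trusting the recovered key material.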

Dsolnik commented 1 year ago

@lumjjb, this is correct, we can do whatever we want with the annotation.

The key used to encrypt the layers is picked randomly (if none is specified on the command line) before being passed in to the ocicrypt key provider.

Ideally, I would want to have a provider for the key in addition to a provider for the KEK.

Does that make sense?

Dsolnik commented 1 year ago

A better name for the current key provider would be KEK provider; I'm asking for something to provide the encryption key.