Closed seanjoo closed 8 years ago
it should just work. I haven't tried it though
According to the KMS FAQ (https://aws.amazon.com/kms/faqs/) keys are created in a specific region and can't be copied. That said, last week AWS launched a feature to allow you to import key material into KMS (docs: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html). So if you generate a master key outside KMS and then import it into all the regions you care about, then x-region replication should just work.
Going to close this for now. Feel free to reopen.
This doesn't work
I just tested it. When you import the same key into different regions you are wrapping it in different wrappers. So as I have to use the ARN and the alias while using the putall function, credstash doesn't recognize it as the same key. I am explaining it in my own open issue https://github.com/fugue/credstash/issues/257
Has anyone thought about how this could work with DDB cross region replication?
I guess as long as there is a wrapped data key per region which unwraps to the same data key value, this should work?
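The two findings in this thread, as an added example (not credstash code and not an AWS API): a ciphertext wrapped by KMS in one region cannot be unwrapped in another even when the same key material was imported there, but an item that carries one wrapped copy of the same data key per region can be decrypted wherever DynamoDB replicates it. `RegionalKms`, `put_secret`, `get_secret` and the HMAC-based stand-in for AES are all constructed for this example so it runs offline with the standard library; the region names and the secret value are constructed sample data.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. A stdlib stand-in for AES-CTR, used only so this
    example runs without third-party packages; real credstash uses AES with KMS data keys."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class RegionalKms:
    """Simulated per-region KMS endpoint (constructed for this example).
    A ciphertext it produces is bound to its own region: decrypting it in another
    region fails even when the same imported master key material lives there too,
    which is the 'different wrappers' behaviour observed in the thread."""

    def __init__(self, region: str, master_key_material: bytes):
        self.region = region
        # The wrapping key depends on the material AND the region, so identical
        # imported material still yields a region-specific wrapper.
        self._wrap_key = hmac.new(master_key_material, region.encode(), hashlib.sha256).digest()

    def encrypt(self, plaintext: bytes) -> bytes:
        return self.region.encode() + b"|" + seal(self._wrap_key, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        region, _, body = blob.partition(b"|")
        if region != self.region.encode():
            raise PermissionError(f"ciphertext from {region.decode()} is not decryptable in {self.region}")
        return unseal(self._wrap_key, body)


def put_secret(secret: bytes, kms_per_region: dict) -> dict:
    """Envelope-encrypt once, then wrap the single data key under every region's KMS.
    The stored item carries one wrapped copy per region, so a replicated copy of the
    item can be opened with whichever regional KMS is local."""
    data_key = os.urandom(32)
    item = {"contents": seal(data_key, secret), "keys": {}}
    for region, kms in kms_per_region.items():
        item["keys"][region] = kms.encrypt(data_key)
    return item


def get_secret(item: dict, kms: RegionalKms) -> bytes:
    """Unwrap the data key with the local region's copy, then open the contents."""
    data_key = kms.decrypt(item["keys"][kms.region])
    return unseal(data_key, item["contents"])


def demo():
    material = os.urandom(32)  # constructed: the material you would import into each region's KMS
    regions = {r: RegionalKms(r, material) for r in ("us-east-1", "eu-west-1")}
    item = put_secret(b"db-password-example", regions)
    # Readable in every region that holds a wrapped copy of the data key.
    results = {r: get_secret(item, regions[r]) for r in regions}
    # A wrapped copy from one region is useless to another region's KMS.
    try:
        regions["eu-west-1"].decrypt(item["keys"]["us-east-1"])
        cross_region_decrypt_succeeded = True
    except PermissionError:
        cross_region_decrypt_succeeded = False
    return results, cross_region_decrypt_succeeded


if __name__ == "__main__":
    print(demo())
```

The design point is the `keys` map: replication copies the whole item, so the item must already contain a wrapper for each region a reader may sit in, and every wrapper must unwrap to the same data key value.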