getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Implement Shamir's Secret Sharing for data key retrieval #208

Closed autrilla closed 7 years ago

autrilla commented 7 years ago

Suggested by @jvehent.

Currently, every single master key has the capacity to fully decrypt the data key, and therefore the whole file. It would be desirable to have a way to require access to more than one master key in order to retrieve the data key. Using Shamir's Secret Sharing, if one master key is compromised, the attacker can't get the data key, as they will need a quorum of keys to retrieve it. We can use Vault's implementation of the algorithm.

This should be relatively easy to implement by modifying the way we retrieve the data key from the encrypted file, GetDataKey in sops.go; and the way we write the data key to the encrypted file, UpdateMasterKeys in sops.go.

The number of master keys required to form a quorum should probably be configurable, defaulting to half the number of keys plus one.
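As an added illustration (not part of the original issue, and not code from sops or from Vault's implementation), the sketch below shows the threshold scheme described above: the data key is split into one share per master key, and any quorum of shares recovers it. The byte-wise GF(2^8) field and all function names are assumptions made for this example, and the arithmetic is not constant-time.

```python
import secrets

def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo the AES polynomial 0x11b."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def gf_inv(a):
    """Inverse of a non-zero element, computed as a^254."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def default_quorum(n):
    """Default proposed in the issue: half the number of keys plus one."""
    return n // 2 + 1

def split(key, n, t):
    """Return {x: share} for x = 1..n; any t shares recover the key."""
    if not 2 <= t <= n <= 255:
        raise ValueError("need 2 <= t <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for s in key:
        coef = secrets.token_bytes(t - 1)  # fresh random polynomial per key byte
        for x, out in shares.items():
            y = 0
            for c in coef:  # Horner evaluation of the non-constant terms
                y = gf_mul(y ^ c, x)
            out.append(y ^ s)  # constant term is the key byte, so f(0) = s
    return {x: bytes(v) for x, v in shares.items()}

def combine(shares):
    """Lagrange-interpolate f(0); below quorum the result is unrelated to the key."""
    key = bytearray(len(next(iter(shares.values()))))
    for xi, yi in shares.items():
        w = 1  # Lagrange basis polynomial for xi, evaluated at x = 0
        for xj in shares:
            if xj != xi:
                w = gf_mul(w, gf_mul(xj, gf_inv(xj ^ xi)))
        for k, y in enumerate(yi):
            key[k] ^= gf_mul(w, y)
    return bytes(key)
```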

autrilla commented 7 years ago

This has been fixed by #238