AWS KMS cannot act as a secret store where we can store user data.
It provides a mechanism to generate DataKeys that could be used
for encrypting user data. In KMS, when you generate a DataKey, it returns:
  [Private Key]: PlainText, which should be used for encrypting data.
  [Public Key]: CipherText, which should be used for subsequent calls to KMS to fetch the private key.
Add two persistence stores for AWS KMS to store the public key:
  filePersistenceStore - uses files on the host
  kvdbPersistenceStore - uses a key-value database via portworx/kvdb
Add support for storing user data in a secret store
AWS KMS in conjunction with kvdb can store user data.
For every secretData to be stored, a new DataKey is generated in KMS.
PutSecret -> Using the private key and the AES+GCM algorithm, the user data is encrypted and then stored in kvdb.
GetSecret -> Using the public key, the private key is fetched from KMS. The encrypted data stored in kvdb is then fetched
and decrypted with the same AES+GCM algorithm to recover the user data.
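The PutSecret/GetSecret flow described above, as an added example that is not part of this PR or of the project's code. It is envelope encryption: per secret, a fresh data key is generated, the user data is sealed with AES-GCM under the plaintext half, and only the KMS-wrapped half (what the description calls the "public key") is persisted next to the ciphertext. Two things are assumptions of the example and not real components: `fakeKMS` stands in for AWS KMS (GenerateDataKey/Decrypt are modelled with a local AES-GCM master key instead of the AWS SDK), and a Go map stands in for kvdb. The example also goes one step beyond the description by passing the secret id as GCM associated data, so a record copied to another key in the store will not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// dataKey mirrors a KMS GenerateDataKey response: plaintext key for local AES-GCM, wrapped copy to persist.
type dataKey struct {
	Plaintext      []byte
	CiphertextBlob []byte
}

// fakeKMS stands in for AWS KMS (an assumption of this example, not the real service): it wraps
// and unwraps data keys under a master key that never leaves it.
type fakeKMS struct{ master cipher.AEAD }

// mustAEAD builds AES-256-GCM; every key in this example is 32 bytes, so a failure is a bug, not input.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to work around
	}
	return b
}

// seal prefixes a fresh random nonce: output is nonce || ciphertext || tag.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if the ciphertext, the tag or the aad has been altered.
func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func newFakeKMS() *fakeKMS { return &fakeKMS{master: mustAEAD(randomBytes(32))} }

// GenerateDataKey returns a fresh 256-bit key together with its wrapped form.
func (k *fakeKMS) GenerateDataKey() dataKey {
	pt := randomBytes(32)
	return dataKey{Plaintext: pt, CiphertextBlob: seal(k.master, pt, nil)}
}

// Decrypt unwraps a CiphertextBlob back into the plaintext data key.
func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return open(k.master, blob, nil) }

// secretRecord is the value persisted in kvdb for one secret.
type secretRecord struct {
	WrappedKey []byte // the KMS CiphertextBlob (what the PR text calls the "public key")
	Ciphertext []byte // seal() output over the user data
}

// secretStore pairs the KMS stand-in with a map standing in for kvdb (also an assumption).
type secretStore struct {
	kms  *fakeKMS
	kvdb map[string]secretRecord
}

// PutSecret: one fresh data key per secret, AES-GCM encrypt, persist wrapped key plus ciphertext.
// The id is bound in as associated data (an addition beyond the PR text) so a record cannot be
// moved under another id and still decrypt. The plaintext data key is never stored.
func (s *secretStore) PutSecret(id string, data []byte) {
	dk := s.kms.GenerateDataKey()
	s.kvdb[id] = secretRecord{WrappedKey: dk.CiphertextBlob, Ciphertext: seal(mustAEAD(dk.Plaintext), data, []byte(id))}
}

// GetSecret: load the record, have KMS unwrap the data key, then AES-GCM decrypt.
func (s *secretStore) GetSecret(id string) ([]byte, error) {
	rec, ok := s.kvdb[id]
	if !ok {
		return nil, errors.New("secret not found: " + id)
	}
	key, err := s.kms.Decrypt(rec.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(mustAEAD(key), rec.Ciphertext, []byte(id))
}
```

Usage: `store := &secretStore{kms: newFakeKMS(), kvdb: map[string]secretRecord{}}`, then `store.PutSecret("db-password", []byte("hunter2"))` and `store.GetSecret("db-password")`. What reaches the store is only the wrapped key and the GCM output, so a dump of kvdb alone yields neither the key nor the data; recovering a secret always requires a Decrypt call to KMS, which is where access control and audit logging for these secrets naturally live.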