search

opentdf / platform

OpenTDF Platform monorepo enabling the development and integration of _forever control_ of data into new and existing applications. The concept of forever control stems from an increasingly common concept known as zero trust.
BSD 3-Clause Clear License
17 stars 5 forks source link

Epic: configured CryptoProvider enhancements/hardening #1183

Open jakedoublev opened 1 month ago

jakedoublev commented 1 month ago

Background

At present, the server.cryptoProvider in the platform config is used primarily for management of KAS keys. However, the platform engages with other sensitive cryptographic and crypto-adjacent materials (keys of varied types for other services, tokens, TLS certs, HSM information, etc).

Rather than spreading configuration of varying crypto-related values across the service configs, we should enhance and centralize the cryptoProvider config interface to make it extensible to n number of keys and key types across n number of services, and let each service do its own validation/panic that it has the cryptographic material it requires.

Centralizing sensitive config will make administration of a platform and development on top of it both easier.

Acceptance Criteria

TODO

jrschumacher commented 1 month ago

@dmihalcik-virtru Jake and I were discussing how an admin would manage the cryptoprovider when we look at supporting clickops. Currently, they would have to update the config or update the Envs.

Do you have any thoughts about this you'd like to add?

jakedoublev commented 1 month ago

Related to #1254