reidmorrison / symmetric-encryption

Symmetric Encryption for Ruby Projects using OpenSSL
https://logger.rocketjob.github.io/
Apache License 2.0

AWS Keystore – option to read data encryption key from an env var (instead of file) #148

Open ram-nadella opened 3 years ago

ram-nadella commented 3 years ago

Issue # (if available)

https://github.com/rocketjob/symmetric-encryption/issues/149

Description of changes

AWS Keystore uses KMS for the key encryption key, and the data encryption key is local to the code / runtime. This change adds the option to provide the data encryption key using an environment variable, with the existing file option as a fallback. This would allow for use cases where you don't want to put the keys on the filesystem.

NOTE: this is still a work in progress; pushed a commit early to show potential approach, the data needed to build the env key is not available in the read method. Thinking adding a config key might be the way to go here. Also need to add tests.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
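A sketch of the env-var-first, file-fallback lookup described above, added here as an illustration; it is not code from this pull request or from symmetric-encryption. The helper name, the `SYMMETRIC_ENCRYPTION_DATA_KEY` variable name and the Base64 encoding of the env value are assumptions, and the variable name is passed in explicitly, in line with the note about adding a config key.

```ruby
# Hypothetical helper (not part of symmetric-encryption): returns the stored
# data encryption key bytes together with the source they were read from.
# Assumption: the env var carries the same bytes the key file would hold,
# strict Base64 encoded, because env vars cannot safely carry raw binary.
def read_stored_data_key(env_var:, key_file:, env: ENV)
  encoded = env[env_var].to_s.strip
  unless encoded.empty?
    begin
      # "m0" is strict Base64: no line breaks, raises ArgumentError on bad input.
      return [encoded.unpack1("m0"), :env]
    rescue ArgumentError
      # Fail closed: a corrupt env value must not silently fall back to a
      # possibly stale key file left on disk.
      raise ArgumentError, "#{env_var} is set but is not valid Base64"
    end
  end

  # Fallback: the existing behaviour of reading the key from the filesystem.
  return [File.binread(key_file), :file] if key_file && File.file?(key_file)

  raise ArgumentError,
        "no data key: #{env_var} is unset and #{key_file.inspect} does not exist"
end

if __FILE__ == $PROGRAM_NAME
  sample = "constructed-sample-bytes".b # constructed value, not a real key
  fake_env = { "SYMMETRIC_ENCRYPTION_DATA_KEY" => [sample].pack("m0") }
  bytes, source = read_stored_data_key(
    env_var: "SYMMETRIC_ENCRYPTION_DATA_KEY", key_file: nil, env: fake_env
  )
  puts "read #{bytes.bytesize} bytes from #{source}"
end
```

Passing `env:` as a parameter keeps the lookup testable without mutating the process environment.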

reidmorrison commented 3 years ago

We have switched to using Secret Config instead of using a config file at all. The data encryption keys are stored in the AWS Parameter Store and are encrypted using KMS.

The following code was added to config/application.rb to support local testing vs deployed code:

    unless Rails.env.development? || Rails.env.test?
      config.secret_config.use :ssm, key_alias: "customer-kms", path: "/#{ENV['STACK_NAME']}/web"
    end

reidmorrison commented 2 years ago

@ram-nadella have you had a chance to see if the Secret Config approach above better suits your needs in the AWS environment? We are happy we made the switch since it is much easier to manage now, and we now retrieve all application settings from Secret Config at startup. If using Docker Images, Secret Config is a must-have for externalizing configuration.

ram-nadella commented 2 years ago

@reidmorrison thanks for following up on this.

We're using SecretsManager on AWS (provides a few nice things like access audit logs, secret rotation etc.). Ideally, we'd init symmetric-encryption on load with a key from secrets manager; was thinking of ENV var as a more generalized way for others to reuse this method.