tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
https://developers.google.com/tink
Apache License 2.0

Recommendation on the best approach for rotation #707

Closed iamyohann closed 11 months ago

iamyohann commented 1 year ago

Should we use Tinkey (java based) or the golang keyset manager in Go https://github.com/google/tink/blob/master/go/keyset/manager.go

We plan on automating key rotation, and we're wondering whether to programmatically call the Java code or Golang code...

Can we get some info on maturity, compatibility guarantees etc.... so we can make an informed choice on the best approach...

juergw commented 1 year ago

The functionality offered by the keyset manager in Golang and the Tinkey command line tool are very similar. And the serialization of the keysets is compatible, so any keyset (or encrypted keyset) produced with Tinkey is readable by the golang keyset package, and vice versa.

So, it really is up to you to choose which way you prefer. One thing that we recommend however is that you keep your key management code and your production code that uses the keys separate.

There are some functionalities that are missing in both, for example importing existing keys. We have plans to extend the API in golang similar to what we already did in Java (see KeysetHandle.Builder in https://github.com/tink-crypto/tink-java/blob/main/src/main/java/com/google/crypto/tink/KeysetHandle.java). The resulting API will still be compatible with what the keyset manager currently does.
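The rotation lifecycle the answer above relies on (add a new key, make it primary, keep reading old ciphertexts, then disable the old key once nothing depends on it) is easy to get wrong, so here is an added, self-contained Go example that is not part of this thread or of Tink's code base. It models a keyset with only the standard library: each key has a random 32-bit ID, exactly one key is primary, and every ciphertext starts with Tink's 5-byte TINK output prefix (`0x01` followed by the big-endian key ID) so the reader can select the right key without trial decryption. The `Keyset`, `Key`, `AddNewKey`, `SetPrimary`, `Disable`, `KeyIDOf`, `Encrypt` and `Decrypt` names are this example's own; in Tink itself these steps correspond, roughly, to the Go keyset manager linked in the question and to the primitives obtained from a keyset handle, and the manager, not hand-rolled code, is what a production rotation job should call. The sample plaintexts and associated data are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Key is one keyset entry: a 32-bit ID, an enabled flag and its AES-256-GCM primitive.
type Key struct {
	ID      uint32
	Enabled bool
	aead    cipher.AEAD
}

// Keyset is a toy model of a Tink keyset (an assumption for this example, not
// Tink's own type): several keys, exactly one of them primary.
type Keyset struct {
	PrimaryID uint32
	Keys      map[uint32]*Key
}

func NewKeyset() *Keyset { return &Keyset{Keys: map[uint32]*Key{}} }

// AddNewKey generates fresh AES-256-GCM key material under a random, unused,
// non-zero ID and adds it as enabled but not yet primary.
func (ks *Keyset) AddNewKey() (uint32, error) {
	buf := make([]byte, 36) // 32 bytes of key material + 4 bytes of candidate ID
	if _, err := rand.Read(buf); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return 0, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	id := binary.BigEndian.Uint32(buf[32:])
	if _, taken := ks.Keys[id]; id == 0 || taken {
		return ks.AddNewKey() // practically never happens: retry with fresh randomness
	}
	ks.Keys[id] = &Key{ID: id, Enabled: true, aead: gcm}
	return id, nil
}

// SetPrimary promotes an enabled key; from now on Encrypt uses it.
func (ks *Keyset) SetPrimary(id uint32) error {
	if k, ok := ks.Keys[id]; !ok || !k.Enabled {
		return fmt.Errorf("key %d is missing or disabled", id)
	}
	ks.PrimaryID = id
	return nil
}

// Disable retires a key once nothing encrypted under it still needs reading.
// The primary is refused so the keyset can never end up unable to encrypt.
func (ks *Keyset) Disable(id uint32) error {
	k, ok := ks.Keys[id]
	if !ok || id == ks.PrimaryID {
		return fmt.Errorf("key %d is missing or is the current primary", id)
	}
	k.Enabled = false
	return nil
}

// KeyIDOf reads the 5-byte TINK output prefix: 0x01 || big-endian key ID.
func KeyIDOf(ct []byte) (uint32, error) {
	if len(ct) < 5 || ct[0] != 0x01 {
		return 0, errors.New("missing or unsupported output prefix")
	}
	return binary.BigEndian.Uint32(ct[1:5]), nil
}

// Encrypt always uses the primary and writes the key-ID prefix so a reader can
// pick the right key without trial decryption. Layout: prefix | nonce | ct+tag.
func (ks *Keyset) Encrypt(plaintext, aad []byte) ([]byte, error) {
	k, ok := ks.Keys[ks.PrimaryID]
	if !ok || !k.Enabled {
		return nil, errors.New("keyset has no enabled primary key")
	}
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 5, 5+len(nonce)+len(plaintext)+k.aead.Overhead())
	out[0] = 0x01
	binary.BigEndian.PutUint32(out[1:5], k.ID)
	out = append(out, nonce...)
	return k.aead.Seal(out, nonce, plaintext, aad), nil
}

// Decrypt selects the key named in the prefix; it must exist and be enabled.
func (ks *Keyset) Decrypt(ct, aad []byte) ([]byte, error) {
	id, err := KeyIDOf(ct)
	if err != nil {
		return nil, err
	}
	k, ok := ks.Keys[id]
	if !ok || !k.Enabled {
		return nil, fmt.Errorf("key %d is missing or disabled", id)
	}
	body, ns := ct[5:], k.aead.NonceSize()
	if len(body) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, body[:ns], body[ns:], aad)
}
```

A rotation job using this model does `AddNewKey` then `SetPrimary` on the new ID; data written afterwards carries the new ID in its prefix while data written earlier still decrypts under the old key. Only after re-encrypting or expiring everything under the old key does it call `Disable`, and the model refuses to disable whichever key is primary. Keeping that job in its own binary, as the answer recommends, means the service that calls `Encrypt` and `Decrypt` never needs the rights to change the keyset.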