New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requesting support for HSM Unseal method #300
Comments
I think #16 is a duplicate of this. It would be good to decide if we want to keep with the structure of go-kms-wrapping or if we'd like to simplify it in some way? |
We would be able to contribute/participate and have experience in the area. Maybe structuring around a more extensible architecture that allows for plugins would be very good. |
@jleni Yes, a plugin architecture is what PKCS#11 bindings would effectively let you achieve. The IMO, if we wish to keep just auto-unseal (and not seal wrapping or managed keys), we could revisit our decision to use The one thing I think I saw was that Azure KeyVault (their KMS offering) lacks PKCS#11 bindings of any sort (as does Transit), whereas most other KMS providers have PKCS#11 bindings... So maybe a Go pkcs#11 library would be nice, to eventually build Azure and Transit bindings without the need to put those SDKs in the main binary (like we do now).... Some Saturday thoughts. :-) But if you're willing, I might suggest spending some time looking at g-k-w and deciding what you think about keeping it versus replacing it. I'd take a careful look at the interfaces that exist presently, perhaps consider the ability to do key mobility/wrapping, and also at the extensibility of the protobuf files and make a determination there. |
Hi @cipherboy, Could you be more explicit about the changes that you have in mind concerning the go-kms-wrapping interface ? Which are, in your opinion, the main drawbacks of the current g-k-w? Many thanks! |
@DanGhita Hmmm... I think there's a few angles I can immediately articulate:
My 2c., but I think, given we only use it for auto-unseal today, perhaps it is scoped nicely enough that we could restructure to avoid using g-k-w, and build our own multi-provider encryption library, even if it does import SDKs, with nicer interfaces and better separations of concerns. Let me know if these thoughts are coherent this morning :-D |
Is your feature request related to a problem? Please describe.
Yes, this feature request is related to a problem. Currently, OpenBao does not support integration with Hardware Security Modules (HSM), a critical feature for enhancing security in sensitive environments. Many organizations, especially in sectors like finance and government, require HSM integration to meet compliance standards for cryptographic operations. This feature will enable OpenBao to automatically unseal using secure hardware, reduce operational complexity, and ensure that cryptographic keys are protected according to industry standards such as FIPS 140-2.
Describe the solution you'd like
I would like OpenBao to implement HSM integration to support automatic unsealing and enhanced security for encrypted data. This solution should include seamless setup and configuration for HSM devices that adhere to industry standards like FIPS 140-2. The integration should feature detailed documentation and command-line tools to facilitate easy and secure key management operations. Additionally, implementing the Seal Wrap feature will provide an additional layer of security, ensuring sensitive data is wrapped with an extra cryptographic barrier. This integration will make OpenBao a more robust tool for enterprises requiring high security standards.
Describe alternatives you've considered
As an alternative to integrating HSM support directly into OpenBao, we considered using software-based encryption keys with enhanced security measures. However in a private environment (non-cloud), the most securely viable is an HSM integration. Additionally, using HashiCorp Vault Enterprise was explored; however, it does not meet our cost constraints, making it less feasible for our project's budget. These alternatives, while potentially viable, do not fully meet the stringent compliance and security requirements that direct HSM integration would achieve.
Explain any additional use-cases
Adding HSM integration to OpenBao would also cater to use cases involving high-security applications, such as in government, healthcare, and banking sectors, where regulatory compliance demands hardware-level protection of encryption keys. I feel though an enterprise feature, this is a top priority item to implement as it will enable the adoption of OpenBao project in all environments.
Additional context
Integrating HSM with OpenBao aligns with industry best practices for security, particularly in sectors dealing with sensitive information. This feature would not only enhance the platform's attractiveness to prospective enterprise users but also leverage existing community expertise in HSM technologies to foster collaboration and innovation. By providing detailed documentation and examples, the adoption of this feature can be streamlined, encouraging widespread use and contributing to the robustness of OpenBao's security capabilities.
The text was updated successfully, but these errors were encountered: