Add chaging secret key for external KMS section

This patch updates the overview_encryption page to add a `Changing the encryption root secret of external KMS's` section to point out the slight difference in naming. I.E: key_id_<secret_id> vs. encryption_root_secret_<secret_id> This patch refers to both multikey support in the KMIP and KMS key masters, so really should land after both of them. Related-Change-Id: Ie52508e47d15ec5c4e96902d3c9f5f282d275683 Related-Change-Id: I4f485dcb31e5bea511c4e539c54681091fc5bb1c Change-Id: Ie4cd8ae038501c8abc43d09cf0b207ca375a4366
2018-08-17 10:31:59 +10:00 · 2018-08-17 10:31:59 +10:00 · 34aef9d091
commit 34aef9d091
parent fda3052a2d
1 changed files with 25 additions and 5 deletions
--- a/doc/source/overview_encryption.rst
+++ b/doc/source/overview_encryption.rst
@ -163,6 +163,8 @@ into GET and PUT requests by the :ref:`copy` middleware before reaching the
 encryption middleware and as a result object data and metadata is decrypted and
 re-encrypted when copied.

+.. _changing_the_root_secret:
+
 Changing the encryption root secret
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

@ -213,11 +215,12 @@ active root secret::

    To ensure there is no loss of data availability, deploying a new key to
    your cluster requires a two-stage config change. First, add the new key
-    to the ``key_id_<secret_id>`` option and restart the proxy-server. Do this
-    for all proxies. Next, set the ``active_root_secret_id`` option to the
-    new secret id and restart the proxy. Again, do this for all proxies. This
-    process ensures that all proxies will have the new key available for
-    *decryption* before any proxy uses it for *encryption*.
+    to the ``encryption_root_secret_<secret_id>`` option and restart the
+    proxy-server. Do this for all proxies. Next, set the
+    ``active_root_secret_id`` option to the new secret id and restart the
+    proxy. Again, do this for all proxies. This process ensures that all
+    proxies will have the new key available for *decryption* before any proxy
+    uses it for *encryption*.

 Encryption middleware
 ---------------------
@ -432,6 +435,23 @@ example::
    username = swift
    password = swift_password

+Changing the encryption root secret of external KMS's
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Because the KMS and KMIP keymaster's derive from the default KeyMaster they
+also have to ability to define multiple keys. The only difference is the key
+option names. Instead of using the form `encryption_root_secret_<secret_id>`
+both external KMS's use `key_id_<secret_id>`, as it is an extension of their
+existing configuration. For example::
+
+  ...
+  key_id = 1234567890
+  key_id_foo = 0987654321
+  key_id_bar = 5432106789
+  active_root_secret_id = foo
+  ...
+
+Other then that, the process is the same as :ref:`changing_the_root_secret`.

 Upgrade Considerations
 ----------------------