From 34aef9d091d60e567d3631010b288d7f4d49a532 Mon Sep 17 00:00:00 2001 From: Matthew Oliver Date: Fri, 17 Aug 2018 10:31:59 +1000 Subject: [PATCH] Add chaging secret key for external KMS section This patch updates the overview_encryption page to add a `Changing the encryption root secret of external KMS's` section to point out the slight difference in naming. I.E: key_id_ vs. encryption_root_secret_ This patch refers to both multikey support in the KMIP and KMS key masters, so really should land after both of them. Related-Change-Id: Ie52508e47d15ec5c4e96902d3c9f5f282d275683 Related-Change-Id: I4f485dcb31e5bea511c4e539c54681091fc5bb1c Change-Id: Ie4cd8ae038501c8abc43d09cf0b207ca375a4366 --- doc/source/overview_encryption.rst | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/doc/source/overview_encryption.rst b/doc/source/overview_encryption.rst index 78c94a871e..f5431e8167 100644 --- a/doc/source/overview_encryption.rst +++ b/doc/source/overview_encryption.rst @@ -163,6 +163,8 @@ into GET and PUT requests by the :ref:`copy` middleware before reaching the encryption middleware and as a result object data and metadata is decrypted and re-encrypted when copied. +.. _changing_the_root_secret: + Changing the encryption root secret ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -213,11 +215,12 @@ active root secret:: To ensure there is no loss of data availability, deploying a new key to your cluster requires a two-stage config change. First, add the new key - to the ``key_id_`` option and restart the proxy-server. Do this - for all proxies. Next, set the ``active_root_secret_id`` option to the - new secret id and restart the proxy. Again, do this for all proxies. This - process ensures that all proxies will have the new key available for - *decryption* before any proxy uses it for *encryption*. + to the ``encryption_root_secret_`` option and restart the + proxy-server. Do this for all proxies. Next, set the + ``active_root_secret_id`` option to the new secret id and restart the + proxy. Again, do this for all proxies. This process ensures that all + proxies will have the new key available for *decryption* before any proxy + uses it for *encryption*. Encryption middleware --------------------- @@ -432,6 +435,23 @@ example:: username = swift password = swift_password +Changing the encryption root secret of external KMS's +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Because the KMS and KMIP keymaster's derive from the default KeyMaster they +also have to ability to define multiple keys. The only difference is the key +option names. Instead of using the form `encryption_root_secret_` +both external KMS's use `key_id_`, as it is an extension of their +existing configuration. For example:: + + ... + key_id = 1234567890 + key_id_foo = 0987654321 + key_id_bar = 5432106789 + active_root_secret_id = foo + ... + +Other then that, the process is the same as :ref:`changing_the_root_secret`. Upgrade Considerations ----------------------