Add chaging secret key for external KMS section
This patch updates the overview_encryption page to add a `Changing the encryption root secret of external KMS's` section to point out the slight difference in naming. I.E: key_id_<secret_id> vs. encryption_root_secret_<secret_id> This patch refers to both multikey support in the KMIP and KMS key masters, so really should land after both of them. Related-Change-Id: Ie52508e47d15ec5c4e96902d3c9f5f282d275683 Related-Change-Id: I4f485dcb31e5bea511c4e539c54681091fc5bb1c Change-Id: Ie4cd8ae038501c8abc43d09cf0b207ca375a4366
This commit is contained in:
Matthew Oliver
Tim Burke
parent
fda3052a2d
commit
34aef9d091
@ -163,6 +163,8 @@ into GET and PUT requests by the :ref:`copy` middleware before reaching the
|
|||||||
encryption middleware and as a result object data and metadata is decrypted and
|
encryption middleware and as a result object data and metadata is decrypted and
|
||||||
re-encrypted when copied.
|
re-encrypted when copied.
|
||||||
|
|
||||||
|
.. _changing_the_root_secret:
|
||||||
|
|
||||||
Changing the encryption root secret
|
Changing the encryption root secret
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
@ -213,11 +215,12 @@ active root secret::
|
|||||||
|
|
||||||
To ensure there is no loss of data availability, deploying a new key to
|
To ensure there is no loss of data availability, deploying a new key to
|
||||||
your cluster requires a two-stage config change. First, add the new key
|
your cluster requires a two-stage config change. First, add the new key
|
||||||
to the ``key_id_<secret_id>`` option and restart the proxy-server. Do this
|
to the ``encryption_root_secret_<secret_id>`` option and restart the
|
||||||
for all proxies. Next, set the ``active_root_secret_id`` option to the
|
proxy-server. Do this for all proxies. Next, set the
|
||||||
new secret id and restart the proxy. Again, do this for all proxies. This
|
``active_root_secret_id`` option to the new secret id and restart the
|
||||||
process ensures that all proxies will have the new key available for
|
proxy. Again, do this for all proxies. This process ensures that all
|
||||||
*decryption* before any proxy uses it for *encryption*.
|
proxies will have the new key available for *decryption* before any proxy
|
||||||
|
uses it for *encryption*.
|
||||||
|
|
||||||
Encryption middleware
|
Encryption middleware
|
||||||
---------------------
|
---------------------
|
||||||
@ -432,6 +435,23 @@ example::
|
|||||||
username = swift
|
username = swift
|
||||||
password = swift_password
|
password = swift_password
|
||||||
|
|
||||||
|
Changing the encryption root secret of external KMS's
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Because the KMS and KMIP keymaster's derive from the default KeyMaster they
|
||||||
|
also have to ability to define multiple keys. The only difference is the key
|
||||||
|
option names. Instead of using the form `encryption_root_secret_<secret_id>`
|
||||||
|
both external KMS's use `key_id_<secret_id>`, as it is an extension of their
|
||||||
|
existing configuration. For example::
|
||||||
|
|
||||||
|
...
|
||||||
|
key_id = 1234567890
|
||||||
|
key_id_foo = 0987654321
|
||||||
|
key_id_bar = 5432106789
|
||||||
|
active_root_secret_id = foo
|
||||||
|
...
|
||||||
|
|
||||||
|
Other then that, the process is the same as :ref:`changing_the_root_secret`.
|
||||||
|
|
||||||
Upgrade Considerations
|
Upgrade Considerations
|
||||||
----------------------
|
----------------------
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user