Description
Starting with the AWS Encryption SDK for C, we moved from master keys/providers to keyrings as a configuration/framework primitive. We need to add corresponding keyrings to this client as well.
In order to maintain backwards compatibility, we need to retain the existing master key provider (MKP) framework and support the use of MKPs within the new keyring framework. After discussing several options, we decided that the best route to accomplish this is with an MKP keyring.
This MKP keyring will take an MKP as input and provide the MK/MKP management logic currently in DefaultCryptoMaterialsManager, along with the necessary keyring logic (for example, adding keyring traces), all wrapped up in the new keyring interface.
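As an added illustration of the adapter described above (example code written for this page, not the aws-encryption-sdk-python project's own code or API), the following shows a keyring that wraps a master key provider: on encrypt it lets the first master key generate the data key and every master key wrap it, on decrypt it tries only the encrypted data keys that belong to one of its master keys, and it records a keyring trace entry for each master-key operation. Every class, method and flag name here is an assumption, the master keys and provider are constructed stand-ins, and the HMAC-derived one-time pad used for wrapping is a toy with no integrity protection (a real master key would call KMS or use authenticated encryption such as AES-GCM).

```python
"""Hypothetical MKP keyring adapter (added example; all names are assumptions)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Flag, auto


class KeyringTraceFlag(Flag):
    """Assumed trace flags; the real set and values are defined by the project."""
    GENERATED_DATA_KEY = auto()
    ENCRYPTED_DATA_KEY = auto()
    DECRYPTED_DATA_KEY = auto()


@dataclass(frozen=True)
class KeyringTrace:
    provider_id: str
    key_id: str
    flags: KeyringTraceFlag


@dataclass(frozen=True)
class EncryptedDataKey:
    provider_id: str
    key_id: str
    ciphertext: bytes


@dataclass
class EncryptionMaterials:
    encryption_context: dict
    data_key: bytes | None = None
    encrypted_data_keys: list = field(default_factory=list)
    keyring_trace: list = field(default_factory=list)


@dataclass
class DecryptionMaterials:
    encryption_context: dict
    data_key: bytes | None = None
    keyring_trace: list = field(default_factory=list)


class ToyMasterKey:
    """Constructed stand-in for a master key. The wrapping is an HMAC-derived
    one-time pad with no integrity check; a real MK would call KMS or use AES-GCM."""
    provider_id = "toy-provider"

    def __init__(self, key_id: str, secret: bytes):
        self.key_id = key_id
        self._secret = secret

    def _pad(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()  # 32 bytes

    def encrypt_data_key(self, plaintext: bytes) -> EncryptedDataKey:
        if len(plaintext) > 32:
            raise ValueError("toy pad covers at most 32 bytes")
        nonce = os.urandom(16)
        wrapped = bytes(a ^ b for a, b in zip(plaintext, self._pad(nonce)))
        return EncryptedDataKey(self.provider_id, self.key_id, nonce + wrapped)

    def decrypt_data_key(self, edk: EncryptedDataKey) -> bytes:
        nonce, wrapped = edk.ciphertext[:16], edk.ciphertext[16:]
        return bytes(a ^ b for a, b in zip(wrapped, self._pad(nonce)))


class ToyMasterKeyProvider:
    """Constructed stand-in for an MKP: the first key generates, all keys wrap."""

    def __init__(self, master_keys: list[ToyMasterKey]):
        self._keys = {(k.provider_id, k.key_id): k for k in master_keys}

    def master_keys_for_encryption(self) -> list[ToyMasterKey]:
        return list(self._keys.values())

    def master_key_for_decrypt(self, edk: EncryptedDataKey) -> ToyMasterKey | None:
        return self._keys.get((edk.provider_id, edk.key_id))


class MasterKeyProviderKeyring:
    """Adapter exposing an MKP through the keyring interface and recording a
    keyring trace entry for every master-key operation."""

    def __init__(self, provider: ToyMasterKeyProvider):
        self._provider = provider

    def on_encrypt(self, materials: EncryptionMaterials) -> EncryptionMaterials:
        keys = self._provider.master_keys_for_encryption()
        if materials.data_key is None:
            # No upstream keyring supplied a data key: the first MK generates it.
            generator, keys = keys[0], keys[1:]
            materials.data_key = os.urandom(32)
            self._wrap(generator, materials, KeyringTraceFlag.GENERATED_DATA_KEY)
        for key in keys:
            self._wrap(key, materials, KeyringTraceFlag(0))
        return materials

    def _wrap(self, key: ToyMasterKey, materials: EncryptionMaterials, extra: KeyringTraceFlag):
        materials.encrypted_data_keys.append(key.encrypt_data_key(materials.data_key))
        materials.keyring_trace.append(
            KeyringTrace(key.provider_id, key.key_id, KeyringTraceFlag.ENCRYPTED_DATA_KEY | extra))

    def on_decrypt(self, materials: DecryptionMaterials,
                   edks: list[EncryptedDataKey]) -> DecryptionMaterials:
        if materials.data_key is not None:
            return materials  # An earlier keyring already decrypted: nothing to do.
        for edk in edks:
            key = self._provider.master_key_for_decrypt(edk)
            if key is None:
                continue  # Not one of our keys; leave it for another keyring.
            materials.data_key = key.decrypt_data_key(edk)
            materials.keyring_trace.append(
                KeyringTrace(key.provider_id, key.key_id, KeyringTraceFlag.DECRYPTED_DATA_KEY))
            break
        return materials
```

The trace entries are what distinguishes this from simply calling the MKP directly: a materials manager can later check that the data key was generated and wrapped by the expected keys, and on decrypt can see which key actually unwrapped it. Skipping encrypted data keys the provider does not own is what lets this keyring sit inside a multi-keyring next to others.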
As a temporary measure, in order to enable end-to-end keyring tests without tackling the MKP keyring and the updates to DefaultCryptoMaterialsManager, we will need to make a KeyringDefaultCryptoMaterialsManager that handles the signing/verification keys but only understands keyrings.
All keyring development PRs should be made to the keyring branch.
- Updated cryptographic materials to meet keyring needs [pr: Keyring materials #163]
- Make updated encryption materials immutable [issue: [keyring] immutable cryptographic materials #214]
- KeyringTraceFlag does not need to be value/name-compatible with C [issue: [keyring] keyring trace flag values #215]
- Keyring interface [pr: Keyring base API #161]
- AWS KMS keyring [issue: [keyring] add AWS KMS keyring #212] [pr: feat: add AWS KMS keyring #218]
- Raw RSA keyring [pr: Raw keyrings #165]
- Raw AES keyring [pr: Raw keyrings #165]
- Multi keyring [pr: Multi keyrings #166]
- Enable keyring use. [issue: [keyring] Enable use of keyrings #211] [pr: feat: enable use of keyrings #216]
- Migration guide for users [issue: [keyring] keyring migration guide #213]