Introduces Key Management Service (KMS) integration for encrypting master keys at rest using external providers. Implements interface segregation pattern with domain-layer minimal interfaces and service-layer gocloud.dev integration. Supported providers: localsecrets (testing), Google Cloud KMS, AWS KMS, Azure Key Vault, and HashiCorp Vault. Master key decryption happens once at startup with no per-operation KMS calls for optimal performance.

Key changes:
- Add KMSService and KMSKeeper interfaces to domain layer (minimal dependencies)
- Add gocloud.dev/secrets-based KMS service with all provider drivers
- Add KMS_PROVIDER and KMS_KEY_URI environment variables for mode selection
- Add auto-detection logic to distinguish KMS vs legacy plaintext mode
- Add rotate-master-key CLI command for staged master key rotation workflow
- Add KMS flags to create-master-key (--kms-provider, --kms-key-uri)
- Add URI masking helper to redact sensitive KMS key identifiers from logs
- Add error validation for inconsistent KMS configuration at startup
- Add comprehensive test coverage using localsecrets provider
- Add KMS setup guide (docs/operations/kms-setup.md)
- Add KMS migration checklist (docs/operations/kms-migration-checklist.md)
- Update all docs and examples to v0.6.0 with KMS references

Security improvements:
- Master keys now encrypted at rest when using KMS mode
- Startup validation ensures KMS configuration consistency
- Explicit error paths for KMS decryption failures
- Preserved memory zeroing for decrypted master key material

Breaking changes: none (backward compatible with legacy plaintext mode)

Closes enhancement for production-grade master key protection.
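The following is an added example, not code from this pull request or the project it belongs to. It sketches the pattern the commit message describes (a keeper abstraction over the KMS, a single startup decryption of the wrapped master key, the KMS-versus-legacy mode check on KMS_PROVIDER / KMS_KEY_URI, log-safe masking of the key URI, and zeroing of the decrypted material) using only the Go standard library so it runs offline. The Keeper interface shape, the function names NewLocalKeeper, DetectMode, MaskKeyURI, LoadMasterKey and Zero, the AES-GCM "local" keeper standing in for the localsecrets driver, the 32-byte master key length and the fingerprint-based masking scheme are all assumptions for illustration, not the PR's actual API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Keeper stands in for the PR's KMSKeeper interface (shape assumed; the context parameter of gocloud.dev/secrets.Keeper is dropped so this runs offline).
type Keeper interface {
	Encrypt(plaintext []byte) ([]byte, error)
	Decrypt(ciphertext []byte) ([]byte, error)
}

// localKeeper mimics the localsecrets driver: AES-256-GCM under an in-process KEK (assumed stand-in).
type localKeeper struct{ aead cipher.AEAD }

func NewLocalKeeper(kek []byte) (Keeper, error) {
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &localKeeper{aead: aead}, nil
}

func (k *localKeeper) Encrypt(pt []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, pt, nil), nil // nonce || ciphertext || tag
}

func (k *localKeeper) Decrypt(ct []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(ct) < n+k.aead.Overhead() {
		return nil, fmt.Errorf("kms: ciphertext too short (%d bytes)", len(ct))
	}
	return k.aead.Open(nil, ct[:n], ct[n:], nil)
}

// DetectMode is the startup consistency check on KMS_PROVIDER / KMS_KEY_URI:
// both set -> KMS mode, both empty -> legacy plaintext, a half-set pair -> error, never a silent fallback.
func DetectMode(provider, keyURI string) (kmsMode bool, err error) {
	switch {
	case provider == "" && keyURI == "":
		return false, nil
	case provider != "" && keyURI != "":
		return true, nil
	default:
		return false, fmt.Errorf("kms: inconsistent config: KMS_PROVIDER=%q KMS_KEY_URI=%s", provider, MaskKeyURI(keyURI))
	}
}

// MaskKeyURI keeps the scheme plus a short fingerprint, so logs stay correlatable
// without exposing the key path (or, for base64key:// localsecrets URIs, the key itself).
func MaskKeyURI(uri string) string {
	scheme, _, ok := strings.Cut(uri, "://")
	if !ok {
		scheme = "unknown"
	}
	fp := sha256.Sum256([]byte(uri))
	return fmt.Sprintf("%s://***[fp=%x]", scheme, fp[:4])
}

// LoadMasterKey is the one-time startup decryption; callers Zero the result when done.
func LoadMasterKey(k Keeper, wrapped []byte) ([]byte, error) {
	mk, err := k.Decrypt(wrapped)
	if err != nil {
		return nil, fmt.Errorf("kms: master key decryption failed: %w", err)
	}
	if len(mk) != 32 { // assumed master key size; wrong length is an explicit failure, not a warning
		Zero(mk)
		return nil, fmt.Errorf("kms: decrypted master key has %d bytes, want 32", len(mk))
	}
	return mk, nil
}

// Zero overwrites key material in place once it is no longer needed.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kek, master := make([]byte, 32), make([]byte, 32) // constructed test KEK and master key
	rand.Read(kek)
	rand.Read(master)
	keeper, _ := NewLocalKeeper(kek)
	wrapped, _ := keeper.Encrypt(master) // the at-rest form KMS mode persists
	got, err := LoadMasterKey(keeper, wrapped)
	fmt.Println("roundtrip ok:", err == nil && string(got) == string(master))
	Zero(got)
}
```

Two points worth checking in any real implementation of this pattern: a half-configured environment (provider without URI, or the reverse) must fail startup rather than quietly drop to plaintext mode, and the masked URI should be the only form that ever reaches a log line, including the error produced by that failure.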