EJBCA / ECA-8913

Support AWS KMS (Key Management Service, different from AWS CloudHSM)

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.4.0
    • Component/s: None
    • Labels:
      None
    • Provenance:
      Internal Delivery
    • Sprint:
      EJBCA Team Bob -2020 w10

      Description

      Apart from AWS CloudHSM (Cavium/Marvell based), AWS also has a Key Management Service (KMS). Since November 2019, KMS can handle asymmetric keys (previously it only did symmetric ones). It uses a JSON based API (REST-like, but not really following RESTful principles).

      https://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html

      We have quite some experience in adding new REST based Crypto Tokens by now, so add this too.

       To use:

      • Log into your AWS account and activate the KMS
      • Get API credentials for your AWS user by going to your account->My Security Credentials.
      • Create an access key under the section "Access keys for CLI, SDK, & API access". You'll get to download the secret.
      • Use the Access Key ID and the AWS region of your KMS when creating a Crypto Token in EJBCA, and enter the secret access key as the crypto token authentication code.
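
The steps above leave the crypto token holding an access key ID, a secret access key and a region; what it then does with them is send SigV4-signed JSON requests to the regional KMS endpoint. As an added example (not EJBCA's own code, and not part of this ticket), here is a stdlib-only Python builder for such a request: it produces a KMS Sign call over a pre-computed digest, the way a CA would sign a TBSCertificate, and a CreateKey call that fixes the key usage. The access key ID, secret, key ARN, message bytes and timestamp are constructed placeholders, and nothing is sent over the network.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed placeholder credentials and key ARN (not real). In EJBCA the access
# key ID and region are crypto token properties; the secret is the auth code.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "eu-west-1"
KEY_ID = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
EXAMPLE_TIME = datetime.datetime(2020, 3, 2, 12, 0, 0)  # fixed clock for reproducibility


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: an HMAC chain over date, region, service and 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def kms_request(action: str, body: dict, *, now: datetime.datetime,
                access_key_id: str = ACCESS_KEY_ID, secret: str = SECRET_ACCESS_KEY,
                region: str = REGION) -> dict:
    """Build a SigV4-signed KMS JSON request (POST / with X-Amz-Target) without sending it.
    Returns url, headers and body so the caller can inspect or send them with any HTTP client."""
    host = f"kms.{region}.amazonaws.com"
    payload = json.dumps(body, separators=(",", ":"))
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(payload.encode("utf-8")).hexdigest()

    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": f"TrentService.{action}",  # KMS names its API operations this way
    }
    # Canonical headers: lower-cased names, sorted, one per line; the signed-header list
    # must match exactly or the endpoint rejects the signature.
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/kms/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret, date_stamp, region, "kms"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"url": f"https://{host}/", "headers": headers, "body": payload}


def sign_digest_request(key_id: str, digest: bytes, now: datetime.datetime) -> dict:
    """KMS Sign over a pre-hashed message (MessageType DIGEST), as a CA does for a TBSCertificate."""
    body = {
        "KeyId": key_id,
        "Message": base64.b64encode(digest).decode("ascii"),
        "MessageType": "DIGEST",
        "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256",
    }
    return kms_request("Sign", body, now=now)


def create_key_request(key_usage: str, key_spec: str, now: datetime.datetime) -> dict:
    """KMS CreateKey. KeyUsage is fixed at creation and is either SIGN_VERIFY or ENCRYPT_DECRYPT,
    never both, which is why one KMS key cannot serve both CA signing and SCEP message decryption."""
    if key_usage not in ("SIGN_VERIFY", "ENCRYPT_DECRYPT"):
        raise ValueError("asymmetric KMS keys are created for exactly one usage")
    body = {"KeyUsage": key_usage, "KeySpec": key_spec,
            "Description": "constructed example: EJBCA CA signing key"}
    return kms_request("CreateKey", body, now=now)


def example_request() -> dict:
    """Deterministic Sign request: SHA-256 of a constructed message at the fixed example time."""
    digest = hashlib.sha256(b"constructed TBSCertificate bytes").digest()
    return sign_digest_request(KEY_ID, digest, EXAMPLE_TIME)


if __name__ == "__main__":
    req = example_request()
    print(req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
    print(req["body"])
```

The secret access key never leaves the host; it only seeds the HMAC chain in `signing_key`, and the derived signing key is scoped to one day, one region and one service. To actually send the request, POST `body` to `url` with `headers` using any HTTP client; the response to Sign is a JSON object whose `Signature` field is base64. In a real deployment the credentials would be scoped by an IAM policy to `kms:Sign` on the CA key rather than being full user keys.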

      The only drawback of AWS KMS is that a key can be used either for sign/verify or for encrypt/decrypt, not both (the key usage is fixed when the key is created). This means that SCEP, which uses the CA key both for signing (issuing certificates) and for message protection (the client encrypts/wraps the symmetric key for SCEP message encryption to the CA key), will not work as we have currently implemented it.

      A separate SCEP message protection key would have to be created (for example a soft key, like the CMS service key), which the SCEP protocol supports (but we don't know how that is supported by different SCEP clients).

              People

               Assignee: tomas (Tomas Gustavsson)
               Reporter: tomas (Tomas Gustavsson)
               Verified by: Samuel Lidén Borell
               Votes: 1
               Watchers: 6


               Time Tracking

               Original Estimate: 1 week
               Remaining Estimate: 1 week
               Time Spent: Not Specified