Transit engine ecdh key exchange / shared secret derivation #28529

Open
sjones4 opened this issue Sep 27, 2024 · 0 comments

sjones4 commented Sep 27, 2024

Is your feature request related to a problem? Please describe.
Vault's transit secret engine supports ecdsa key types but does not allow these keys to be used for ecdh key exchange.

AWS KMS for example allows this functionality:
https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html

Describe the solution you'd like
Add a derive path for keys in the transit secrets engine allowing the caller to provide a public key and returning the shared secret.

Describe alternatives you've considered
The key can be made exportable and the ecdh operation performed outside of Vault; this is not ideal as it is less secure.

Additional context
Example implementation that could be the basis for a PR:
sjones4@dbe03f2
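The derive path requested above, sketched as an added example in Go (this is not code from the issue, the linked commit, or Vault itself): the server-side operation keeps the private key inside the engine, takes the caller's public key as a PEM-encoded SubjectPublicKeyInfo (an assumed input format), and returns the raw ECDH shared secret via the standard library's crypto/ecdh. It also carries the check a reviewer would ask for on untrusted input: the peer key must be a valid point on the same curve as the transit key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// deriveSharedSecret models the server side of the proposed transit derive path:
// the private key stays inside the engine, the caller sends a PEM-encoded
// SubjectPublicKeyInfo, and the raw ECDH shared secret comes back for a KDF.
func deriveSharedSecret(priv *ecdsa.PrivateKey, peerPEM []byte) ([]byte, error) {
	block, _ := pem.Decode(peerPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("peer key: expected a PEM PUBLIC KEY block")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("peer key: %w", err)
	}
	peerECDSA, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("peer key: not an EC public key")
	}
	// The peer key is untrusted input: crypto/ecdh rejects points that are not
	// on the curve, and PrivateKey.ECDH refuses a peer on a different curve, so
	// a P-384 key sent to a P-256 transit key is an error, not a bogus secret.
	ours, err := priv.ECDH()
	if err != nil {
		return nil, fmt.Errorf("transit key: %w", err)
	}
	peer, err := peerECDSA.ECDH()
	if err != nil {
		return nil, fmt.Errorf("peer key: %w", err)
	}
	return ours.ECDH(peer)
}

func main() {
	transitKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // held by Vault
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // held by caller
	der, _ := x509.MarshalPKIXPublicKey(&clientKey.PublicKey)
	clientPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	secret, err := deriveSharedSecret(transitKey, clientPEM)
	fmt.Printf("shared secret: %x (err=%v)\n", secret, err)
}
```

The returned bytes are the x-coordinate of the ECDH result and should be fed through a KDF, not used directly as a symmetric key.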
