
Given an application that has to acquire private keys (mainly RSA ones) from a Key Management System (KMS), which could be a Hardware Security Module (HSM), what could be the best way to implement that kind of client if there's no way to know in advance the KMS implementation the application will have to deal with?


Sub-questions arise from the main one:

  1. Is there a unified client library that tries to close the gap between different implementations?
    • One that targets KMIP (Key Management Interoperability Protocol) implementations at least would be a good example.
    • What language is it for? The more languages a single library targets, the better.
    • Is there one for Java (what my application will run on, but I'm trying to keep the question open)?
  2. If there's none or little that targets multiple server implementations, are there specific clients for specific implementations? I'm thinking mostly about the most used ones amongst SMBs (small and medium-sized businesses) and big companies.
    • What language is it for? The more languages a single library targets, the better.
    • Are there some for Java?
  3. If none of those actually exist or if there's no client library for the implementation most needed, what would be the best way to design the application to be easily adaptable in the future to other implementations while focusing on a first one?
    • I guess it would be a good idea to focus on a KMIP-compliant one first?
  4. Are there actual samples of working code out there on the internet? Even UML diagrams? These kinds of resources feel quite scarce.
  5. Am I just foolish to think all that exists, and all of those implementations actually use RESTful APIs and everything has to be implemented on the client side to adapt to every kind of server implementation?

Bonus question:

Is Google's Cloud Key Management Service KMIP compliant or not? It doesn't appear to be the case, but I couldn't actually manage to find a clear yes or a clear no.


Other useful resources:

Vrakfall

Comments:

  • I have an answer for the bonus question: Google Cloud KMS/Cloud HSM is not KMIP compatible; we're interested in it, but the protocol is not well aligned with operating as a service. I don't have the bandwidth to discuss the rest right now, but I'm not aware of a good multi-service abstraction client. Always happy to further discuss at cloudkms-feedback@google.com. – Tim Dierks Aug 02 '18 at 00:45
  • @TimDierks Thank you very much, it is clearer now. I should take advantage of the fact that you're directly involved in that product to ask you [another question on Google Cloud KMS](https://stackoverflow.com/questions/51652261/why-doesnt-google-cloud-key-management-services-java-client-library-support-an). I did it in another question thread as it's already far off the first topic here, and I should already have done that for the bonus question. I feel it's also better there than by email so other people can also see the answer to it. – Vrakfall Aug 02 '18 at 11:17
  • Have you considered using [Tink](https://github.com/google/tink)? I believe it aims to provide a key management client library that [abstracts some of the details of interacting with a few different key management systems](https://github.com/google/tink/blob/master/docs/KEY-MANAGEMENT.md#key-management-systems), including Google Cloud KMS. – Russ Amos Aug 02 '18 at 14:38
  • @RussAmos Neat, it appears to do at least a part of what I need. There's still something blurry, though. For example, it doesn't look like I can use it to retrieve a private key and use it with another library that doesn't implement Tink, or am I misunderstanding something? I saw there's a possibility to implement primitives, but I don't understand if that can help me wrap a non-Tink crypto library. I'm going to post an issue on their GitHub to clarify that. – Vrakfall Aug 03 '18 at 17:25
  • [The issue is here](https://github.com/google/tink/issues/102) by the way. :) – Vrakfall Aug 03 '18 at 21:47
  • I do not know the answer; hopefully a Tink dev is able to answer. Note, though, that Google Cloud KMS does not export private keys. You'll need to use a different KMS for this (unless the SSH server is using the private key by calling the Cloud KMS API; I'm not aware of any SSH server that has this capability). If I were to use Cloud KMS for this, I would create a symmetric encryption key in KMS and use that to encrypt a local file that contained a private key that I generated locally, then decrypt and use the private key on demand. – Russ Amos Aug 06 '18 at 15:47
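A sketch of the adapter-plus-envelope design that question 3 and the last comment point at, added here as an example that is not from the question or from any library mentioned on the page: the application codes against a small `KeyManagementClient` interface, the RSA key is generated locally and only its KMS-wrapped PKCS#8 encoding is persisted, and the plain `java.security.PrivateKey` is rebuilt on demand for libraries that need one. `KeyManagementClient`, `InMemoryKmsClient`, the `kmsKeyId` value and the in-memory AES-GCM backend are assumptions standing in for a real Cloud KMS, KMIP or PKCS#11 adapter.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical narrow contract the application codes against; one adapter per backend (Cloud KMS, KMIP, PKCS#11...). */
interface KeyManagementClient {
    byte[] wrap(String kmsKeyId, byte[] plaintext) throws GeneralSecurityException;
    byte[] unwrap(String kmsKeyId, byte[] blob) throws GeneralSecurityException;
}
/** Stand-in adapter constructed for this example: AES-256-GCM under a master key that never leaves this object. */
class InMemoryKmsClient implements KeyManagementClient {
    private final SecretKey masterKey = new SecretKeySpec(randomBytes(32), "AES");
    private static byte[] randomBytes(int n) { byte[] b = new byte[n]; new SecureRandom().nextBytes(b); return b; }
    public byte[] wrap(String kmsKeyId, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = randomBytes(12);                            // fresh 96-bit nonce for every wrap
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, masterKey, new GCMParameterSpec(128, iv));
        c.updateAAD(kmsKeyId.getBytes(StandardCharsets.UTF_8)); // bind the blob to the key id it was wrapped under
        byte[] ct = c.doFinal(plaintext);
        byte[] blob = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return blob;                                            // iv || ciphertext || GCM tag
    }
    public byte[] unwrap(String kmsKeyId, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, masterKey, new GCMParameterSpec(128, Arrays.copyOf(blob, 12)));
        c.updateAAD(kmsKeyId.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(blob, 12, blob.length - 12);           // AEADBadTagException if the blob or id was altered
    }
}

public class EnvelopeKeyStore {
    public static void main(String[] args) throws GeneralSecurityException {
        KeyManagementClient kms = new InMemoryKmsClient();
        String kmsKeyId = "wrapping-key-1";                     // placeholder: the KMS resource name in a real backend
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();                   // generated locally; the KMS never sees the private key
        byte[] wrapped = kms.wrap(kmsKeyId, pair.getPrivate().getEncoded()); // wrapped PKCS#8 DER: this is what you persist
        // On demand: unwrap and rebuild a plain PrivateKey for any library that does not speak to the KMS itself.
        PrivateKey priv = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(kms.unwrap(kmsKeyId, wrapped)));
        System.out.println("rebuilt key matches original: " + Arrays.equals(priv.getEncoded(), pair.getPrivate().getEncoded()));
    }
}
```

A Cloud KMS adapter would implement `wrap`/`unwrap` by calling the service's encrypt and decrypt operations on a symmetric key, which matches the comment above that the service itself never exports private keys.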

0 Answers