[ceph.git] / ceph / src / rgw / rgw_kms.h

// -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab

/**
 * Server-side encryption integrations with Key Management Systems (SSE-KMS)
 */

#ifndef CEPH_RGW_KMS_H
#define CEPH_RGW_KMS_H

static const std::string RGW_SSE_KMS_BACKEND_TESTING = "testing";
static const std::string RGW_SSE_KMS_BACKEND_BARBICAN = "barbican";
static const std::string RGW_SSE_KMS_BACKEND_VAULT = "vault";
static const std::string RGW_SSE_KMS_BACKEND_KMIP = "kmip";

static const std::string RGW_SSE_KMS_VAULT_AUTH_TOKEN = "token";
static const std::string RGW_SSE_KMS_VAULT_AUTH_AGENT = "agent";

static const std::string RGW_SSE_KMS_VAULT_SE_TRANSIT = "transit";
static const std::string RGW_SSE_KMS_VAULT_SE_KV = "kv";

static const std::string RGW_SSE_KMS_KMIP_SE_KV = "kv";

/**
 * Retrieves the actual server-side encryption key from a KMS system given a
 * key ID. Currently supported KMS systems are OpenStack Barbican and HashiCorp
 * Vault, but keys can also be retrieved from Ceph configuration file (if
 * kms is set to 'local').
 *
 * \params
 * TODO
 * \return
 */
int make_actual_key_from_kms(CephContext *cct,
                            map<string, bufferlist>& attrs,
                            std::string& actual_key);
int reconstitute_actual_key_from_kms(CephContext *cct,
                            map<string, bufferlist>& attrs,
                            std::string& actual_key);

/**
 * SecretEngine Interface
 * Defining interface here such that we can use both a real implementation
 * of this interface, and a mock implementation in tests.
**/
class SecretEngine {

public:
  virtual int get_key(std::string_view key_id, std::string& actual_key) = 0;
  virtual ~SecretEngine(){};
};
#endif
Commit	Line	Data
9f95a23c TL	1	// -- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3
	4	/**
	5	* Server-side encryption integrations with Key Management Systems (SSE-KMS)
	6	*/
	7
	8	#ifndef CEPH_RGW_KMS_H
	9	#define CEPH_RGW_KMS_H
	10
	11	static const std::string RGW_SSE_KMS_BACKEND_TESTING = "testing";
	12	static const std::string RGW_SSE_KMS_BACKEND_BARBICAN = "barbican";
	13	static const std::string RGW_SSE_KMS_BACKEND_VAULT = "vault";
f67539c2	14	static const std::string RGW_SSE_KMS_BACKEND_KMIP = "kmip";
9f95a23c TL	15
	16	static const std::string RGW_SSE_KMS_VAULT_AUTH_TOKEN = "token";
	17	static const std::string RGW_SSE_KMS_VAULT_AUTH_AGENT = "agent";
	18
	19	static const std::string RGW_SSE_KMS_VAULT_SE_TRANSIT = "transit";
	20	static const std::string RGW_SSE_KMS_VAULT_SE_KV = "kv";
	21
f67539c2 TL	22	static const std::string RGW_SSE_KMS_KMIP_SE_KV = "kv";
f67539c2 TL	23
9f95a23c TL	24	/**
	25	* Retrieves the actual server-side encryption key from a KMS system given a
	26	* key ID. Currently supported KMS systems are OpenStack Barbican and HashiCorp
	27	* Vault, but keys can also be retrieved from Ceph configuration file (if
	28	* kms is set to 'local').
	29	*
	30	* \params
	31	* TODO
	32	* \return
	33	*/
f67539c2 TL	34	int make_actual_key_from_kms(CephContext *cct,
	35	map<string, bufferlist>& attrs,
	36	std::string& actual_key);
	37	int reconstitute_actual_key_from_kms(CephContext *cct,
	38	map<string, bufferlist>& attrs,
9f95a23c TL	39	std::string& actual_key);
	40
	41	/**
	42	* SecretEngine Interface
	43	* Defining interface here such that we can use both a real implementation
	44	* of this interface, and a mock implementation in tests.
	45	**/
	46	class SecretEngine {
	47
	48	public:
f67539c2	49	virtual int get_key(std::string_view key_id, std::string& actual_key) = 0;
9f95a23c	50	virtual ~SecretEngine(){};
9f95a23c TL	51	};
9f95a23c TL	52	#endif