1 // -*- mode:C; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
5 * Server-side encryption integrations with Key Management Systems (SSE-KMS)
// KMS backend names.
// NOTE(review): presumably compared against a configuration option that
// selects the backend; the option itself is not visible in this excerpt.
// NOTE(review): a backend called "testing" should not be selectable on a
// production gateway. What it does with key material is not shown here --
// confirm against the implementation and gate it accordingly.
static const std::string RGW_SSE_KMS_BACKEND_TESTING = "testing";
static const std::string RGW_SSE_KMS_BACKEND_BARBICAN = "barbican";
static const std::string RGW_SSE_KMS_BACKEND_VAULT = "vault";
static const std::string RGW_SSE_KMS_BACKEND_KMIP = "kmip";

// Vault authentication method names.
static const std::string RGW_SSE_KMS_VAULT_AUTH_TOKEN = "token";
static const std::string RGW_SSE_KMS_VAULT_AUTH_AGENT = "agent";

// Vault secret engine names ("SE" presumably stands for SecretEngine).
static const std::string RGW_SSE_KMS_VAULT_SE_TRANSIT = "transit";
static const std::string RGW_SSE_KMS_VAULT_SE_KV = "kv";

// KMIP secret engine name. It has the same value as RGW_SSE_KMS_VAULT_SE_KV,
// so the string alone does not tell the two backends apart.
static const std::string RGW_SSE_KMS_KMIP_SE_KV = "kv";
/**
 * Retrieves the actual server-side encryption key from a KMS system given a
 * key ID. Currently supported KMS systems are OpenStack Barbican and HashiCorp
 * Vault, but keys can also be retrieved from the Ceph configuration file (if
 * kms is set to 'local').
 *
 * NOTE(review): the backend constants declared in this file are "testing",
 * "barbican", "vault" and "kmip"; none of them is "local", so the list above
 * may be out of date -- confirm against the definition.
 *
 * @param dpp         DoutPrefixProvider, presumably used for log output.
 * @param cct         Ceph context.
 * @param attrs       Attribute map (name -> bufferlist). It is taken by
 *                    non-const reference, so the callee may modify it.
 *                    NOTE(review): presumably carries the key ID, since there
 *                    is no separate key-ID parameter -- confirm.
 * @param actual_key  Output: receives the retrieved key.
 * @return            int status. NOTE(review): the success/error convention is
 *                    not visible from this declaration.
 *
 * Security: actual_key holds raw key material in a std::string, which does
 * not clear its buffer on destruction. Callers should keep its lifetime
 * short, wipe it explicitly after use, and never write it to logs.
 */
int make_actual_key_from_kms(const DoutPrefixProvider *dpp,
                             CephContext *cct,
                             std::map<std::string, bufferlist>& attrs,
                             std::string& actual_key);
/**
 * Counterpart of make_actual_key_from_kms with an identical parameter list.
 *
 * NOTE(review): the difference in behaviour is not visible from this
 * declaration. Presumably this variant recovers a previously issued key on
 * the read path rather than obtaining a new one -- confirm against the
 * definition.
 *
 * @param dpp         DoutPrefixProvider, presumably used for log output.
 * @param cct         Ceph context.
 * @param attrs       Attribute map (name -> bufferlist), passed by non-const
 *                    reference, so the callee may modify it.
 * @param actual_key  Output: receives the key.
 * @return            int status; the convention is not shown here.
 *
 * Security: actual_key is raw key material. std::string does not clear its
 * buffer on destruction, so callers should wipe it after use and keep it out
 * of logs and error messages.
 */
int reconstitute_actual_key_from_kms(const DoutPrefixProvider *dpp,
                                     CephContext *cct,
                                     std::map<std::string, bufferlist>& attrs,
                                     std::string& actual_key);
/**
 * SecretEngine interface.
 * The interface is defined here so that both a real implementation and a
 * mock implementation (for tests) can be used.
 */
/**
 * Fetch the key identified by key_id and store it in actual_key.
 *
 * @param dpp         DoutPrefixProvider, presumably used for log output.
 * @param key_id      Identifier of the key to fetch. It is a string_view, so
 *                    an implementation must copy it if it needs the value
 *                    after the call returns.
 * @param actual_key  Output: receives the key.
 * @return            int status; the success/error convention is not visible
 *                    here.
 *
 * Security: implementations hand back raw key material. They should not log
 * actual_key, and should avoid leaving extra copies of it in intermediate
 * buffers.
 */
virtual int get_key(const DoutPrefixProvider *dpp,
                    std::string_view key_id,
                    std::string& actual_key) = 0;
/// Virtual destructor, so an implementation can be destroyed through a
/// SecretEngine pointer.
virtual ~SecretEngine() = default;