Add Rust protections for the private keys #4513
Comments
Manually zeroing out memory is actually quite hard, because the compiler will probably optimize it away. We should look for some off the shelf solution to that problem, e.g. https://crates.io/crates/zeroize seems to solve that.
Yes, we should replace all instances where we implement
As an addition, we should probably also use
This PR:
- Merges `oak_crypto::encryptor::EncryptionKeyProvider` and `oak_crypto::hpke::KeyPair` into `oak_crypto::encryption_key::EncryptionKey`
- Implements serialization/deserialization
- Implements encrypting the private key for Key Provisioning.
- Removes public keys from `EncryptionKey` struct (it's only used to be put into the evidence)

Ref #4513
Currently our abstractions have to expose the private keys in order to:
- `Instance` key to decrypt the `Group` key that was received via Key Provisioning

For example we have the following functions that expose the private key: `instance_encryption_key` and `get_private_key`.

We need to implement an abstraction for private keys that:
- `drop()`

Though we also don't want to reimplement Tink.

We also currently have 2 abstractions for the Encryption Private Key:
- oak/oak_crypto/src/encryptor.rs, lines 35 to 37 in 28b91c9
- oak/oak_crypto/src/hpke/mod.rs, lines 47 to 50 in 28b91c9

We need to merge these implementations into one `EncryptionKey`, and keep it a low level abstraction, since enclave applications don't need to use it.
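Both the first comment above (use an off-the-shelf zeroing solution rather than a hand-rolled loop the compiler can drop) and the issue's requirements (an abstraction that does not expose the private key, wipes it on `drop()`, and folds the two key types into one low-level `EncryptionKey`) are easier to see in code. The following is an added example, not code from the Oak project: `EncryptionKey`, `zeroize_bytes`, `from_bytes` and `unwrap_group_key` are hypothetical names, the XOR unwrap is a placeholder for the real HPKE open operation, and the 32-byte key values are constructed. It reimplements the volatile-write wipe that the `zeroize` crate provides so that it runs without external dependencies.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Wipe `buf` with volatile stores. A plain `for b in buf { *b = 0 }` on a
/// buffer that is never read again is dead-store-elimination fodder, so the
/// optimizer may drop it; `write_volatile` marks the stores as observable.
/// This is the core of what the `zeroize` crate does; it is reimplemented
/// here only so the example has no external dependency.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, properly aligned, exclusively borrowed `u8`.
        unsafe { ptr::write_volatile(b, 0) };
    }
    // Keep the compiler from hoisting later memory operations above the wipe.
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical private-key abstraction modelled on the issue's requirements:
/// the bytes live in a private field, there is no getter, `Clone` is
/// deliberately not derived (no silent extra copies), and the bytes are
/// wiped on `drop()`.
pub struct EncryptionKey {
    secret: [u8; 32],
}

impl EncryptionKey {
    /// Construct from raw key material. The array is moved in, so the caller
    /// no longer owns a copy (a `&[u8]` parameter would leave one behind that
    /// this type could not wipe).
    pub fn from_bytes(secret: [u8; 32]) -> EncryptionKey {
        EncryptionKey { secret }
    }

    /// Use this Instance key to recover a Group key received via Key
    /// Provisioning, returning it as another protected `EncryptionKey`
    /// rather than as raw bytes. PLACEHOLDER: XOR stands in for the real
    /// HPKE open operation so the example is self-contained; it is not a cipher.
    pub fn unwrap_group_key(&self, wrapped: &[u8; 32]) -> EncryptionKey {
        let mut out = [0u8; 32];
        for i in 0..32 {
            out[i] = wrapped[i] ^ self.secret[i];
        }
        EncryptionKey { secret: out }
    }
}

/// Constant-time equality: the only comparison the type offers, and it never
/// reveals which byte differed. Kept here for tests and rotation checks; a
/// stricter design might omit it altogether.
impl PartialEq for EncryptionKey {
    fn eq(&self, other: &EncryptionKey) -> bool {
        let mut diff = 0u8;
        for i in 0..32 {
            diff |= self.secret[i] ^ other.secret[i];
        }
        diff == 0
    }
}

/// `Debug` is written by hand so a stray `{:?}` in a log line cannot print
/// key material; `#[derive(Debug)]` would.
impl fmt::Debug for EncryptionKey {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        f.write_str("EncryptionKey([REDACTED])")
    }
}

impl Drop for EncryptionKey {
    fn drop(&mut self) {
        zeroize_bytes(&mut self.secret);
    }
}

fn main() {
    // Constructed sample key material, not real keys.
    let instance = EncryptionKey::from_bytes([0x11; 32]);
    // Constructed "wrapped" Group key: 0x22.. XOR 0x11.. under the placeholder scheme.
    let wrapped_group = [0x33u8; 32];
    let group = instance.unwrap_group_key(&wrapped_group);
    println!("{:?} -> {:?}", instance, group); // neither prints key bytes
    // Both keys are wiped by `Drop` as they go out of scope here.
}
```

In a real code base the `Drop` impl and `zeroize_bytes` would be replaced by the `zeroize` crate (its `Zeroize`/`ZeroizeOnDrop` derives), as the first comment suggests. One caveat applies either way: a Rust move is a plain memory copy, so a key moved between stack slots or into a `Vec` can leave a stale copy the drop-time wipe never sees; keeping the key behind a single owner (a `Box` or a long-lived struct field) and avoiding `Clone` limits that exposure.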