cmd/kes: add support for migrating keys to minkms

This commit adds support for migrating keys to minkms via the `kes migrate` command. Migrating all keys of a KES backend to a MinKMS server can be done as following: ``` kes migrate --from src-config.yml --server 127.0.0.1:7373 --enclave minio --api-key k1:... ``` Currently, this implementation has the following limitations: - The HMAC key is not migrated. This requires support from MinKMS. However, HMAC keys are not used for S3 object encryption and have been added to KES recently. - Ciphertexts produced by KES cannot be decrypted auto. because they lack the key version prefix (e.g. 'v1:'). Future KES servers may use ciphertexts with key versions and MinKMS may accept a ciphertext without one. Signed-off-by: Andreas Auernhammer <[email protected]>
minio · Jun 6, 2024 · 1496415 · 1496415
1 parent fe54489
commit 1496415
Show file tree

Hide file tree

Showing 8 changed files with 221 additions and 192 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.22.2
+        go-version: 1.22.4
         check-latest: true
       id: go
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Build and Lint
       env:
         GO111MODULE: on
@@ -32,17 +32,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Set up Go"
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.22.2
+          go-version: 1.22.4
         id: go
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
-          args: --config ./.golangci.yml --timeout=2m
+          args: --config ./.golangci.yml --timeout=5m
   test:
     name: Test ${{ matrix.os }}
     needs: Lint
@@ -52,13 +52,13 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
     steps:
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.22.2
+        go-version: 1.22.4
         check-latest: true
       id: go
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Test
       env:
         GO111MODULE: on
@@ -70,14 +70,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [1.21.9, 1.22.3]
+        go-version: [1.21.11, 1.22.4]
     steps:
     - name: Set up Go ${{ matrix.go-version }}
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go-version }}
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Get govulncheck
       run: go install golang.org/x/vuln/cmd/govulncheck@latest
       shell: bash

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.22.2
+          go-version: 1.22.4
           check-latest: true
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
@@ -30,4 +30,4 @@ jobs:
         uses: goreleaser/goreleaser-action@v3
         with:
           version: latest
-          args: release --skip-publish --skip-sign --clean --snapshot --skip-before
+          args: release --skip=publish,sign,before --clean --snapshot
diff --git a/cmd/kes/main.go b/cmd/kes/main.go
@@ -71,7 +71,7 @@ func main() {
 		"status": statusCmd,
 		"metric": metricCmd,
 
-		"migrate": migrateCmd,
+		"migrate": migrate,
 		"update":  updateCmd,
 	}