-
Notifications
You must be signed in to change notification settings - Fork 109
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #5196 from oasisprotocol/peternose/feature/master-…
…keys-forward-secrecy keymanager/src/runtime: Support master secret rotations
- Loading branch information
Showing
65 changed files
with
4,364 additions
and
1,391 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
keymanager/src/runtime: Support master secret rotations | ||
|
||
Key managers now have the ability to rotate the master secret | ||
at predetermined intervals. Each rotation introduces a new generation, | ||
or version, of the master secret that is sequentially numbered, starting | ||
from zero. These rotations occur during key manager status updates, which | ||
typically happen during epoch transitions. To perform a rotation, | ||
one of the key manager enclaves must publish a proposal for the next | ||
generation of the master secret, which must then be replicated by | ||
the majority of enclaves. If the replication process is not completed | ||
by the end of the epoch, the proposal can be replaced with a new one. | ||
|
||
The following metrics have been added: | ||
|
||
- `oasis_worker_keymanager_consensus_ephemeral_secret_epoch_number` | ||
is the epoch number of the latest ephemeral secret. | ||
|
||
- `oasis_worker_keymanager_consensus_master_secret_generation_number` | ||
is the generation number of the latest master secret. | ||
|
||
- `oasis_worker_keymanager_consensus_master_secret_rotation_epoch_number` | ||
is the epoch number of the latest master secret rotation. | ||
|
||
- `oasis_worker_keymanager_consensus_master_secret_proposal_generation_number` | ||
is the generation number of the latest master secret proposal. | ||
|
||
- `oasis_worker_keymanager_consensus_master_secret_proposal_epoch_number` | ||
is the epoch number of the latest master secret proposal. | ||
|
||
- `oasis_worker_keymanager_enclave_ephemeral_secret_epoch_number` | ||
is the epoch number of the latest ephemeral secret loaded into the enclave. | ||
|
||
- `oasis_worker_keymanager_enclave_master_secret_generation_number` | ||
is the generation number of the latest master secret as seen by the enclave. | ||
|
||
- `oasis_worker_keymanager_enclave_master_secret_proposal_generation_number` | ||
is the generation number of the latest master secret proposal loaded | ||
into the enclave. | ||
|
||
- `oasis_worker_keymanager_enclave_master_secret_proposal_epoch_number` | ||
is the epoch number of the latest master secret proposal loaded | ||
into the enclave. | ||
|
||
- `oasis_worker_keymanager_enclave_generated_master_secret_generation_number` | ||
is the generation number of the latest master secret generated | ||
by the enclave. | ||
|
||
- `oasis_worker_keymanager_enclave_generated_master_secret_epoch_number` | ||
is the epoch number of the latest master secret generated by the enclave. | ||
|
||
- `oasis_worker_keymanager_enclave_generated_ephemeral_secret_epoch_number` | ||
is the epoch number of the latest ephemeral secret generated by the enclave. | ||
|
||
The following metrics have had runtime labels added: | ||
|
||
- `oasis_worker_keymanager_compute_runtime_count`, | ||
|
||
- `oasis_worker_keymanager_policy_update_count`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.