feat(kms-app): add vault-transit backend (direct + envelope modes)#19
Open
coderdan wants to merge 1 commit into
HashiCorp Vault Transit backend for the comparison harness, selected via ENCRYPTION_BACKEND=vault-transit. Two modes:

- direct (default): plaintext -> Vault -> ciphertext in one batched round-trip (Vault, unlike AWS KMS, has a batch API). VAULT_TRANSIT_DERIVED=true uses a per-record context for per-record keys.
- envelope: Vault datakey + local AES-256-GCM, so plaintext stays client-side. VAULT_DATA_KEY_MAX_USES controls reuse. datakey has no batch (per-record keys = one round-trip per record on write), but reads unwrap all distinct keys in ONE batched decrypt -- so scattered reads don't collapse to one call per record the way AWS KMS envelope does.

Smoke-tested end-to-end against Vault 1.20 dev across all four configs (round-trips correct; kmsCalls instrumentation verified).
Adds a HashiCorp Vault Transit backend to the comparison harness, selected via
ENCRYPTION_BACKEND=vault-transit. Supports the Vault comparison (CIP-3290) and fills the performance section of docs#34.

Modes

- direct: VAULT_TRANSIT_DERIVED=true uses a per-record context for per-record keys. Catch: plaintext transits Vault.
- envelope: datakey + local AES-256-GCM, so plaintext stays client-side. VAULT_DATA_KEY_MAX_USES controls reuse. datakey has no batch (per-record keys = one round-trip per record on write), but reads unwrap all distinct keys in one batched decrypt — so scattered reads do not collapse to one call per record the way AWS KMS envelope does.

Verification

Smoke-tested end-to-end against Vault 1.20 dev across all four configs — round-trips correct,
kmsCalls instrumentation verified:

Note

This branches off main (PR #18, the harness, is already merged). The in-region benchmark run that produces published numbers is tracked separately under CIP-3290.

Part of CIP-3290 (issue stays open until the doc, backend, and in-region run all land)
https://claude.ai/code/session_018ag38k33yzmVZhLkVx7CPQ