// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

package stet.proto;

// Import path of the generated Go code for this schema.
option go_package = "github.com/GoogleCloudPlatform/stet/proto/config_go_proto";
// Algorithm used to generate the Data Encryption Key (DEK); referenced by
// KeyConfig.dek_algorithm.
//
// The values are not prefixed with the enum name, which is the usual
// convention; renaming them now would break generated code and text/JSON
// encodings, so new values should simply be appended with fresh numbers.
enum DekAlgorithm {
  // Zero value: no algorithm specified.
  UNKNOWN_DEK_ALGORITHM = 0;
  // AES with a 256-bit key in GCM mode.
  AES256_GCM = 1;
}
// Identifies one asymmetric keypair by fingerprint and algorithm.
message AsymmetricKey {
  // Public-key algorithm of the keypair.
  enum Algorithm {
    // Zero value: no algorithm specified.
    UNKNOWN_ALGORITHM = 0;
    RSA = 1;
  }

  // Fingerprint identifying the keypair.
  // NOTE(review): the encoding is not stated here; presumably the same
  // SHA-256-over-DER-public-key format described for
  // KekInfo.rsa_fingerprint — confirm against the code that compares them.
  string fingerprint = 1;
  // The algorithm of the keypair.
  Algorithm algorithm = 2;
}
// Describes one Key Encryption Key (KEK) that wraps a share of the DEK.
// Exactly one of the oneof members identifies the key.
message KekInfo {
  oneof kek_type {
    // The URI of the Key Encryption Key.
    // When running in Confidential Space this URI is presumably what
    // KekCredentialConfig.kek_uri_pattern is matched against — confirm.
    string kek_uri = 1;
    // The SHA-256 fingerprint of the DER-encoded public key corresponding to
    // an RSA keypair generated for the purposes of offline share encryption.
    // The matching key files are supplied via AsymmetricKeys.
    //
    // Can be generated from a private key PEM with the following command:
    // $ openssl rsa -in test.pem -pubout -outform DER | \
    //     openssl sha256 -binary | openssl base64
    string rsa_fingerprint = 2;
  }
}
// Parameters for Shamir's Secret Sharing (a k-of-n scheme): `threshold` is k
// and `shares` is n. The schema does not constrain the values; a loader is
// expected to reject anything that does not satisfy
// 1 <= threshold <= shares (and, presumably, shares == len(KeyConfig.kek_infos)
// — confirm against the splitting code).
message ShamirConfig {
  // Number of shares needed to reconstitute the secret for Shamir's Secret
  // Sharing.
  int64 threshold = 1;
  // Total number of shares to split the secret into for Shamir's Secret
  // Sharing.
  int64 shares = 2;
}
// Describes how a DEK is generated, split and wrapped. Used for encryption
// (EncryptConfig) and embedded in Metadata so the decrypting side can
// reproduce the same choices.
message KeyConfig {
  // Information about the Key Encryption Key.
  // NOTE(review): presumably one entry per share, in share order — the
  // relationship to ShamirConfig.shares is not stated here; confirm.
  repeated KekInfo kek_infos = 1;
  // The algorithm used to generate the Data Encryption Key.
  DekAlgorithm dek_algorithm = 2;
  // The algorithm used to split the DEK into shares.
  // Because these are oneof members they have explicit presence: a
  // `no_split` that is set to false still selects the no-split case.
  // A future scheme needs a fresh field number; 3 and 4 must not be reused.
  oneof key_splitting_algorithm {
    // No splitting of the DEK (effectively a 1-of-1 encryption scheme).
    // A bool carries no parameters; this case cannot grow options later.
    bool no_split = 3;
    // Shamir's secret sharing, supporting k-of-n encryption schemes.
    ShamirConfig shamir = 4;
  }
}
// Top-level config object for the STET binary.
message StetConfig {
  // Settings used when encrypting (which KeyConfig to wrap with).
  EncryptConfig encrypt_config = 1;
  // Settings used when decrypting (the KeyConfigs the client recognizes).
  DecryptConfig decrypt_config = 2;
  // Paths to the PEM key files used for offline share encryption/decryption.
  AsymmetricKeys asymmetric_keys = 3;
  // Specifies fields for running in Confidential Space. Optional.
  ConfidentialSpaceConfigs confidential_space_configs = 4;
}
// Encryption-side settings; see StetConfig.encrypt_config.
message EncryptConfig {
  // The key config to encrypt with.
  KeyConfig key_config = 1;
}
// Decryption-side settings; see StetConfig.decrypt_config.
message DecryptConfig {
  // The set of KeyConfigs that are known to the client. The decryption logic
  // will look to figure out which KeyConfig matches the hashed config_id.
  // NOTE(review): `config_id` and its hash are not defined in this file;
  // the matching rule lives in the consuming code — confirm there.
  repeated KeyConfig key_configs = 1;
}
// File locations of the keypairs referenced by KekInfo.rsa_fingerprint.
// The schema only carries paths; it cannot express ownership or permission
// requirements on the files, so the loader should validate those itself.
message AsymmetricKeys {
  // A list of paths to PEM-encoded public keys corresponding to any
  // AsymmetricKey messages specified in a KekInfo for encryption.
  repeated string public_key_files = 1;
  // A list of paths to PEM-encoded private keys corresponding to any
  // AsymmetricKey messages specified in a KekInfo for decryption.
  // NOTE(review): these reference private key material; confirm the loader
  // rejects world-readable files or otherwise checks permissions.
  repeated string private_key_files = 2;
}
// The metadata needed to store alongside encrypted data.
// NOTE(review): nothing in this message authenticates its own contents
// (no MAC or signature field); confirm that the consumer binds it to the
// ciphertext, e.g. as AEAD associated data, before trusting key_config.
message Metadata {
  // The wrapped DEK shares, one WrappedShare per share.
  repeated WrappedShare shares = 1;
  // Identifier of the encrypted blob this metadata belongs to.
  // NOTE(review): format and uniqueness requirements are not stated here.
  string blob_id = 2;
  // The KeyConfig that produced `shares`; the decrypting side uses it to
  // locate a matching entry in DecryptConfig.key_configs.
  KeyConfig key_config = 3;
}
// Represents a wrapped share and its unwrapped SHA-256 hash.
message WrappedShare {
  // The bytes of the wrapped share. Required.
  bytes share = 1;
  // The SHA-256 hash of the actual (unwrapped) share. Required.
  // This hash is stored in the clear alongside the ciphertext. With the
  // `no_split` scheme the single share is presumably the DEK itself, so
  // this is a plaintext hash of the key; that is only acceptable while the
  // DEK is uniformly random and full-length — confirm.
  bytes hash = 2;
}
// Which operations a KekCredentialConfig may be used for; see
// KekCredentialConfig.mode.
//
// The zero value deliberately carries a meaning (both operations allowed),
// so an unset `mode` is the most permissive option. The values are not
// prefixed with the enum name; renaming them would break generated code
// and text/JSON encodings, so append new values rather than rename.
enum CredentialMode {
  // Default when unset: the credential may be used for both encryption
  // and decryption.
  DEFAULT_ENCRYPT_AND_DECRYPT_MODE = 0;
  // The credential may only be used to encrypt.
  ENCRYPT_ONLY_MODE = 1;
  // The credential may only be used to decrypt.
  DECRYPT_ONLY_MODE = 2;
}
// One credential that can be used to reach a set of KEKs when running in
// Confidential Space.
message KekCredentialConfig {
  // A regex pattern representing the key URIs this config should be used to
  // access. Required.
  // NOTE(review): the schema does not say whether the match is anchored or
  // which entry wins when several patterns match one URI; confirm the
  // matching code anchors the pattern so a broad one cannot capture
  // unintended keys.
  string kek_uri_pattern = 1;
  // Identifier of the credential config WIP. Should be of the format
  // "projects/*/locations/*/workloadIdentityPools/*/providers/*". Required.
  string wip_name = 2;
  // Email of the credential config service account. Optional.
  string service_account = 3;
  // Indicates whether this credential config is used for encryption and/or
  // decryption. Defaults to DEFAULT_ENCRYPT_AND_DECRYPT_MODE (the enum's
  // zero value) when unset.
  CredentialMode mode = 4;
}
// Confidential Space settings; see StetConfig.confidential_space_configs.
message ConfidentialSpaceConfigs {
  // A list of KekCredentialConfigs representing available credentials for
  // accessing KEKs. Required.
  // NOTE(review): precedence between entries whose kek_uri_pattern overlap
  // is not defined here — confirm in the selection code.
  repeated KekCredentialConfig kek_credentials = 1;
}