airflow-commits mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] wwlian commented on issue #3805: [AIRFLOW-2062] Add per-connection KMS encryption.
Date Fri, 07 Sep 2018 21:28:31 GMT
wwlian commented on issue #3805: [AIRFLOW-2062] Add per-connection KMS encryption.
URL: https://github.com/apache/incubator-airflow/pull/3805#issuecomment-419570620
 
 
@bolkedebruin @gerardo @Fokko I understand the concerns that this change might be coupled too tightly to Google Cloud KMS. However, I want to second @jakahn's assurance that this design is agnostic to the key management service being used.

The only opinionated design included here is that encryption will be performed using the envelope encryption pattern, which is a widely-recognized pattern by [AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping), [Google Cloud KMS](https://cloud.google.com/kms/docs/envelope-encryption), and [Azure Key Vault](https://docs.microsoft.com/en-us/azure/storage/common/storage-client-side-encryption#encryption-and-decryption-via-the-envelope-technique).

To add to what @jakahn said re: embedding kms_conn_id and kms_extras in the existing _extra column, doing so would create a chicken and egg problem, as their values are needed to decrypt the _extras column.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
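
The envelope-encryption layout discussed in the comment above, as an added example that is not part of the original message or the pull request's code: it shows why `kms_conn_id` has to live outside the encrypted `_extra` value. The `LocalKms` class, the `KMS_BACKENDS` registry, the `wrapped_dek` field and the stdlib `_seal`/`_open` helpers (a stand-in for a real AEAD such as AES-GCM or Fernet) are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Stdlib stand-in for an AEAD; use AES-GCM or Fernet in real code."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def _open(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    nonce, ct = body[:16], body[16:]
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class LocalKms:
    """Hypothetical stand-in for a KMS reached through a kms_conn_id."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)  # key-encryption key stays in the "service"
    def wrap(self, dek: bytes) -> bytes:
        return _seal(self._kek, dek)
    def unwrap(self, wrapped: bytes) -> bytes:
        return _open(self._kek, wrapped)

# Constructed registry: two independent KMS backends keyed by connection id.
KMS_BACKENDS = {"kms_a": LocalKms(), "kms_b": LocalKms()}

def encrypt_row(extra: dict, kms_conn_id: str) -> dict:
    dek = secrets.token_bytes(32)  # fresh data-encryption key per connection
    return {
        "kms_conn_id": kms_conn_id,  # cleartext: must be readable before decryption
        "wrapped_dek": KMS_BACKENDS[kms_conn_id].wrap(dek),  # hypothetical field
        "_extra": _seal(dek, json.dumps(extra).encode()),
    }

def decrypt_row(row: dict) -> dict:
    # The KMS lookup happens first; if kms_conn_id were stored inside the
    # encrypted _extra value, there would be no way to reach this line.
    kms = KMS_BACKENDS[row["kms_conn_id"]]
    dek = kms.unwrap(row["wrapped_dek"])
    return json.loads(_open(dek, row["_extra"]))
```
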
