►
From YouTube: Keyhouse: Production-ready Key Management Service in Rust - Maxwell Bruce & Sergey Shekyan
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Keyhouse: Production-ready Key Management Service in Rust - Maxwell Bruce & Sergey Shekyan, ByteDance
In this talk, Max and Sergey from ByteDance security team will share their experience of building a production-ready key management system using Rust. It uses Spire to establish mutual trust with the customers and other components, which adds up to the already unique combination of being the only OSS production-ready KMS written in Rust. The system is nearly self-contained, with the exception of the storage system, which is ETCD at the moment. Compared to go its predecessor which is written in Go, keyhouse uses much less memory and CPU cores to secure a large amount of user data. Keyhouse will be open sourced on Github very soon.
Acknowledgment:
We thank Yu Ding as a 3rd author. He will not be a presenter but he contributed significantly to keyhouse.
Yu Ding is a security researcher and engineer. His research interest is security issues around Intel SGX and building security-critical systems. He is a zealot of security oriented software development and dedicated to build a memory safe world.
A
Hi
everyone
we
will
be
talking
talking
about
key
house,
a
key
management
system,
that's
ready
for
production
and
we
work
for
a
company
called
by
dance.
It
was
founded
90,
roughly
nine
years
ago.
We
have
a
lot
of
products,
most
famous
one
is
tick
tock
and
a
couple
of
words
about
ourselves.
So
building
leads
trusted.
Computing
can
secure
coding
initiatives
at
by
dance
and
his
big
supporter
of
rust.
He
is
maintaining
apache
t
clave,
which
is
an
open
source,
universal,
secure
computing
platform
and
before
that
he
worked
at
baidu
on
similar
problems.
A
Max
who
is
with
us
today
is
a
very
quick
learner
and
he
is
the
primary
developer
on
key
house.
So
without
him
this
project
wouldn't
exist.
He
brings
his
rust
skills
and
like
in
general,
computer
science,
skills
and
security
skills
to
the
table
and
previously
max
worked
on
some
anti-automation
problems
and
me
sergey.
I
work
on
primarily
work
on
like
web
security
problems
and
which
includes
anti-automation
and
some
browser
security,
apis
and
so
on.
So
none
of
us
had
a
prior
key
management
system
development
experience.
So
that's
kind
of
more
interesting.
A
B
Yeah,
so
our
our
rust
deployment,
you
know
this
project
has
has
since
matured
at
bike
dance
and
we're
deployed
in
production
all
across
the
world.
Now
so
you
know
we
can
say
this
project
has
internally
been
a
success,
and
part
of
our
open
source
initiative
is
turning
this
into
a
success
for
everybody
else
yeah.
So
thanks
sergey
for
telling
us
stuff
about
why
rust.
So
I'm
max
I'll
be
going
into
some
of
the
design
considerations
in
key
house
so
starting
off
here
with
our
core
components.
B
Everything
in
keyhouse
is
designed
around
kind
of
like
a
monolith
kind
of
end
product.
In
that
you
know
you
ship,
like
just
one
service
out
that
provides
key
house,
and
then
you
you'd
balance
that
out
amongst
many
pods
or
or
whatever
it
would
be
horizontally
scaled,
but
just
one
category
of
service.
B
The
reason
being
is
just
minimizing
chances
of
failure,
minimizing
any
kind
of
like
potential
dependency
problems
and
just
overall
trying
to
maintain
as
much
simplicity
as
possible
because,
as
it
turns
out,
key
management
systems
tend
to
be
dependent
on
by
a
lot
of
critical
services.
We
really
really
need
that
top
reliability
and
that
top
top
like
just
reliability
and
redundancy,
so
we
just
don't
have
any
room
for
failure.
B
So
a
lot
of
our
design
considerations
go
with
that
in
mind,
and
with
that
in
mind,
as
a
monolith,
we
have
kind
of
like
two
halves
to
our
program.
So
we
have
our
data
plane,
which
is
what
our
sdks
talk
to,
and
then
we
also
have
our
control
plane,
which
is
what,
like
you
or
an
operator
administrator,
would
talk
to
to.
B
If
this
was
somebody
else's
open
source
project
and
we
have
all
the
specific
infrastructure
requirements
we
need
to
fulfill.
How
can
we
get
this
open
source
project
to
mesh
with
our
own
internal
systems?
And
so
we
tried
to
make
it
an
approach
so
that
we
could
both
answer
that
question
for
us,
but
also
answer
that
question
for
everybody
else,
and
so
that's
why
we
landed
this
kind
of
hot
swappable
system.
B
Also,
generally
speaking,
kms
key
house
we'll
also
be
talking
to
nhsm
hardware
security
modules,
a
hardware
to
trust
we'll
also
be
talking
about
that
more
later
on.
So
let's
talk
more
about
etcd,
so
etcd,
as
I
said
before,
it's
our
primary,
authoritative
backend
data
source
every
keyhouse
instance
talks
that
cd
all
the
time.
Of
course,
we
do
have
failure
like
prevention.
We
have
like
kind
of
failovers
in
place
and
stuff,
that's
all,
ultimately
up
to
how
you
want
to
deploy
things.
B
Consistency,
guarantees
very
persistent,
very
reliable
load
distribution,
but
it
is
distributed
like
generally
speaking,
you
plug
like
five
to
seven
nodes,
so
it's
relatively
scalable
for
what
we
need,
and
it
also
you
know
it's
also
relatively
easy
to
create
replicas
of
both
with
fcd
and
as
we'll
be
talking
about
right
now,
with
re-replicas
and
with
caching.
So
I
guess
in
the
last
slide,
I
talked
about
a
little
bit
here.
B
This
ends
up
being
a
kind
of
like
a
right
through
evictionless
cache
and
that,
due
to
the
the
generally
low
size
of
the
entire
data
set,
like
I
think,
our
entire
production
network,
you
know
it
doesn't
grow
above
a
couple
megabytes
for
every
you
know
encryption
key.
There
is
because
crypt
keys
just
aren't
that
big.
So
what
we
end
up
doing
is
we
actually
just
cache
everything
all
the
time
in
every
keyhouse
instance,
which
provides
amazing
like
failure,
you
know,
like
you
know,
just
handling
failures,
really
well.
Etsy
goes
down.
B
Key
house
just
keeps
trucking
like
it's
no
big
deal.
Of
course,
we
deny
any
rights
during
that
time,
but
and
that's
why
we're
right
through
is
to
deny
rights
when
that
cd
can't
confirm
anything
and
in
general,
key
house
actually
relies
a
lot
on
the
kind
of
consistency
guarantees
that
std
provides
in
order
to
synchronize
its
operations,
and
so
that's
a
it's
a
very
useful.
You
know
future
provided
by
fcd
and
yeah.
B
B
B
So
let's
talk
more
about
our
key
hierarchy,
so
in
general,
like
k,
key
house,
it
really
revolves
around
a
lot
about
envelope
encryption
and
we
also
put
a
lot
of
you
know:
effort
into
hardware
route
of
trust,
so
our
master
key,
generally
speaking,
is
stored
at
our
at
our.
In
our
you
know
our
hsm,
and
it
is,
you,
know,
really
hardened
down.
It's
in
you
know
a
lockdown
cluster
of
like
hsn
modules,
with
any
implementation
defined
like
backup
system
and
access
control
outside
the
keyhouse's
hands,
and
you
know
to
avoid.
B
Generally
speaking,
so
like
customer
keys,
as
our
number
one
example
we'll
talk
more
about
those
later,
but
those
are
really
like
our
meat
and
buns
and
that's
what
a
lot
of
like
access,
control
and
users
kind
of
interact
with
data
keys
are
what
we
use
an
sdk
level
to
it's
kind
of
like
the
end
use
key.
You
can
think
about
it.
That
way,
so
we
made
a
master
key.
B
These
are
generally
manually
rotated
by
any,
like
you
know,
presumably
have
some
kind
of
like
operation
in
place
to
to
create
a
new
master
key
internally,
and
then
you
would
just
have
keyhouse
updated
to
start.
You
know
migrating
all
of
the
existing
encrypted
customer
keys
and
intermediate
keys
around
this
new
master
key.
B
There
can
be
more
than
one
floating
around
due
to
the
way
that
keyhouse
migrates
customer
keys
when
we
rotate
intermediate
keys,
intermediate
keys
actually
get
stored
alongside
or
they
get
copied
alongside
customer
keys
encrypted
at
rest.
This
way
that
in
the
when
we
rotate
an
intermediate
key,
you
know
we
can
do
it
reliably
with
each
pod,
taking
an
arbitrary
chunk
of
those
customer
keys
and
re-encrypting
them,
with
new
intermediate
keys
in
a
highly
reliable
way,
taking
advantage
of
fcd's
consistency
to
coordinate.
B
So
our
customer
keys-
these
are
you
know,
are
real
meat
and
bones.
These
are
what
access
control
lists
live
on.
These
also
have
an
assigned
purpose
like
okay.
These
are
for
encrypting
secrets,
these
are
for
encrypting
data
and
they
never
leave
the
keyhouse
it's
kind
of
like
the
the
lowest
layer
key
that
is
in
key
house
server
itself.
Generally
speaking,
what
happens
with
these
keyholes?
These
customer
keys
is
an
administrator
goes
through,
creates
one
sets
an
access
control
list,
and
then
we
get
to
the
data
key.
B
So
what
happens
is
if
you
think
about
it.
From
the
sdk
perspective,
sdk
wants
to
encrypt
some
data.
Sdk
requests
a
data
key
from
keyhouse
keyhouse
uses
an
a
one,
a
one
time,
password
scheme
kind
of
like
two
factor
authentication
to
generate
a
data
key
for
a
given
day
to
make
caching
a
much
more
reasonable
thing
to
do,
because
we
want
to
keep
the
number
of
data
keys
floating
around
for
a
given
time
period
low.
B
Generally
speaking,
we
do
one
data
key
per
day
per
customer
key,
and
so
what
keyhouse
will
do
is
it'll
return.
The
encrypted
data
key
an
envelope
encrypted
by
the
customer
key
and
the
unencrypted
data
key
to
the
sdk,
which
will
then
encrypt
the
original
payload
and
store
alongside
the
encrypted
data
key
alongside
it,
along
with
metadata
that
tags
it
along
to
its
owning
customer
key
and
yeah.
It's
you
know,
ends
up
being
this
really
clean
implementation,
where
the
data
never
gets
sent
to
keyhole.
B
So
it
minimizes
your
bandwidth
usage,
but
we
also
avoid
sending
the
customer
key
to
the
client
and
also
minimizing
the
number
of
requests
upstream
to
keyhouse.
This
also
provides
us
a
lot
of
redundancy,
so
in
the
event
that
the
keyhole
server
is
down,
if
the
sdk
can't
fetch
another
data
key,
I
mean
it's
not
great,
but
you
know
you
can
have
some
leeway
where
like
say,
we
try
to
fetch
a
new
data
key
every
six
hours,
but
if
it
fails
well,
we
can
wait
another
six
hours.
B
B
So
we
talked
a
little
bit
about
this
before
but
secrets.
So
not
everything
can
really
fit
into
the
neat
box.
That
is
like
a
customer
key
data,
key
setup.
So
say
you
have
some
persistent
key.
You
need
to
use
for
some
other
purpose.
Like
a
you
know,
an
hmac
key,
an
immutable
private
key
for
some
pki
stuff,
some
credentials
for
some
sensitive
service.
B
You
know
you
can
store
these
in
a
keyhouse
secret
and
they
get
stored
in
that
cd
buy
a
data
key
that
doesn't
leave
key
house
in
a
given
customer
key.
That's
the
that
is
mutually
exclusively
assigned
to
only
be
able
to
encrypt
secrets,
and
not
other
data
will
be
able
to
have
any
number
of
these
associated
with
it.
B
B
So
you
know,
we
talked
a
little
about
operators
and
how
we're
using
access
controllers
to
the
customer
level.
This
is
kind
of
like
a
full
diagram
of
what
authorization
looks
like
in
keyhouse.
So
you
have
some
administrator.
You
know
they
have
access
through
some
implementation
defined
mechanism,
you
know
say
like
sso
or
whatever
they
have
ownership
of
some
set
of
keyrings
or
access
to
some
sort
of
keyrings,
and
then
each
keyring
had
uniquely
owned
some
number
of
customer
keys
under
it.
B
Like
I
said
before,
it's
a
grouping,
then
each
customer
key
has
its
own
unique
access,
control
lists
which
define
how
it
works
at
the
data
plane
level,
and
so
the
operators
can
then
go
into
customer
keys.
They
have
indirect
control
of
and
set
up
a
access
control
to
whatever
spiffy
authenticated
entities
like
service
person,
whatever
your
spiffy
ids
represent
and
can
set
it
up
to
so
they
have
whatever
specific
access
is
necessary,
reading
secrets,
writing
secrets,
encrypting
data,
etc.
B
So
next
steps-
currently
he
house,
is
not
open
source.
However
we're
working
to
open
source
it
now,
we've
been
working
with
some
security.
Vendors
to
you
know,
make
sure
everything's
tip-top
shape
and
we're
also
working
to
open-source
our
spire
workload
project
inspire
proxy
as
well,
which
is
mostly
just
an
offshoot
of
spyware
club
and
yeah
those
we
expect
those
to
be
open
source
in
the
next
few
months.
B
We
also
want
to
increase
the
number
of
integration
for
generic
or
open
source
implementations
of
various
components
of
keyhouse,
say
like
different,
open
source
metric
servers
like
log
different
ways
to
to
gobble
up
logs
control,
plane
authorization
schemes,
perhaps
team,
different
background
stores.
So
just
maximizing
our
kind
of
like
ready
to
go
on
a
lot
of
different
open
source,
more
open
source
stacks,
and
also
we
want
to
add
support
for
asymmetric
keys
right
now.
B
B
You
can
sort
as
a
secret,
but
like
say
automatic
rotation
or
setting
up
pki
infrastructures
is
not
something
currently
innately
supported
by
keyhouse.
As
some
special
feature
like
we
have
for
customer
keys,
it
fits
in
pretty
well,
but
we
just
haven't
implemented
that
it's
not
something
we
want
to
add
in,
but
yeah
in
general.
A
lot
of
our
design
decisions
have
been
primarily
motivated
by
what
we
need
to
get
this
rolling
inside.