►
From YouTube: WG KMS Bi-Weekly Meeting for 20220308
Description
WG KMS Bi-Weekly Meeting for 20220308
A
Hey
everyone:
this
is
kms
meeting
number
nine
for
march
8
2022..
So,
let's
see
I
think
christoph
has
things
he's
been
working
on,
which
has
things
he's
been
working
on
being
real?
Also
things
you
want
to
talk
about
stuff,
I
think
we
can
start
with
you
kristoff.
If
you
want
to
talk
about
what
you've
been
looking
at.
B
Yes,
so
we
discussed
a
lot
of
topics
about
a
potential
reference
implementation
for
kms
and
how
it
could
look
like.
So
I
had
a
couple
of
days
so
two
days
to
work
on
it,
so
I
used,
as
I
mentioned,
the
google
think
library,
to
make
this
the
layout
keys.
So
we
have
now
a
kind
of
an
intermediate
which
I
call
just
check
and
the
root
key
that
comes
from
the
kms
on
hms.
B
B
Had
the
question
where
we
would
like
to
start,
but
I
didn't
remember
what
the
answer
was
that
we
gave
to
her
like
a
month
ago
and
yes,
I
also
worked
on
the
pixel
11,
the
api,
that's
called
cryptokey
and
try
to
break
down
the
the
wrapper
around
the
c
library
into
something
sane,
because
it's
it's
very
bare.
So
I
try
to
split
up
and
look
and
have
a
token
logic
and
the
cryptologic
on
top
of
it.
B
A
So
so,
when
okay,
so
local
tech
is
the
key
encryption
key
that
is
encrypted
using
these,
the
real
kms's
key
encryption
key
right,
but
it's
it
basically
the
remote
kms
does
one
encryption
call
for
this
key
encryption,
key
this
location
key
and
then
all
the
other
encryption
calls
are
handled
by
the
locals
and
kristoff.
The
question
is:
where
do
I
put
this
local
key
encryption
key
in
an
encrypted
state
right?
Where
do
I
store
it
in
its
encrypted
form,
right
right.
A
B
So
the
rotation
is
already
there
and
also
the
counter
is
there.
But
the
question
is
where,
for
example,
west
or
the
the
the
things
beyond
the
key
right,
so
it
would
be
a
whole
whole
object.
I
just
defaulted
now
to
gob
the
the
golang
globe,
go
binary
format,
which
is
pretty
straightforward,
but
I
guess
we
would
like
to
move
to
protobuf,
but
again
it.
I
was
just
writing
down
in
two
days
hoping
to
get
as
much.
A
Understand
correctly,
when
so
the
kuru,
the
kubernetes
api
server,
when
it
does
the
grpc
encryption
call,
it
passes
you
a
data,
encryption
key
and
you
will
encrypt
the
data
encryption
key
that
was
passed
in
using
this
local
keck
and
respond
with
this
structure
as
bites
as
a
bite
array
for
storage
purposes.
Right.
D
Yeah,
I
think
so
as
part
of
the
request
that
we
get
from
the
api
server
to
the
kms
plugin.
The
plain
text
is
actually
the
deck
right.
So
today
we
already
returned
the
encrypted
deck
back
to
the
api
server.
So
in
addition
to
that,
at
least
with
the
approach
that
I'm
doing,
I'm
also
returning
the
encoded
kick
encrypted.
Kick
so
that
so
there
are
two
things
we
are
returning
the
encrypted
deck
and
then
the
encrypted
kick
and
basically
using
the
protobuf.
We
store
all
of
this
in
hcd
and
then
for
a
decrypt
call.
A
Yes,
so
the
idea
would
be
is
in
memory
this.
This
kms
plug-in
might
have
many
local
techs
that
it
has
cached,
but
it
will
only
have
one
local
keck
that
it's
using
to
do
rights
with
and
that
one
it
maintains
an
in-memory
counter.
It
does
not
need
to
send
the
counter
to
the
api
server
right.
It's
just
going
to
keep
it
in
memory.
If
it
gets
restarted.
It's
fine
I'll
just
make
a
new
keck
and
restart
its
counter.
A
A
So
I
think
the
counter
implementation
is
pretty
easy,
which
is
basically
just
increment
the
in-memory
counter
for
your
right,
your
right,
keck,
and
once
it
reaches
some
arbitrary
number,
like
a
thousand
some
smallish
number
that
seems
reasonable,
but
better
than
one
you
just
you
just
throw
it
away
and
you're
like
cool.
I'm
done
with
that
one.
I'm
gonna
make
a
new
one
and
you
know
there
had
there.
A
B
B
B
A
C
A
I
would
probably
expect
us
to
like
like
like
this
thing.
I
would
expect
to
probably
make
a
nice
diagram
describing
where
all
the
keys
are
and
like
I
like
that,
you
named
everything.
I
think
that
will
be
very
important
when
trying
to
explain
this
to
anyone
else,
because
they'll
be
like
what
are
you
talking
about,
because
we,
because
the
keck
and
local
keck,
all
those
are
just
a
little
bit
ambiguous.
We
like
need
to
basically
say
api
server.
A
E
C
A
A
B
B
I
see
yeah,
so
I
I
calculated
it
so
that
was
a
taylor
polynomial
about
the
birthday
problem
and
do
you
end
up
with
nearly
impossible,
so
it
was
as
good
as
the
encryption
itself,
the
probability
to
what
a
basically
a
double
hit
and
when
you
have
2.
2
to
the
power
of
21..
So
this
is
sort
of
probability
that
you
will
have
and
non
used
twice
would
would
be.
The
probability
would
be
really
really
low.
B
A
Okay,
yeah
so
yeah,
so
the
more
rights
you
allow
with
the
local
keck,
the
better
performance
you
get
out
of
your
plug-ins
because
they
don't
have
to
do
this
handshaking
as
much
right
they.
Basically
you
know
the
the
remote
kms
is
being
used
as
this
synchronization
agent
effectively
like.
If
the
other
instances
see
your
key,
they
basically
have
to
ask
the
leader,
because
they're
kind
of
like
the
followers
like
hey
leader,
tell
me
how
to
keep
doing
my
job,
because
some
other
follower
basically
made
a
decision.
D
Yeah,
so
I've
made
very
small
modifications
right
now.
So
if
we
look
at
the
decrypt
request
so
I've
before
we
had
the
version
and
the
cipher.
So
in
addition
to
that
now,
I'm
adding
a
uid
which
is
for
the
observability
purposes
that
we
talked
about
and
then
the
bytes
key
is
basically
the
encoded
kick
that
we
are
storing
in
lcd.
D
But
if
we
decide
to
do
some
kind
of
validation
in
the
future
for
auto
rotation,
we
can
do
that.
So
that's
for
the
decrypt
request
and
the
decrypt
response
and
for
the
encrypt
request.
We
only
because
it's
a
whole
new
encryption.
We
only
have
the
new
string
uid
field
for
the
observability
and
in
the
in
the
encrypt
response.
A
Yeah
cool,
so
the
question
I
wanted
to
ask
this
group
is
so
did
this
seems
if
we
ignore
anything
related
to
the
whole?
I
guess
this,
it
might
not
matter
for
this.
I
don't.
I
know
we
had
conversations
about
gcm
and
cbc.
I
guess
I
don't
know
if
they
even
surface
in
this
api,
but
the
question
I
have
for
this
group
is:
would
we
want
an
api
like
this?
A
That
way,
it's
not
like.
You
know
this
is
a
set
of
bytes,
so
it
could
literally
be
any
encoded
structure
that
the
kms
wanted
it's
more
of.
Do
we
want
to
facilitate
or
encourage
a
nicer
structure
than
just
like
a
set
of
bites
and
I'll
give
you
back
the
bikes
that
you
originally
gave
me,
but
you're
responsible
for
all
the
decoding
and
do
whatever
it
is
just
thinking.
D
Yeah,
that
might
be
useful.
I
I
mean
I
don't
know
in
which
scenario
they
might
want
it,
but
I
actually
having
that
right
from
the
start
would
definitely
be
something.
That's
useful,
like
a
key,
is
probably
one
thing
that
they
have,
but
apart
from
that,
if
they
want
to
have
some
other
metadata,
like
you
said
like
which
keyword
they're
talking
to
or
anything
which
could
be
useful
for
them
for
maintaining
the
state,
then
I
I
think
that'll
be
really
useful.
D
A
I
mean,
I
don't
think
we
would
conceptually
try
to
limit
this
field
right.
So
I'm
not
sure
we
conceptually
we
want
to
limit
the
metadata
field
either
like
like
the
kms
plug-in,
is
effectively
a
root
authority
on
your
environment.
Right,
it's
it's
it's.
It
might
not
be
seeing
the
raw
unencrypted
data,
but
if
it
ever
encountered
the
encrypted
data
it
could
decrypt
all
of
it
if
it
wanted
to
right.
So
it
is
a
pretty
privileged
actor
within
your
system.
A
A
C
A
Only
like,
like
you're
like
really
starting
to
like
use
up
the
storage
space,
that's
available
for
the
actual
data,
so
we
could
do
that
yeah,
but
yeah.
I
was
thinking
along
the
lines
of
like
you
know
if
you
had
a
plug-in
that
wanted
to,
even
if
it
didn't
need
all
the
state
itself,
if
we
just
wanted
to
make
it
super
trivial
to
like
an
operator
that
hey
like.
I
am
like
this
plug-in
at
this
version
using
this
key
vault
and
this
configuration
I'm
just
shoving
it
in
as
just
metadata.
A
So
that
way
like,
if
you
happen
to
find
this
encrypted
data,
you
have
like
a
really
good
idea
what
it
is
so
that
way,
if
you
want,
if
you
have
capabilities
of
getting
the
keys
like
you
know,
everything
is
there
just
just
just
to
basically
encourage
ease
of
sort
of
data,
migration
or
data
recovery.
Where
you
have
access
to
the
keys
and
you
don't
you
don't
need
to
like
somehow
know.
A
Oh,
this
is
like
a
json
structure,
that's
embedded
within
the
protobuf,
and
if
I
decode
it
this
way,
this
is
what
the
keys
are,
and
just
this
is
a
thought.
I'm
just
trying
to
think
of
how
how
we
can
like,
like
the
negative
of
what
I'm
saying,
is
if
we
sort
of
give
plugins
a
free-for-all.
Well,
they
can
kind
of
do
anything
and
there's
no
standardization
right.
D
Yeah,
I
think
the
standardization
is
a
good
point
like
because
there
is
it
everything.
The
data
is
going
to
look
different
for
every
different
provider,
but
also
accessing
that
data
is
not
something
that's
going
to
happen,
that
commonly
right,
like
at
least
the
way
we're
trying
to
do
it.
It's
not
that
someone's
going
to
get
that
data
from
fcd,
try
and
decrypt
it
and
look
at
it.
So
that's
not
going
to
happen
so
having
it
kms
plug-in.
D
Specifics
should
still
be
fine,
but
I
do
like
that
idea
like
just
having
traditional
metadata,
and
I
think
that
also
my
this
discussion
might
come
in
handy
when
we
talk
about
the
latest,
because
I
think
we
were
talking
about
how
the
user
can
see
the
storage
migration
is
done
right
and
then
you
mentioned
that
we
will
expose
that
to
the
user.
So
if
this
is
something
that
we
expose,
then
maybe
users
have
access
to
it.
A
A
If
you,
if
you,
if
you
wanted
to
use
it
as
a
easy
way
to
borrow,
you
know
like
sorry
from
something
if
you
wanted
to
borrow
the
the
shim
layer
right
that
basically
bridges
the
grpc
api
right
so
like
there's,
there's
a
bunch
of
like
abstraction
layers
already
in
there
that
you
could
just
kind
of
borrow
and
stick
in
the
your
your
code,
so
you
don't
have
to
write
it
all
from
scratch.
If
you,
if
you
didn't
want
to
like
this
already,
has
the
grpc
bits
implemented
and
it'd
be
very.
A
B
A
D
D
I
think
we
did
talk
about
the
general
idea
of
what
I
am
implementing,
where
we
are
sending
the
encrypted
get
back
and
then
using
that,
and
I
think
all
of
us
agree
that's
what
we
want
to
do
so
that's
good
and
then,
in
terms
of
the
topics
here
I
think
we've
pretty
much
covered
all
of
it,
and
I
know
we
did
talk
about
option
to
choose
encryption
protocol
in
the
last
cigar
meeting.
So
maybe
we
can
just
summarize
that
and
before
we
go
to
the
next
topic,.
A
My
understanding
was
yes,
defaulted,
gcm
and
it
seems
like
a
good
idea
to
be
explicit
and
include
that
within
the
storage,
so
that
you
that
you
were
doing
that.
That's
the
cipher
that
you're
using
and
we
don't
need
to
expose
configuration
about
this
right
now
we
can.
You
can
defer
that
to
if
it's
necessary,
but
basically
go
ahead
and
build
the
plumbing
to
allow
such
a
configuration
to
be
easily
added
like.
C
A
A
C
D
C
D
C
I
mean
initial
thought
was.
That
was
a
good
idea,
because
then
users
don't
have
to
think
about
it.
But
for
some
reason
I
guess
like
I
was
kind
of
thinking
back
to
like
in
production.
A
lot
of
companies
would
want
to
know
exactly
what
happened
when
and
having
something
as
late
as
is
hard
to
track,
because
at
least
in
some
of
the
kms's
like
when
you
say
I
want
to
create
a
new
latest
or
whatever.
That's
just
literally
whatever
was
the
auto-generated
key
right.
C
So
it's
it's
not
something
that
the
user
explicitly
provide
and
thinking
back
on
how
you
do
roll
back
and
roll
forth
like
how
I
don't
know
how
that
will
impact
something
like
that,
because
latest
is
not
predictable,
but
I
agree
if,
if
we
can
track
it
in
scd,
that
kind
of
helps,
but
again
I'm
not
sure
how
that
can
be
visible
outside
of
scd.
If
I'm
an
operator
and
I'm
I
don't
have
access
to
that,
how
would
I
even
know
which
version
I'm
like
that
particular
key
is
on.
A
Yeah
all
right,
so
I
I
think
so
there's
a
few
things
there
right
like
so
I
I
suspect
that
this
this
idea
of
using
latest
versus
pinning
to
a
particular
key
or
whatever,
I
think,
ends
up
being
some
kind
of
configuration
to
the
kms
plugin
like
our
reference
implementation
right.
So
I
think
we
would
give
you
the
choice
as
your
configuration
right,
it's
more
in
my
head.
What
I
want
to
see,
if
we
can
make
technically
possible,
is
the
capability
of
using
something
like
natives,
not
enforcing
that.
You
followed
that
as.
C
A
C
C
A
C
I
I
get
exactly
why
you're
asking
this
and
I
see
the
value
of
it
and
I
think
it's
super
nice
for
like
an
operator
not
having
to
worry
about
or
keeping
track
of,
the
key
version
even
right,
but
but
then
there's
like
when
things
go
wrong.
I
want
to
go
back
to
it.
How
would
I
even
know
which
version
I
was
using
or
the
the
plugin
was
using,
and
that
makes
it
really
difficult.
I
think.
A
Yeah,
I
think
this
is
where
initially
mentioned.
You
know
that
you
know
if
you
had
extra
metadata
within
like
if
first
you
have
to
have
extra
metadata
somewhere
for
the
plug-in
to
tell
you
this
information
and
that's
you
know,
step
one
you're
actually
storing
this
somewhere
and
then
the
other
step
would
be
like
okay.
I
am
now
storing
metadata
about
what
the
plugin
knew
about
its
state
of
the
world.
When
it
did
this
encryption
for
me
once
you
have
that,
then
you
can
be
like
all
right.
C
A
I
guess
so
I
I
still
don't
have
a
good
grasp
of
the
cloud
kms's
and
their
api
capabilities
could
could
a
user
like
say
I
wanted
say.
I
wanted
basically
something
like
latest,
but
I
wanted
it
in
a
more
controlled
manner.
So
I
wanted
to
say:
hey
kms
plugin.
I
want
you
to
use
what
I
currently
call
the
right
key
as
your
key
right
and
basically
when
I
want
a
rotation
to
happen,
I
create
a
new
key
in
the
kms
and
once
I'm
I'm
ready
for
the
rotation
to
occur.
I
tell
my
cloud
kms
hey.
A
A
A
This
is
the
key
I
want
use
and
then
also
then
express
a
change
of
which
key
is
going
to
be
used.
So
that
way
you
get
kind
of
the
best
of
both
worlds
right,
which
is
that
you
can
say
just
use
the
right
key,
that's
the
one
I
want
to
use
and
you
just
allow
a
configuration
change
in
cloud
kms
to
explicitly
be
an
opt-in,
saying,
yeah.
I
created
this
key
and
I
did
oh
and
I
realized
oh,
that
was
the
wrong
time.
I
just
went
and
deleted
it
doesn't
matter.
C
C
D
A
A
The
thing
change
and
I'm
not
expecting
that
what
I'm
more
saying
is,
can
I
express
a
static
configuration
in
my
kms
plugin
config
that
can
be
dynamically
interpreted
within
the
cloud
tms.
So
that
way
I
can
use
the
cloud
kms
to
orchestrate
the
change
and
not
the
encryption
config.
That's
a
file
right.
Like
basically
can
I
use
the
thing
that
already
has
the
rest
api
dynamically
instead
of
trying
to
like.
A
That
already
exist,
because
I
think
that's
what
we
would
like
to
be
able
to
express-
and
I
think
that
would
handle
both
the
safety
net-
that
we
want,
which
is
stuff,
doesn't
just
change,
because
somebody
made
a
new
key
without
like
explicitly
saying,
I
want
to
use
the
key
or
a
new
version
of
a
particular
key,
but
at
the
same
time
you
can
express
your
intent
in
that
system.
Somehow.
C
C
C
E
A
D
D
So
similarly,
here
you
can
say
use
for
right
and
then
the
kms
plugins
would
need
to
query
the
version
that
is
using
this
particular
tag,
so
they
have
to
list
all
the
versions
and
then
filter
on
the
ones
that
has
this
tag
and
then
just
use
the
one
that
matches
the
tag,
but
there
is
no
native
way
to
do
it
like
this
is
just
with
all
the
decorators
that's
available.
We
can
do
it,
but
yeah.
There
is
no
way
to
pin
the
particular
version
as
the
latest
for
now.
A
You
would
be
sort
of
semi
abusing
the
tag
api
to
do
this,
but
I
think
it's
sort
of
fine,
because
the
idea
would
be
is
that
you're
you're
setting
up
a
contract,
an
api
contract
between
the
kms
plugin
implementation
and
how
you
configure
things
in
key
vault
in
this
case
as
a
key
role
right,
and
I
think
that
would
be
very
valuable
because
it
lets
you
do
what
the
orchestration
that
you
want
right.
You
can
very
specifically
say.
A
I
know
this
is
the
version
being
used
because
it's
literally
written
as
a
version
being
used
right
now,
because
it's
got
the
tag
and
if
there's
more
than
one
with
the
tag
you
can
be
like
you
know,
I
I
don't
know
what
the
definition
of
the
kms
plugin
would
be.
It
probably
would
start
airing
saying
or
it
might
just
use
the
last
one
it
used
or
whatever
I
don't
know
what
state
it
would
go
into.
A
C
A
A
C
E
A
I
do
think
this
falls
into
the
config
of
the
plug-in,
and
I
think
it's
okay,
if
you're,
if
the
remote
cams
influences
how
you
configure
the
kms
plugin
in
some
way.
Right
like,
I
think,
that's
okay,
because
if
you
try
to
normalize
the
configuration
of
all
of
the
kms
plug-in,
you
get
the
like
the
least
common
denominator
of
all
remote
implementations.
A
C
A
E
A
A
You
know
named
key
encryption
key,
but
it
was
using
an
older
revision.
So
I
need
to
ask
to
decrypt
this
this
blob
that
I
don't
understand
right
now,
using
that
particular
revision
right,
that's
kind
of
what
I
mean
is
like
there
could
be
value
in
having
this
extra
metadata,
because
it's
basically
a
way
for
the
kms
plug-in
to
remember
these
types
of
states
that
is
specific
to
how
they
provide
you
value.
Right
like
I,
I
I
would
expect
the
azure
key
vault
implementation
to
leverage
keyword,
specific
features
to
provide
a
good
experience.
A
And,
and
if
your
provider,
for
example,
can't
do
like
this
nice
rotation
because
it
doesn't
have
like
a
tagging
concept
or
something
and
fine,
you
just
have
to
pin
a
version
and
that's
all
you
ever
get,
and
it
probably
never
has
to
well.
You
might
still
want
to
put
stuff
in
metadata
to
make
it
clear
what
it
did,
but.
D
Yeah,
I
mean
it'll
be
great
if
they
can
just
configure
it
outside
and
don't
have
to
restart
all
the
components
in
the
cluster.
Like
one
thing,
one
other
thing
that
we
had
talked
about
was
maybe
just
push
all
of
this
into
the
kms
plugin.
So
today
we
do
configure
the
kms
plugin
and
pin
it
with
a
particular
version
right.
But
what
if
the
kms
plugin
implementation
can
handle
multiple
versions.
So
when
it's
configured,
basically,
you
can
say,
write
is
version
b1
and
then
for
read.
D
Maybe
v2
v3
v4,
so
it
can
basically
handle
these
things
internally.
So,
rather
than
relying
on
encryption
config
order,
when
the
api
server
says
hey
encrypt
this,
it
knows
it's
configured
with
this
particular
version
for
encryption,
so
it
always
uses
that,
but
for
decrypt
it
can
basically
go
through
the
list
with
which
it's
configured.
D
So
in
terms
of
rotation,
all
we
would
have
to
do
is
restart
the
kms
plugin,
which
is
still
if
it
doesn't
come
up.
We
break
the
api
server,
but
at
least
we
don't
have
to
update
the
encryption
config.
We
don't
have
to
restart
cube
api
server.
So
it's
only
a
single
component
restart.
Instead
of
all
these
multiple
different
components-
and
maybe
we
also
don't
have
to
restart
kms
plugin
like
this-
would
still
be
kms
plugin
implementation,
but
if
it's
watching
on
like
a
config
map
or
something
it
can
dynamically
pick
up
these
configurations.
D
A
Yeah,
so
certainly
a
kms
plugin
could
say
you
know
I'm
going
to
create
this
socket
at
this
end
point-
and
I
take
this
file
as
my
config
and
it
itself
could
keep
reloading
its
own
config
on
this.
So
now
you
don't
have
to
restart
it
at
all.
You
just
have
to
change
that
one
file
so
that
that
gets
you
closer,
which
is
basically
you
know,
that's
the
only
thing
you
need
to
change
and
the
I
I
think
the
main
thing.
That's
still
there
is,
I
mean
yeah.
A
D
C
C
B
A
See
you
next
week.
I
still
need
to
investigate.
Basically,
I
think
the
biggest
unknown
for
us
is:
could
we
could
we
make
it
at
least
somewhat
observable
the
current
state
of
all
of
this
from,
I
guess
the
kubernetes
api?
So
I
still
need
to
sort
of
check
what
this
all
means.
I
have
some
like
unfinished
ideas
in
my
head
about
how
we
could
make
the
kms
plug-in,
maybe
like
optionally,
serve
as
an
aggregated
api
server
so
like
it.
A
Could
it
could
if
it
wanted
to
serve
rest
apis
through
the
kubernetes
api,
and
it
would
be
optional,
like
you,
wouldn't
have
to
wire
these
up.
If
you
didn't
want
them
and
then
maybe
that
helps
it
like,
basically,
you
could
ask
the
kms
plugin.
Please
tell
me
what
the
state
is
using
your
fancy
api.
That
literally
exists
from
you.
I
don't
know
if
that's
a
good
idea
or
if
it
even
makes
sense,
but
that
was
sort
of
like
done
thought
so
far.
A
I
don't
know
like
yeah,
I
haven't
thought
through
it
yet,
like
you
know
it
could
be,
it
could
be
as
simple
as
like
hey
if
I
was
to
do
a
write
right
now.
What
key
would
you
end
up
using
like
that?
Would
you
know
that
would
at
least
tell
you?
Okay,
though,
you've
observed
some
some
particular
state
so
far
yeah.
It's
it's
still
unclear
to
me.
If
that
actually
works,
because
you
have
you
know
multiple
instances
of
this
process
running
so
like.
Does
it
make
sense
or
do
you
do?
A
I
haven't
figured
out
exactly
where
this
would
be
expressed,
because
this
is
sort
of
like
just
an
artifact
of
stores.
Right
like
you,
you
can't
ask
today
hey
this
object
in
ncd.
Is
it
stored
as
json
yaml,
or
you
can't
ask
that
right
right
and
it's
like
we're
saying,
but
I
really
want
to
ask
that
more
specifically,
I
want
to
ask
like
some
subset
of
that
question
and
I
think
okay,
let's
see
what
we
can
do.