From 4bd3790be8bca93f4e60f68371ec5508267b980f Mon Sep 17 00:00:00 2001 From: Luciano CALAMIA Date: Mon, 12 May 2025 10:35:48 +0200 Subject: [PATCH 1/6] docs(km): add docs on cryptographic details --- .../cryptographic-details-key-manager.mdx | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 pages/key-manager/reference-content/cryptographic-details-key-manager.mdx diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx new file mode 100644 index 0000000000..10e91ca528 --- /dev/null +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx 
@@ -0,0 +1,66 @@ +--- +meta: + title: Cryptographic details of Scaleway Key Manager + description: This document details the cryptographic mechanisms of Scaleway Key Manager with adherence to ANSSI-PA-079 recommendations +content: + h1: Cryptographic details of Scaleway Key Manager + paragraph: This document details the cryptographic mechanisms of Scaleway Key Manager with adherence to ANSSI-PA-079 recommendations +tags: key-manager security +dates: + validation: 2025-04-30 + posted: 2025-04-30 +--- + +## Cryptographic primitives + +### Random number generation + +#### Generating KEKs + +Scaleway Key Manager uses a **Cryptographically Secure Pseudorandom Number Generator (CSPRNG)** +to generate both keying material for managed keys and cryptographic unique IVs. + +The CSPRNG relies on recent Linux provided ChaCha-based PRNG, which is seeded with high-entropy and unpredictable sources: + - Timing variations from hardware events + - True Random Number Generators (TRNGs), such as the `RDSEED`/`RDRAND` instructions on AMD64 family processors + + +Conforms to ANSSI-PA-079 R14. + + + +That section does not apply to key imported by users via the Bring Your Own Key (BYOK) mechanism. + + + +#### Customer-provided KEKs (BYOK) + +Scaleway's Key Manager supports Bring Your Own Key (BYOK), so customer can import their +own key material without relying on Scaleway to generate keys for them. In this case, +the user has the responsibility to provide a strong key material. + +The provided material is not used as is. It is derived using the **HKDF algorithm with SHA2-256** +as the hash algorithm, with secure random bytes injected as salt. + +### Symmetric encryption + +Scaleway Key Manager uses **AES-256-GCM** (AES with 256-bit key in Galois Counter Mode) with +authenticated associated data (AEAD) to encrypt and decrypt user-provided payload. + +To reduce the risk of key overuse, plaintext payloads cannot exceed 64 KiB. 
+ +For each encryption operation, a 96-bit Initialization Vector (IV) +is generated using the CSPRNG described in the previous section. + + +Conforms to ANSSI-PA-079 R1, R4, R12. + + + +The Key Manager uses AES-256-GCM algorithm internally, but this does not constrain users to the same algorithm for their DEKs. +We recommend using cryptographic libraries like Tink, which handle DEK management with robust and reviewed algorithms. +Scaleway provides a Tink integrations for Go and Python, which is the preferred integration method. + - [Tink Python integration](https://github.com/scaleway/tink-py-scwkms) + - [Ting Go integration](https://github.com/scaleway/tink-go-scwkms) + + From 61eb5f7211916da99fb47ebe6384daf81b786e2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Mon, 12 May 2025 14:45:05 +0200 Subject: [PATCH 2/6] docs(review): review neda --- .../cryptographic-details-key-manager.mdx | 58 +++++++++---------- 1 file changed, 27 insertions(+), 31 deletions(-) diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx index 10e91ca528..2ce1dc32e4 100644 --- a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx 
@@ -1,66 +1,62 @@ --- meta: title: Cryptographic details of Scaleway Key Manager - description: This document details the cryptographic mechanisms of Scaleway Key Manager with adherence to ANSSI-PA-079 recommendations + description: This page describes the cryptographic mechanisms used by Scaleway Key Manager, in accordance with ANSSI-PA-079 recommendations. content: h1: Cryptographic details of Scaleway Key Manager - paragraph: This document details the cryptographic mechanisms of Scaleway Key Manager with adherence to ANSSI-PA-079 recommendations + paragraph: This page describes the cryptographic mechanisms used by Scaleway Key Manager, in accordance with ANSSI-PA-079 recommendations. tags: key-manager security +categories: + - identity-and-access-management dates: - validation: 2025-04-30 - posted: 2025-04-30 + validation: 2025-05-12 + posted: 2025-05-12 --- ## Cryptographic primitives ### Random number generation -#### Generating KEKs +#### Key encryption key (KEK) generation -Scaleway Key Manager uses a **Cryptographically Secure Pseudorandom Number Generator (CSPRNG)** -to generate both keying material for managed keys and cryptographic unique IVs. +Scaleway Key Manager uses a **C**ryptographically **S**ecure **P**seudorandom **N**umber **G**enerator (CSPRNG) to generate both keying material for managed keys and cryptographically unique initialization vectors (IVs). -The CSPRNG relies on recent Linux provided ChaCha-based PRNG, which is seeded with high-entropy and unpredictable sources: - - Timing variations from hardware events - - True Random Number Generators (TRNGs), such as the `RDSEED`/`RDRAND` instructions on AMD64 family processors +This CSPRNG is based on the ChaCha-based pseudorandom number generator provided by modern Linux kernels. 
It is seeded with high-entropy, unpredictable sources, such as: + +- Timing variations from hardware events +- True Random Number Generators (TRNGs), including the `RDSEED` and `RDRAND` instructions available on AMD64 processors -Conforms to ANSSI-PA-079 R14. + Complies with ANSSI-PA-079 Recommendation R14. - -That section does not apply to key imported by users via the Bring Your Own Key (BYOK) mechanism. + + The information in the section above does not apply to keys imported via the Bring Your Own Key (BYOK) mechanism. #### Customer-provided KEKs (BYOK) -Scaleway's Key Manager supports Bring Your Own Key (BYOK), so customer can import their -own key material without relying on Scaleway to generate keys for them. In this case, -the user has the responsibility to provide a strong key material. +Scaleway Key Manager supports Bring Your Own Key (BYOK), allowing customers to import their own key material. In this model, Scaleway does not generate keys on behalf of the customer. Instead, the responsibility for generating strong key material lies with the user. -The provided material is not used as is. It is derived using the **HKDF algorithm with SHA2-256** -as the hash algorithm, with secure random bytes injected as salt. +Imported key material is is not used directly, but processed using the **HKDF algorithm with SHA-256** as the hash function, incorporating secure random bytes as salt. ### Symmetric encryption -Scaleway Key Manager uses **AES-256-GCM** (AES with 256-bit key in Galois Counter Mode) with -authenticated associated data (AEAD) to encrypt and decrypt user-provided payload. - -To reduce the risk of key overuse, plaintext payloads cannot exceed 64 KiB. +Scaleway Key Manager uses **AES-256-GCM** (AES with a 256-bit key in Galois/Counter Mode) with authenticated associated data (AEAD) for encrypting and decrypting user payloads. 
-For each encryption operation, a 96-bit Initialization Vector (IV) -is generated using the CSPRNG described in the previous section. +To reduce the risk of key overuse, plaintext payloads are limited to a maximum size of 64 KiB. a unique 96-bit initialization vector (IV) is generated using the CSPRNG described in the section above. -Conforms to ANSSI-PA-079 R1, R4, R12. + Complies with ANSSI-PA-079 Recommendations R1, R4, and R12. - -The Key Manager uses AES-256-GCM algorithm internally, but this does not constrain users to the same algorithm for their DEKs. -We recommend using cryptographic libraries like Tink, which handle DEK management with robust and reviewed algorithms. -Scaleway provides a Tink integrations for Go and Python, which is the preferred integration method. - - [Tink Python integration](https://github.com/scaleway/tink-py-scwkms) - - [Ting Go integration](https://github.com/scaleway/tink-go-scwkms) + + While Key Manager internally uses AES-256-GCM, this does not restrict users to the same algorithm for their data encryption keys (DEKs). + We recommend using cryptographic libraries like Tink, which handle DEK management with robust and reviewed algorithms. + Scaleway provides Tink integrations for Go and Python, which is the preferred integration method. + + - [Tink Python integration](https://github.com/scaleway/tink-py-scwkms) + - [Ting Go integration](https://github.com/scaleway/tink-go-scwkms) From c8fa3594df0a3d2dba2421cbafa8dc700b7311a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Mon, 12 May 2025 15:24:22 +0200 Subject: [PATCH 3/6] Update cryptographic-details-key-manager.mdx --- .../cryptographic-details-key-manager.mdx | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx index 2ce1dc32e4..1a2a53ea0d 100644 --- a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx @@ -13,7 +13,9 @@ dates: posted: 2025-05-12 --- -## Cryptographic primitives +## Cryptographic primitives in Scaleway Key Manager + +This page provides information on the core cryptographic mechanisms used by Key Manager. It explains how cryptographic keys are generated, managed, and used to encrypt data. Key Manager uses cryptographic mechanisms in compliance with cryptographic guidelines issued by [France's national cybersecurity agency](https://cyber.gouv.fr/) in the ANSSI-PA-079 recommendations. to ensure the confidentiality and integrity of customer data. ### Random number generation @@ -27,11 +29,11 @@ This CSPRNG is based on the ChaCha-based pseudorandom number generator provided - True Random Number Generators (TRNGs), including the `RDSEED` and `RDRAND` instructions available on AMD64 processors - Complies with ANSSI-PA-079 Recommendation R14. + The section above is in compliance with [ANSSI-PA-079 Recommendation R14](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf), which mandates the use of a cryptographically secure and appropriately seeded pseudorandom generator for key and IV material. - The information in the section above does not apply to keys imported via the Bring Your Own Key (BYOK) mechanism. + The information above applies only to keys generated by Key Manager. If you import a key using the Bring Your Own Key (BYOK) mechanism, these safeguards are not applied to your key material. 
@@ -39,7 +41,7 @@ This CSPRNG is based on the ChaCha-based pseudorandom number generator provided Scaleway Key Manager supports Bring Your Own Key (BYOK), allowing customers to import their own key material. In this model, Scaleway does not generate keys on behalf of the customer. Instead, the responsibility for generating strong key material lies with the user. -Imported key material is is not used directly, but processed using the **HKDF algorithm with SHA-256** as the hash function, incorporating secure random bytes as salt. +To protect against direct reuse, imported key material is not used directly. Instead, it is processed using the HKDF algorithm (HMAC-based Key Derivation Function) with SHA-256 as the hash algorithm, incorporating secure random bytes added as a salt value. ### Symmetric encryption @@ -48,7 +50,7 @@ Scaleway Key Manager uses **AES-256-GCM** (AES with a 256-bit key in Galois/Coun To reduce the risk of key overuse, plaintext payloads are limited to a maximum size of 64 KiB. a unique 96-bit initialization vector (IV) is generated using the CSPRNG described in the section above. - Complies with ANSSI-PA-079 Recommendations R1, R4, and R12. + The section above is in compliance with [ANSSI-PA-079 Recommendations R1, R4, and R12] regarding the choice of secure, authenticated symmetric encryption (R1), key and IV uniqueness (R4), and payload size limitations and proper use of AEAD modes (R12). Refer to the ANSSI-PA-079 recommendations [documentation](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf) for more details. From 20d2522122855972313d3d0a4862f75d3b6f96b1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Mon, 12 May 2025 15:24:49 +0200 Subject: [PATCH 4/6] Update pages/key-manager/reference-content/cryptographic-details-key-manager.mdx --- .../reference-content/cryptographic-details-key-manager.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx index 1a2a53ea0d..647ee75bd2 100644 --- a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx @@ -50,7 +50,7 @@ Scaleway Key Manager uses **AES-256-GCM** (AES with a 256-bit key in Galois/Coun To reduce the risk of key overuse, plaintext payloads are limited to a maximum size of 64 KiB. a unique 96-bit initialization vector (IV) is generated using the CSPRNG described in the section above. - The section above is in compliance with [ANSSI-PA-079 Recommendations R1, R4, and R12] regarding the choice of secure, authenticated symmetric encryption (R1), key and IV uniqueness (R4), and payload size limitations and proper use of AEAD modes (R12). Refer to the ANSSI-PA-079 recommendations [documentation](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf) for more details. + The section above is in compliance with ANSSI-PA-079 Recommendations R1, R4, and R12 regarding the choice of secure, authenticated symmetric encryption (R1), key and IV uniqueness (R4), and payload size limitations and proper use of AEAD modes (R12). Refer to the ANSSI-PA-079 recommendations [documentation](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf) for more details. From f570f9a7a3ad259c827b0911bfb06d3dda5df35a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Mon, 12 May 2025 16:01:24 +0200 Subject: [PATCH 5/6] Update pages/key-manager/reference-content/cryptographic-details-key-manager.mdx --- .../reference-content/cryptographic-details-key-manager.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx index 647ee75bd2..4b11f0f9cf 100644 --- a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx @@ -15,7 +15,7 @@ dates: ## Cryptographic primitives in Scaleway Key Manager -This page provides information on the core cryptographic mechanisms used by Key Manager. It explains how cryptographic keys are generated, managed, and used to encrypt data. Key Manager uses cryptographic mechanisms in compliance with cryptographic guidelines issued by [France's national cybersecurity agency](https://cyber.gouv.fr/) in the ANSSI-PA-079 recommendations. to ensure the confidentiality and integrity of customer data. +This page provides information on the core cryptographic mechanisms used by Key Manager. It explains how cryptographic keys are generated, managed, and used to encrypt data. Key Manager uses these mechanisms in compliance with the cryptographic guidelines issued by [France's national cybersecurity agency](https://cyber.gouv.fr/), as outlined in the ANSSI-PA-079 recommendations, to ensure the confidentiality and integrity of customer data. ### Random number generation From 673bde5d888c87545e7da6948c4b782ac880589f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Tue, 13 May 2025 11:17:37 +0200 Subject: [PATCH 6/6] Apply suggestions from code review Co-authored-by: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> --- .../reference-content/cryptographic-details-key-manager.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx index 4b11f0f9cf..a463656107 100644 --- a/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx +++ b/pages/key-manager/reference-content/cryptographic-details-key-manager.mdx 
@@ -47,10 +47,10 @@ To protect against direct reuse, imported key material is not used directly. Ins Scaleway Key Manager uses **AES-256-GCM** (AES with a 256-bit key in Galois/Counter Mode) with authenticated associated data (AEAD) for encrypting and decrypting user payloads. -To reduce the risk of key overuse, plaintext payloads are limited to a maximum size of 64 KiB. a unique 96-bit initialization vector (IV) is generated using the CSPRNG described in the section above. +To reduce the risk of key overuse, plaintext payloads are limited to a maximum size of 64 KiB. A unique 96-bit initialization vector (IV) is generated using the CSPRNG described in the section above. - The section above is in compliance with ANSSI-PA-079 Recommendations R1, R4, and R12 regarding the choice of secure, authenticated symmetric encryption (R1), key and IV uniqueness (R4), and payload size limitations and proper use of AEAD modes (R12). Refer to the ANSSI-PA-079 recommendations [documentation](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf) for more details. + The section above is in compliance with ANSSI-PA-079 Recommendations R1, R4, and R12 regarding the choice of secure, authenticated symmetric encryption (R1), key and IV uniqueness (R4), payload size limitations and proper use of AEAD modes (R12). Refer to the ANSSI-PA-079 recommendations [documentation](https://cyber.gouv.fr/sites/default/files/2021/03/anssi-guide-selection_crypto-1.0.pdf) for more details.
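Review bot: in the "Symmetric encryption" paragraph of PATCH 1/6 (hunk `@@ -0,0 +1,66 @@`), "authenticated associated data (AEAD)" expands the acronym incorrectly; AEAD is authenticated encryption with associated data. The wording is carried through PATCH 2/6 and is still present in the context lines of PATCH 6/6, so it ships as is. Suggest "AES-256-GCM (...), an authenticated encryption with associated data (AEAD) mode, to encrypt and decrypt user payloads", and say whether callers can supply associated data, which the page does not state. In the same hunk, the bullet listing `RDSEED`/`RDRAND` as True Random Number Generators is imprecise: `RDRAND` returns the output of an on-chip deterministic generator that is reseeded from the hardware entropy source, while `RDSEED` is the instruction intended for seeding. "hardware random number instructions" would be accurate for both.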
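Review bot: the rewritten IV sentence in PATCH 2/6 (hunk `@@ -1,66 +1,62 @@`) drops "For each encryption operation", so the page no longer states that a fresh IV is generated per encryption, and PATCH 6/6 only fixes the capital letter. A fresh IV for every encryption under a given key is the property GCM depends on, so it should be stated explicitly. "unique" also promises more than a randomly generated 96-bit value gives: random IVs make a repeat improbable, not impossible. Suggest restoring "For each encryption operation, a 96-bit IV is generated using the CSPRNG described in the section above", and if uniqueness is claimed, stating the number of encryptions per key for which it is expected to hold. The link text "Ting Go integration" is carried over unchanged from PATCH 1/6 and should read "Tink Go integration".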
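Review bot: the BYOK note in the `@@ -27,11 +29,11 @@` hunk of PATCH 3/6 now says "these safeguards are not applied to your key material", which reads as a contradiction of the next section, where imported material is passed through HKDF with secure random bytes as salt. The earlier wording only said that the generation section does not apply to imported keys. Suggest something like "The generation process above applies only to keys generated by Key Manager. The strength of imported (BYOK) key material depends on how you generated it", so the note limits the scope of the section without implying that imported keys receive no protection.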
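Review bot: "To protect against direct reuse" in the `@@ -39,7 +41,7 @@` hunk of PATCH 3/6 is a rationale the original sentence did not give, and it does not say what would be reused or where. Either drop the clause or have the author of the cryptographic content state the actual purpose of the derivation. The sentence also leaves out the HKDF parameters a reader needs in order to reason about it: the output length, whether an info/context value is used, and where the salt is kept so that the derivation can be repeated. "incorporating secure random bytes added as a salt value" is redundant; "with secure random bytes as salt" says the same thing. The bold on the algorithm name was dropped here while **AES-256-GCM** stays bold in the next section, so the emphasis is now inconsistent.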
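Review bot: the compliance note touched by PATCH 6/6 (hunk `@@ -47,10 +47,10 @@`) carries per-recommendation glosses that were introduced during docs review in PATCH 3/6; PATCH 1/6 only listed "R1, R4, R12" and "R14" with no description of what each covers. Before merge, the author of the cryptographic content should confirm each gloss (including the R14 wording "mandates the use of ...") against the linked guide, since nothing in this series shows where the descriptions come from. Removing "and" in this patch also leaves the list without a conjunction before its last item, and "payload size limitations and proper use of AEAD modes (R12)" can now be read as two separate items with only the second tied to R12. Suggest "... key and IV uniqueness (R4), and payload size limits together with proper use of AEAD modes (R12)".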