Skip to content

Create 'mounted key' encryption.Key implementation

Created by: arussellsaw

The most general purpose encryption.Key we can make is one that mounts a key from the environment, and encrypts data locally, rather than using the APIs provided by GCloud, AWS, or Vault.

There are a few ways we could load the key:

  • Mounted file path: This is probably the most secure way, and is compatible with the way kubernetes provides managed secrets
  • Environment variable: This feels less secure, it trades off a little deployment security for convenience, some users might want this
  • Direct key in config: i don't think we should do this, as it'll be exposed in the admin UI