KMS integration #

KMS plays an important role for providing cryptographic keys security. Currently, Acra uses KMS to load Acra Master Key used for intermediate keys encrypting / decrypting. Since safety of Acra’s cryptographic keys directly depends on safety of Acra Master Key, Acra has strong requirements to KMSs and their security guarantees.

Refer to Acra in depth / Key storage and KMS to learn more about general key storage requirements.

Refer to Security controls / Key management to learn how to generate Acra Master Key.

Loading Acra Master Key #

On startup every Acra service or tool that needs access to intermediate keys should load Acra Master Key.

They load and store it in a memory and use it to decrypt intermediate key every time. After finishing operations with intermediate keys, a service forgets and erases them from memory to leave them in unprotected form as less as possible.

Only Acra Master Key loaded securely gives Acra access to intermediate keys and sensitive data protected with these keys.

The load could happen:

• directly via environment variable (refer to Security Controls / Key management);

• directly from KMS (AcraServer/AcraTranslator support KMS integration directly to read Acra Master Key, see below);

• from KMS via environment variable (read keys from KMS using curl or your preferred deployment tool, put it to the environment variable, startup Acra service from env variable).

Supported KMSs #

Hashicorp Vault #

Hashicorp Vault is popular, widely used service for secure storing sensitive data, especially secrets. Acra uses Hashicorp Vault as storage for master key used to encrypt/decrypt all private keys.

Hashicorp Vault supports a lot of storage backends, that guarantee high availability, scalability, authenticated and secure transport communication. That is why Acra supports it out of the box.

The following Acra services and tools can load Acra Master Key from this KMS.

• acra-server,
• acra-translator,
• acra-keymaker,
• acra-rotate,
• acra-addzone (deprecated since 0.94.0, will be removed in 0.95.0),
• acra-backup (deprecated since 0.96.0, will be removed in 0.97.0),
• acra-log-verifier,
• acra-poisonrecordmaker,
• acra-rollback.

You can find out how to configure access to KMS on HashiCorp Vault section on the distinct documentation page of these services.

AWS KMS #

AWS KMS is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data. Acra use AWS KMS manged keys to decrypt Acra Master Key.

AWS KMS is a popular solution for centralized key management, managing encryption for AWS services, and data encryption in the client application. That is why Acra is trying to provide the closest possible integration with it.

The following Acra services and tools can load Acra Master Key from this KMS.

• acra-server,
• acra-translator,
• acra-keymaker,
• acra-rotate,
• acra-addzone (deprecated since 0.94.0, will be removed in 0.95.0),
• acra-backup (deprecated since 0.96.0, will be removed in 0.97.0),
• acra-log-verifier,
• acra-poisonrecordmaker,
• acra-rollback.

You can find out how to configure access to KMS on KMS section on the distinct documentation page of these services.

GCP KMS #

Support of GCP KMS is available only in Acra Enterprise Edition

Keywhiz #

Support of Keywhiz is available only in Acra Enterprise Edition

Note that Acra Enterprise Edition provides better KMSs integration and more ways to load Acra Master Key.