keyring: support external KMS for key encryption key (KEK) (#23580)

In Nomad 1.4.0, we shipped support for encrypted Variables and signed Workload Identities, but the key material is protected only by a AEAD encrypting the KEK. Add support for Vault transit encryption and external KMS from major cloud providers. The servers call out to the external service to decrypt each key in the on-disk keystore. Ref: https://hashicorp.atlassian.net/browse/NET-10334 Fixes: https://github.com/hashicorp/nomad/issues/14852
2026-01-04 09:25:46 +03:00 · 2024-07-18 09:42:28 -04:00
parent de10efa3fa
commit c970d22164
19 changed files with 733 additions and 100 deletions
--- a/command/agent/testdata/basic.json
+++ b/command/agent/testdata/basic.json
@@ -204,6 +204,14 @@
      "Access-Control-Allow-Origin": "*"
    }
  ],
+  "keyring": {
+    "awskms": {
+      "active": true,
+      "region": "us-east-1",
+      "kms_key_id": "alias/kms-nomad-keyring"
+    },
+    "aead": {}
+  },
  "leave_on_interrupt": true,
  "leave_on_terminate": true,
  "log_file": "/var/log/nomad.log",