Home > OS >  How is decryption done in NGINX when SSL is offloaded to GCP Cloud KMS?
How is decryption done in NGINX when SSL is offloaded to GCP Cloud KMS?

Time:08-27

I'm investigating possibility to offload SSL to GCP Cloud KMS. If we look at a guide https://cloud.google.com/kms/docs/reference/pkcs11-nginx we can see that asymmetric-signing key is created in KMS.

gcloud kms keys create nginx-key --keyring "KEYRING" --project "PROJECT" \
  --location "LOCATION" --purpose "asymmetric-signing" \
  --default-algorithm "ec-sign-p256-sha256" --protection-level "hsm"

Then this signing key is used in NGINX:

        ssl_certificate "/etc/ssl/nginx/ca.cert";
        ssl_certificate_key "engine:pkcs11:pkcs11:object=nginx-key";

The questing is how decryption is done in SSL flow if we use only signing key that can't do decryption?

Thanks!

CodePudding user response:

As can be seen ecliptic curve signing is used. So, there is no decryption of symmetric secret during SSL handshake because Diffie–Hellman key exchange schema is used.

CodePudding user response:

A ephermeral session key is established during the SSL handshake and that key is used for the encryption of messages between the client and server. The KMS key is used durting the handshake to prove (via signing) to the client that they are connected to the correct server.

Page link:https//www.codepudding.com/os/524744.html

Prev:Ingress nginx stripping grpc request metadata headers
Next:Flask Circular Error: Error while finding module specification for 'flask.__main__'
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding