The management and storage of private keys is the responsibility of the
DeltaKeyStore provides the interface for a key-storage
FileSystemKeyStore is an implementation that stores keys in PEM format on the file system.
Retrieval and usage of these keys is required in the following use cases:
- Request Signing - all endpoints requiring authentication will require the private signing key of the requesting identity as part of the CVT1 request signing process.
- Retrieving Secret Content - to retrieve secret content, a client will need access to the secret encryption key, which can only be decrypted with their private decryption key.
The Delta framework does not dictate or impose restrictions on how a client should manage and store private keys. It is therefore up to the implementation whether to develop a custom solution or use an existing one, as long as the keys are accessible for the above use cases.
Loads a private encryption key instance for the given identity id.
Parameters: identity_id (str) – the identity id of the key owner
Returns: the cryptographic private key object
Loads a private signing key instance for the given identity id.
Parameters: identity_id (str) – the identity id of the key owner
Returns: the signing private key object
store_keys(identity_id, private_signing_key, private_encryption_key)
Stores the signing and encryption key pairs under a given identity id.
- identity_id (str) – the identity id of the key owner
- private_signing_key (RSAPrivateKey) – the private signing key object
- private_encryption_key (RSAPrivateKey) – the private cryptographic key object
File-System Key Store
Implementation of the DeltaKeyStore abstract base class using the file system. Private keys are saved in the file system as encrypted PEM files and are only decrypted in memory on read.
Constructs a new filesystem-backed DeltaKeyStore with the given configuration.
- key_store_path (str) – the path to the private key store
- key_store_passphrase (str) – the passphrase to decrypt the keys
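The following is an added example, not the Delta SDK's own FileSystemKeyStore, showing the pattern this page describes: the two RSA private keys for an identity are written as passphrase-encrypted PKCS#8 PEM files under key_store_path, and each key is decrypted only in memory when read. It assumes the `cryptography` package; the file-name suffixes, the class name FileSystemKeyStoreExample, the retrieval method names load_private_signing_key / load_private_encryption_key and the demo helpers are assumptions of this example, not names from the SDK. Only store_keys and the constructor parameters come from the page.

```python
"""Added example of a file-system key store storing encrypted PEM keys.

Illustrative code, not the Delta SDK's FileSystemKeyStore. Assumes the
`cryptography` package. Method names for retrieval and the file suffixes
are assumptions of this example.
"""
import os
import tempfile

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


class FileSystemKeyStoreExample:
    # file-name suffixes are an assumption of this example
    SIGNING_SUFFIX = ".signing.pem"
    ENCRYPTION_SUFFIX = ".encryption.pem"

    def __init__(self, key_store_path, key_store_passphrase):
        self._path = key_store_path
        # PEM encryption routines take the passphrase as bytes
        self._passphrase = key_store_passphrase.encode("utf-8")
        # owner-only directory so other local users cannot read the key files
        os.makedirs(self._path, mode=0o700, exist_ok=True)

    def _file_for(self, identity_id, suffix):
        # reject identity ids that could resolve outside the store directory
        if identity_id in ("", ".", "..") or os.path.basename(identity_id) != identity_id:
            raise ValueError("invalid identity id")
        return os.path.join(self._path, identity_id + suffix)

    def _write_encrypted_pem(self, path, private_key):
        pem = private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.BestAvailableEncryption(self._passphrase),
        )
        # owner-only file; O_EXCL refuses to overwrite an existing key for the identity
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(pem)

    def _read_encrypted_pem(self, path):
        with open(path, "rb") as f:
            pem = f.read()
        # the key material is decrypted here, in memory only; the file stays encrypted
        return serialization.load_pem_private_key(pem, password=self._passphrase)

    def store_keys(self, identity_id, private_signing_key, private_encryption_key):
        self._write_encrypted_pem(self._file_for(identity_id, self.SIGNING_SUFFIX), private_signing_key)
        self._write_encrypted_pem(self._file_for(identity_id, self.ENCRYPTION_SUFFIX), private_encryption_key)

    def load_private_signing_key(self, identity_id):  # assumed name
        return self._read_encrypted_pem(self._file_for(identity_id, self.SIGNING_SUFFIX))

    def load_private_encryption_key(self, identity_id):  # assumed name
        return self._read_encrypted_pem(self._file_for(identity_id, self.ENCRYPTION_SUFFIX))


def _wrong_passphrase_rejected(path):
    # a wrong passphrase must fail to decrypt rather than yield a key
    with open(path, "rb") as f:
        pem = f.read()
    try:
        serialization.load_pem_private_key(pem, password=b"not-the-passphrase")
    except ValueError:
        return True
    return False


def round_trip_demo(key_store_path, passphrase="constructed-demo-passphrase"):
    """Store two generated RSA keys, reload them and check the on-disk form."""
    store = FileSystemKeyStoreExample(key_store_path, passphrase)
    signing = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    encryption = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    identity_id = "identity-1234"  # constructed sample id
    store.store_keys(identity_id, signing, encryption)
    loaded_sign = store.load_private_signing_key(identity_id)
    loaded_enc = store.load_private_encryption_key(identity_id)
    signing_path = os.path.join(key_store_path, identity_id + store.SIGNING_SUFFIX)
    with open(signing_path, "rb") as f:
        on_disk = f.read()
    return {
        "signing_matches": loaded_sign.public_key().public_numbers()
        == signing.public_key().public_numbers(),
        "encryption_matches": loaded_enc.public_key().public_numbers()
        == encryption.public_key().public_numbers(),
        # PKCS#8 encrypted PEM carries an "ENCRYPTED PRIVATE KEY" header
        "file_is_encrypted": b"ENCRYPTED PRIVATE KEY" in on_disk,
        "wrong_passphrase_rejected": _wrong_passphrase_rejected(signing_path),
    }


def run_demo_in_tempdir():
    """Run the round trip in a throwaway directory and return the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        return round_trip_demo(os.path.join(tmp, "keystore"))


if __name__ == "__main__":
    print(run_demo_in_tempdir())
```

The O_EXCL create and the 0600/0700 modes are the parts worth copying into any custom DeltaKeyStore: they stop a second store_keys call from silently replacing an identity's keys and keep the encrypted PEM files unreadable to other local users. The passphrase itself is the remaining secret, so how it is supplied (environment, prompt, secret manager) decides the real strength of this store.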