Key Store
The management and storage of private keys is the responsibility of the client. The DeltaKeyStore class provides the interface for a key-storage implementation. The FileSystemKeyStore class is an implementation that stores keys in PEM format on the file system.
Retrieval and usage of these keys are required in the following use cases:
- Request Signing - all endpoints requiring authentication will require the private signing key of the requesting identity as part of the CVT1 request signing process.
- Retrieving Secret Content - to retrieve secret content, a client will need access to the secret encryption key, which can only be decrypted with their private decryption key.
The Delta framework does not dictate or impose restrictions on how a client should manage and store private keys. It is therefore up to the implementation whether to develop a custom solution or use a pre-existing one, as long as the keys are accessible in the above use cases.
class covata.delta.keystore.DeltaKeyStore

    get_private_encryption_key(identity_id)
        Loads a private encryption key instance for the given identity id.
        Parameters: identity_id (str) – the identity id of the key owner
        Returns: the cryptographic private key object

    get_private_signing_key(identity_id)
        Loads a private signing key instance for the given identity id.
        Parameters: identity_id (str) – the identity id of the key owner
        Returns: the signing private key object

    store_keys(identity_id, private_signing_key, private_encryption_key)
        Stores the signing and encryption key pairs under a given identity id.
        Parameters:
        - identity_id (str) – the identity id of the key owner
        - private_signing_key (RSAPrivateKey) – the private signing key object
        - private_encryption_key (RSAPrivateKey) – the private cryptographic key object
File-System Key Store
Implementation of the DeltaKeyStore abstract base class using the file system. Private keys are saved on the file system as encrypted PEM files and are only decrypted in memory on read.

class covata.delta.keystore.FileSystemKeyStore(key_store_path, key_store_passphrase)
    Bases: covata.delta.keystore.DeltaKeyStore
    Constructs a new filesystem-backed DeltaKeyStore with the given configuration.
    Parameters:
    - key_store_path (str) – the path to the private key store
    - key_store_passphrase (str) – the passphrase to decrypt the keys
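The following is an added example, not code from the covata-delta project, showing what an implementation of the DeltaKeyStore interface and the file-system behaviour described above looks like end to end: keys are written as passphrase-encrypted PKCS#8 PEM files with owner-only permissions, decrypted only in memory on read, and a wrong passphrase is rejected rather than yielding a key. It assumes the `cryptography` package is installed; the one-file-per-key naming scheme (`<identity_id>.<purpose>.pem`), the `demonstrate` helper and the identity id are constructed for this example and are not the project's.

```python
# Added example (not the covata-delta project's own code): a key store modelled
# on the DeltaKeyStore interface documented above, backed by passphrase-encrypted
# PEM files as the File-System Key Store section describes.
# Assumes the `cryptography` package is installed; the file naming scheme
# (<identity_id>.<purpose>.pem) and the identity id below are constructed.
import os
import stat
import tempfile
from abc import ABC, abstractmethod

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


class DeltaKeyStore(ABC):
    """Abstract key-storage interface: the three methods documented above."""

    @abstractmethod
    def get_private_encryption_key(self, identity_id):
        """Return the private encryption key object for identity_id."""

    @abstractmethod
    def get_private_signing_key(self, identity_id):
        """Return the private signing key object for identity_id."""

    @abstractmethod
    def store_keys(self, identity_id, private_signing_key, private_encryption_key):
        """Persist both private keys under identity_id."""


class FileSystemKeyStore(DeltaKeyStore):
    """Each key is a PKCS#8 PEM file encrypted under the key-store passphrase;
    the plaintext key exists only in memory, after a successful read."""

    def __init__(self, key_store_path, key_store_passphrase):
        self.key_store_path = key_store_path
        self._passphrase = key_store_passphrase.encode("utf-8")
        # Owner-only directory: other local users cannot read even the ciphertext.
        os.makedirs(key_store_path, mode=0o700, exist_ok=True)

    def _path(self, identity_id, purpose):
        # Hypothetical layout: one file per key, named <identity_id>.<purpose>.pem
        return os.path.join(self.key_store_path, "{}.{}.pem".format(identity_id, purpose))

    def _write_encrypted_pem(self, path, key):
        pem = key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.BestAvailableEncryption(self._passphrase),
        )
        # Create the file with mode 0600 before any key bytes reach the disk.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(pem)

    def _read_encrypted_pem(self, path):
        with open(path, "rb") as f:
            # Raises ValueError when the passphrase does not decrypt the file.
            return serialization.load_pem_private_key(
                f.read(), password=self._passphrase, backend=default_backend())

    def store_keys(self, identity_id, private_signing_key, private_encryption_key):
        self._write_encrypted_pem(self._path(identity_id, "signing"), private_signing_key)
        self._write_encrypted_pem(self._path(identity_id, "encryption"), private_encryption_key)

    def get_private_signing_key(self, identity_id):
        return self._read_encrypted_pem(self._path(identity_id, "signing"))

    def get_private_encryption_key(self, identity_id):
        return self._read_encrypted_pem(self._path(identity_id, "encryption"))


def _same_key(a, b):
    """Compare two RSA private keys by their underlying numbers."""
    return a.private_numbers() == b.private_numbers()


def demonstrate(passphrase, wrong_passphrase, key_store_path=None):
    """Store freshly generated signing and encryption keys, reload them, and
    return the properties a reviewer would check as a dict."""
    key_store_path = key_store_path or tempfile.mkdtemp(prefix="delta-keystore-")
    identity_id = "example-identity-0001"  # constructed sample identity id
    signing = rsa.generate_private_key(65537, 2048, default_backend())
    encryption = rsa.generate_private_key(65537, 2048, default_backend())

    store = FileSystemKeyStore(key_store_path, passphrase)
    store.store_keys(identity_id, signing, encryption)
    signing_path = store._path(identity_id, "signing")
    with open(signing_path, "rb") as f:
        on_disk = f.read()

    try:  # a second store opened with the wrong passphrase must not yield a key
        FileSystemKeyStore(key_store_path, wrong_passphrase).get_private_signing_key(identity_id)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True

    return {
        "pem_is_encrypted": on_disk.startswith(b"-----BEGIN ENCRYPTED PRIVATE KEY-----"),
        "file_mode": stat.S_IMODE(os.stat(signing_path).st_mode),
        "signing_matches": _same_key(signing, store.get_private_signing_key(identity_id)),
        "encryption_matches": _same_key(encryption, store.get_private_encryption_key(identity_id)),
        "keys_are_distinct": not _same_key(signing, encryption),
        "wrong_passphrase_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    for name, value in demonstrate("correct horse battery staple", "not the passphrase").items():
        print("{}: {}".format(name, oct(value) if name == "file_mode" else value))
```

The file-permission step is the part most often left out of custom key stores: `BestAvailableEncryption` protects the key at rest against someone who copies the file, while the 0600 mode and 0700 directory stop other local accounts from getting the ciphertext to attack offline in the first place. The passphrase itself is held in memory for the lifetime of the store object, which is the trade-off the documented constructor signature implies.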