Has anyone tried using AWS KMS on Heroku?
On one hand, Heroku runs on AWS, so it should work.
On the other hand, I haven't seen any references to using it from Heroku.
My main goal is to be able to fetch encryption keys from a hardware security module (rather than hard-coding them in my code or putting them in environment variables).
There is no reason why you should not be able to call a KMS endpoint from anywhere you have internet connectivity.
You still need to have an access key and secret access key for the AWS account you are using and that account needs to have permissions on KMS.
You will need to distribute the encrypted stuff and the AWS keys to your Heroku instance. You can then decrypt and use KMS from there.
One thing that is worth mentioning: when using KMS you never see the actual key KMS uses. You can create the key, you can encrypt and decrypt, and/or you can have permissions on the specific API operations, but you cannot get the plaintext key.
What you normally do is some sort of envelope encryption in which you generate your own key and encrypt it via KMS and send the encrypted key and the encrypted data to the destination.
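The envelope-encryption flow the answer describes, written out as an added example that is not from the original thread. It uses the same two calls the real boto3 KMS client exposes (`generate_data_key` and `decrypt`, with the same argument and return-value names), but runs offline against a `FakeKms` stand-in whose master key never leaves the object, which is the property the answer is pointing at. The key alias `alias/hypothetical-app-key` is a placeholder, and the HMAC-SHA256 stream cipher stands in for AES-GCM only so that the file runs with nothing beyond the standard library; in a real deployment you would use `boto3.client("kms")` and an AEAD such as AES-GCM from the `cryptography` package.

```python
"""Envelope encryption in the shape of the AWS KMS API (constructed example).

Assumptions, none of which come from the original post: the key alias, the
FakeKms stand-in, and the HMAC-based stream cipher that replaces AES-GCM so
this runs offline with only the standard library.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 counter blocks (a stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on any modification."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class FakeKms:
    """Offline stand-in for the two boto3 KMS calls the envelope pattern needs.

    The master key exists only inside this object: callers receive data keys
    and ciphertext, never the master key itself, just as with a real CMK.
    """

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        plaintext = secrets.token_bytes(32)
        return {"KeyId": KeyId, "Plaintext": plaintext,
                "CiphertextBlob": seal(self._master, plaintext)}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        return {"Plaintext": open_sealed(self._master, CiphertextBlob)}


def envelope_encrypt(kms, key_id: str, plaintext: bytes) -> dict:
    """Get a fresh data key from KMS, encrypt locally, ship only the wrapped key."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    body = seal(dk["Plaintext"], plaintext)
    # Only the KMS-wrapped copy of the data key travels with the ciphertext.
    return {"encrypted_key": dk["CiphertextBlob"], "ciphertext": body}


def envelope_decrypt(kms, envelope: dict) -> bytes:
    """Unwrap the data key via KMS (needs kms:Decrypt on the key), then decrypt locally."""
    data_key = kms.decrypt(CiphertextBlob=envelope["encrypted_key"])["Plaintext"]
    return open_sealed(data_key, envelope["ciphertext"])


def real_kms_client():
    """boto3 picks up AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the environment,
    so on Heroku the config vars hold only IAM credentials, never key material."""
    import boto3  # not required for the offline demo below
    return boto3.client("kms")


if __name__ == "__main__":
    kms = FakeKms()  # swap for real_kms_client() when running on Heroku with IAM credentials
    env = envelope_encrypt(kms, "alias/hypothetical-app-key", b"constructed sample secret")
    print(envelope_decrypt(kms, env))
```

Two things the offline run makes visible: a ciphertext cannot be decrypted through a different KMS instance (the wrapped data key only unwraps under the master key that produced it), and any modification to the envelope fails authentication before a single byte is decrypted. The IAM permissions the answer mentions map onto the two calls used here, `kms:GenerateDataKey` and `kms:Decrypt`.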