Version 0.8.0

This release makes some major breaking changes affecting the server configuration and derived data encryption keys.

Changed

• The KES server supports only HTTP/2. Support for HTTP/1.1 and HTTP/1.0 has been removed. (b74bb38)
• The KES SDK stabilizes the API for creating a new client (326d8a4)
• The log configuration does not support log files anymore. Error and Audit logging can only be enabled or disabled (8f259c0)
• The Vault K/V prefix configuration field has been renamed from name to prefix (8f259c0)
• Some KES server CLI options have been renamed from --tls-key to --key, --tls-cert to --cert and --mtls-auth to --auth. (8f259c0)

Removed

• Support for toml configuration files. (8f259c0)
• Support for toml policy files (3cd0009)
• Direct support for encrypted secrets via an external KMS configuration (650af34)
• Support for the insecure AES key derivation based on RFC 8452 (650af34)

Version 0.7.2

Fixed

The kes binary built during a docker build now contains the correct release version info. (e6e9e9e)
The docker build process will first build the release command binary which then fetches the correct version
information from the $GOPROXY. This change only affects the build process and does not change any binary functionality.

Version 0.7.1

Added

• New release command under kes/cmd/release (08be13b). This command is just a build utility for building versioned releases in automated build systems - i.e. docker. However, this is just a build-related release that does not fix any issue nor does it change or add functionality.

Version 0.7.0

Added

• Support for encrypted secrets and AWS-KMS integration (817a824)
  Now, keys/secrets at the key store can be encrypted using an external KMS.
  Take a look the commit message of 817a824 for more details or checkout the
  documented configuration file templates.
• Support Vault as KMS for encrypted secrets (7cc2811)
• New server-API for error log tracing and client-side API for handling error log events (aa74912)

Changed

• The client-side audit log tracing API now exposes a typed stream and event API. (aa74912)
  This is a breaking change w.r.t. to the SDK API.
• The CLI command audit got replaced by log (2d5549d)
  This is a breaking change w.r.t. the CLI

Version 0.6.1

Fixed

• Usage of a broken PRF for deriving keys to encrypt generated data encryption keys in case of AES-GCM
  This fixes a potential security issue. See: 3300fb6
  From now (v0.6.1) on the KES server uses HMAC-SHA-256 has KDF which has been proven to be a PRF
  under the assumption that SHA-256 is a collision-resistant hash function.

  ---

  Before, the KES server used a key derivation function (KDF) based on RFC 8452. More precisely, the KDF described in RFC 8452 has been slightly tweaked to use 128 bit nonce / IV values instead of 96 bit values. During an internal analysis we detected that this tweaked KDF version is not a pseudo-random function PRF. This violates the assumptions of the cryptographic key derivation model KES is relying on.
  However, we are not aware of any attack vector that an adversary could use to exploit this issue within the KES
  server threat model.

Version 0.6.0

Added

• New version API endpoint that returns the server version as json (22e34fd)
• Support for TLS proxies. Now a TLS proxy (e.g. nginx) can be put in-between the kes server and client.
  See #18 for more details. (7aa62ff)

Changed

• The server error API now returns error responses as json. This is a step to expose a complete json-API. (1055a66)
• The audit log trace output now shows truncated response time values - like 1.07s instead of 1.0743840s (462c981)

Fixed

• Calling ResponseWriter.WriteHeader twice in case when subscribing to the audit log via /v1/log/audit/trace API. (4b4a0b7)
• Usage of default HTTP client when requesting the server version (3b1cfb8)
• Ignore static AWS credentials and instead rely on the AWS SDK to fetch the credentials from env. variables or EC2 metadata. See: #26 (4c173a8)

Version 0.5.0

Added

• Audit event logging (731e607) and audit log tracing (ff44277).
  This includes a new server API: /v1/log/audit/trace and CLI command: kes audit trace
• A new server API for importing secret keys (9b2f0ad): /v1/key/import/<key-name>.
  This is related to a breaking change of the server API.
• Vault namespace support: d741969

Changed

• The server create-key API: /v1/key/create now does not accept a secret key from the client anymore.
  Now, the server always generates the key itself. Clients that want to import a secret key should use the
  /v1/key/import API. See: 9b2f0ad

Fixed

• Incorrect identity assignment bug (39c4d2c). Now, the server validates that an identity in the policy section of the config file is not the Unknown Identity

Version 0.4.0

adjust env. variables to reflect project name change

This commit changes the env. variable prefix
from `KEY_` to `KES_`.

Version 0.3.0

v0.3.0

rename `keys` to `kes`

Version 0.2.0

restrict identity assignment on a per-policy basis

This commit allows policies to restrict the assignment
of identities. Now, a policy can specify that you can
only assign identities to specific policies but not to
any policies.