Key Manager
Last updated
Last updated
Copyright © OpenG2P. This work is licensed under Creative Common Attribution (CC-BY-4.0) International license unless otherwise noted.
OpenG2P recognizes the critical importance of securing sensitive databases, including registrant data and voucher generation. The inclusion of a dedicated Key Manager ensures the protection of private and public keys, enhancing overall system security.
The Key Manager in OpenG2P serves as a centralized entity responsible for the secure storage, generation, and distribution of cryptographic keys. Its primary functions include:
Safeguarding databases containing registrant data and voucher generation records.
Protecting against unauthorized access and ensuring data confidentiality.
Storing and managing private keys used for encryption and digital signatures.
Distributing public keys for secure communication and verification.
Utilize the Key Manager to generate strong cryptographic keys.
Safely store keys, potentially leveraging Hardware Security Modules (HSMs) for added protection.
Employ keys from the Key Manager to encrypt sensitive data in databases.
Ensure that only authorized entities with the appropriate keys can access and decrypt the data.
Implement secure voucher generation processes using keys managed by the Key Manager.
Protect against fraudulent activities by securing voucher generation operations.
Manage private keys securely to prevent unauthorized access.
Distribute public keys for use in secure communication channels within the OpenG2P ecosystem.
Regularly rotate cryptographic keys to mitigate the risk of compromise.
Ensure a seamless transition during key rotation to avoid disruptions.
Consider integrating with Hardware Security Modules for enhanced physical and logical key protection.
The integration process involves making calls to the KeyManager service deployed in the Kubernetes cluster of OpenG2P. Keycloak provides an access token, which is used as a header for each API request. The primary functionalities are encapsulated within the g2p_encryption
module.
Keycloak access token:
Obtained from keycloak authentication.
Serves as an authorization header for API requests
KeyManager service:
Deployed in the kubernetes cluster of openG2P.
Exposes various API endpoints for cryptographic operations.
g2p_encryption module:
Central module handling cryptographic functionalities.
Initiates API calls to the KeyManager service.Process Steps:
Obtain keycloak access token:
Authentication with keycloak to acquire an access token.
Initialize g2p_encryption module:
Set up an instance of the g2p_encryption
module within the openG2P environment.
API requests to KeyManager:
Utilize the access token as a header for API requests.
Make calls to various KeyManager API endpoints for cryptographic operations.
KeyManager api endpoints:
The KeyManager service, deployed in the kubernetes cluster, exposes endpoints for tasks like JWT signing and certificate retrieval.
Integration with odoo:
The g2p_encryption
module acts as a bridge between KeyManager and odoo.
Provides an interface for odoo to perform secure operations using the services offered by KeyManager.
Centralized cryptographic operations:
All cryptographic operations are centralized within the g2p_encryption
module, promoting modular and maintainable code.
Secure communication:
Utilizing keycloak access tokens ensures secure communication between openG2P and KeyManager.
Scalability:
Kubernetes deployment facilitates scalability and efficient management of the KeyManager service.
The system employs a key manager to handle the encryption of registry data. All registry information is stored in an encrypted form, represented as a string. To access the original data, admin must utilize the "decrypt fields" option available in the settings. The key manager is responsible for generating, storing, and managing the encryption keys required for securing and decrypting the registry information. This approach enhances security by ensuring that sensitive data remains unreadable without the appropriate decryption process.
Error handling:
Implement robust error handling mechanisms to gracefully manage exceptions during API calls.
Logging and Monitoring:
Incorporate logging and monitoring features for tracking API requests and identifying potential issues.
Refer the following links for deeper understanding of the API's structure Kernel api's and Mosip api documentation
Integrating the Key Manager into OpenG2P provides a robust foundation for securing crucial databases and managing cryptographic keys. By following best practices and leveraging the capabilities of the Key Manager, OpenG2P ensures the confidentiality, integrity, and authenticity of sensitive information.