g2p_encryption_keymanager Module#

Warning

Work in Progress: This document is actively being developed and updated. Content may be incomplete or subject to change.

This module extends the functionality of the g2p_encryption module by providing integration with a Keymanager service for encryption and signing operations. This allows OpenSPP to leverage external key management systems for enhanced security and compliance.

Purpose#

The primary purpose of this module is to:

  • Delegate encryption and signing operations to an external Keymanager service: This offloads the burden of key management from the OpenSPP application to a dedicated, potentially more secure, external service.

  • Provide a configurable interface: System administrators can configure various parameters of the Keymanager integration, such as API endpoints, authentication credentials, and application-specific identifiers.

  • Seamlessly integrate with the existing encryption framework: The module extends the existing encryption provider mechanism in OpenSPP, allowing for easy switching between different encryption providers, including the Keymanager-based provider.

Functionality#

The g2p_encryption_keymanager module provides the following features:

  • Encryption and Decryption using Keymanager: The module allows OpenSPP to encrypt and decrypt data using encryption keys managed by the Keymanager service.

  • JWT Signing and Verification with Keymanager: The module enables OpenSPP to digitally sign and verify JSON Web Tokens (JWTs) using the Keymanager service, ensuring authenticity and integrity of sensitive data.

  • Keymanager Authentication and Authorization: The module implements secure communication with the Keymanager service using OAuth 2.0 client credentials grant type for authentication and authorization.

  • Configuration Options for Keymanager Integration: The module provides a user-friendly interface within the OpenSPP settings to configure various aspects of the Keymanager integration, including API endpoints, authentication credentials, and application-specific identifiers for encryption and signing.

Integration with Other Modules#

This module directly interacts with the g2p_encryption module:

  • It inherits and extends the g2p.encryption.provider model to include Keymanager-specific configuration fields and methods.

  • It provides a new "Keymanager" option for the encryption provider type.

  • It overrides the default encryption and signing methods to utilize the Keymanager API when selected.

Benefits of Using Keymanager Integration#

  • Enhanced Security: Key management is handled by a dedicated service, potentially with stronger security measures than what might be feasible within the OpenSPP application itself.

  • Centralized Key Management: Provides a central location for managing encryption keys across different parts of the OpenSPP system or even across multiple applications.

  • Compliance and Auditing: Using a dedicated Keymanager service can simplify compliance with data security regulations and facilitate auditing of cryptographic operations.

  • Scalability and Performance: Offloading cryptographic operations to a dedicated service can potentially improve the performance and scalability of the OpenSPP application.