feat(secret-sharing): server-side encryption #2482
Open
Description 📣
This PR moves the secret sharing encryption logic to the server-side, where we'll now handle encryption/decryption with our KMS. This results in a greatly reduced URL length, as the key is no longer necessary. I opted to keep a shortened version of the hashed hex as a part of the URL. We're keeping the first 13 characters as a part of the secret sharing URL to increase entropy. This PR imposes a 50% decrease in the secret sharing URL length.
Previously created secrets remain backwards compatible with this change, meaning that if you created secrets before this new change, they will continue to work.
Examples:
Old secret sharing URL
http://localhost:8080/shared/secret/aea90f5e-439a-48d6-938b-a666ade4f796?key=e79d58893e44e656b56833bacc61e2e2c104d044c95870e07f7d59ffd8c8e163-9d4fc46ff176326c142176eafb04b1b2
New secret sharing URL
http://localhost:8080/shared/secret/649a6964-f973-43f2-a24b-4082c3f92703-6b86b273ff34f
Type ✨