How is decryption done in NGINX when SSL is offloaded to GCP Cloud KMS?

SergeyMikitko
August 23, 2022
47 views
0 votes
2 Answers

I’m investigating possibility to offload SSL to GCP Cloud KMS.
If we look at a guide https://cloud.google.com/kms/docs/reference/pkcs11-nginx we can see that asymmetric-signing key is created in KMS.

gcloud kms keys create nginx-key --keyring "KEYRING" --project "PROJECT" 
  --location "LOCATION" --purpose "asymmetric-signing" 
  --default-algorithm "ec-sign-p256-sha256" --protection-level "hsm"

Then this signing key is used in NGINX:

        ssl_certificate "/etc/ssl/nginx/ca.cert";
        ssl_certificate_key "engine:pkcs11:pkcs11:object=nginx-key";

The questing is how decryption is done in SSL flow if we use only signing key that can’t do decryption?

Thanks!

Answers

Chosen as BEST ANSWER
- SergeyMikitko
- August 23, 2022 at 4:01 pm
- 0 votes
0
As can be seen ecliptic curve signing is used. So, there is no decryption of symmetric secret during SSL handshake because Diffie–Hellman key exchange schema is used.

(Edit)

- MichaelMcIntosh
- August 23, 2022 at 1:59 pm
- 0 votes
0
A ephermeral session key is established during the SSL handshake and that key is used for the encryption of messages between the client and server. The KMS key is used durting the handshake to prove (via signing) to the client that they are connected to the correct server.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.