Skip to content

Add cached key encryptor/decryptor#157

Merged
giarc3 merged 20 commits intomainfrom
cached-key-ops
Mar 12, 2026
Merged

Add cached key encryptor/decryptor#157
giarc3 merged 20 commits intomainfrom
cached-key-ops

Conversation

@coltfred
Copy link
Member

@coltfred coltfred commented Jan 22, 2026
edited by giarc3
Loading

This is a strawman implementation of the idea of caching a DEK for reuse for a short period of time.

TODO:

  • Add the encryptor counterpart.
  • Decide if we should zero the DEK the caller sends in to the decryptor to ensure proper disposal
  • Add reporting of DEK usage on close

Note that you'll have to do a local mvn install to test the example, since it depends on the new un-released classes

@coltfred coltfred mentioned this pull request Jan 22, 2026
Open
giarc3
giarc3 reviewed Jan 22, 2026
View reviewed changes
@skeet70 skeet70 mentioned this pull request Mar 10, 2026
Open
coltfred
coltfred commented Mar 11, 2026
View reviewed changes
Copy link
Member Author

@coltfred coltfred left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple things I noticed.

I was thinking maybe we should add an example (with a readme explaining that using it during a db transaction for instance would mean no calls to the external service). Thoughts?

src/main/java/com/ironcorelabs/tenantsecurity/kms/v1/TenantSecurityClient.java Outdated
*/
public CompletableFuture<CachedDecryptor> createCachedDecryptor(String edek,
DocumentMetadata metadata) {
return newCachedKeyFromUnwrap(edek, metadata).thenApply(k -> k);
Copy link
Member Author

@coltfred coltfred Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should comment this so we understand why an identity map is needed.

src/test/java/com/ironcorelabs/tenantsecurity/kms/v1/CachedKeyOpsRoundTrip.java

// === EDEK mismatch ===

public void cachedDecryptorRejectsEdekMismatch() throws Exception {
Copy link
Member Author

@coltfred coltfred Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All these tests can use a try resources for the client as well.

Copy link
Member

@giarc3 giarc3 Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

src/main/java/com/ironcorelabs/tenantsecurity/kms/v1/CachedKeyLifecycle.java
*
* @return The total operation count
*/
int getOperationCount();
Copy link
Member Author

@coltfred coltfred Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see this as having a ton of value. What do you see as the usecase for including it?

Copy link
Member

@giarc3 giarc3 Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly for assertions in tests, but it doesn't seem bad in general

src/main/java/com/ironcorelabs/tenantsecurity/kms/v1/TenantSecurityClient.java Outdated
* @param operation Function that takes the CachedDecryptor and returns a CompletableFuture
* @return CompletableFuture resolving to the operation's result
*/
public <T> CompletableFuture<T> withCachedDecryptor(EncryptedDocument encryptedDocument,
Copy link
Member Author

@coltfred coltfred Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was trying to figure out if this overload (and the sister ones below) are worth it. This api is getting fairly large.

What do you think?

giarc3
giarc3 approved these changes Mar 12, 2026
View reviewed changes
Copy link
Member

@giarc3 giarc3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Co-approving for myself and @coltfred as this PR was tag-teamed

@giarc3 giarc3 changed the title Initial add of cached key decryptor Ddd cached key encryptor/decryptor Mar 12, 2026
@giarc3 giarc3 changed the title Ddd cached key encryptor/decryptor Add cached key encryptor/decryptor Mar 12, 2026
@giarc3 giarc3 merged commit fed1c11 into main Mar 12, 2026
7 checks passed
@giarc3 giarc3 deleted the cached-key-ops branch March 12, 2026 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@giarc3 giarc3 giarc3 approved these changes

Assignees

@coltfred coltfred

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@coltfred @giarc3