Version 0.10.0

Added

• New /v1/key/encrypt server API (5de0d19)
• Code of Conduct (6f6ae7c)
• CodeQL static analysis

Fixed

• Custom Vault K/V and AppRole authentication engine paths can be specified (9a6264c)
• Certificate validation for TLS proxies enabled by default (d583669)

Version 0.9.0

Changed

• The CLI client expects the private key now as KES_CLIENT_KEY and the certificate as
  KES_CLIENT_CERT env. variable (c3a1a11)

Version 0.8.3

Changed

• The KES client (including the CLI) now retries when a request fails due to an error that is considered temporary (75b5932)
• An identity in the yaml config can now be replaced by a env. variable. Therefore, an identity as to be a placeholder for an env. variable - e.g. ${MY_IDENTITY} (a7cc78e)

Version 0.8.2

Added

• Private key and certificate for root identity of play instance (c325864)

Changed

• Require HTTP/2 for all server APIs (6e7a319)

Version 0.8.1

Changed

• Removed the restriction of only supporting HTTP/2 (43d9d58)

Version 0.8.0

This release makes some major breaking changes affecting the server configuration and derived data encryption keys.

Changed

• The KES server supports only HTTP/2. Support for HTTP/1.1 and HTTP/1.0 has been removed. (b74bb38)
• The KES SDK stabilizes the API for creating a new client (326d8a4)
• The log configuration does not support log files anymore. Error and Audit logging can only be enabled or disabled (8f259c0)
• The Vault K/V prefix configuration field has been renamed from name to prefix (8f259c0)
• Some KES server CLI options have been renamed from --tls-key to --key, --tls-cert to --cert and --mtls-auth to --auth. (8f259c0)

Removed

• Support for toml configuration files. (8f259c0)
• Support for toml policy files (3cd0009)
• Direct support for encrypted secrets via an external KMS configuration (650af34)
• Support for the insecure AES key derivation based on RFC 8452 (650af34)

Version 0.7.2

Fixed

The kes binary built during a docker build now contains the correct release version info. (e6e9e9e)
The docker build process will first build the release command binary which then fetches the correct version
information from the $GOPROXY. This change only affects the build process and does not change any binary functionality.

Version 0.7.1

Added

• New release command under kes/cmd/release (08be13b). This command is just a build utility for building versioned releases in automated build systems - i.e. docker. However, this is just a build-related release that does not fix any issue nor does it change or add functionality.

Version 0.7.0

Added

• Support for encrypted secrets and AWS-KMS integration (817a824)
  Now, keys/secrets at the key store can be encrypted using an external KMS.
  Take a look the commit message of 817a824 for more details or checkout the
  documented configuration file templates.
• Support Vault as KMS for encrypted secrets (7cc2811)
• New server-API for error log tracing and client-side API for handling error log events (aa74912)

Changed

• The client-side audit log tracing API now exposes a typed stream and event API. (aa74912)
  This is a breaking change w.r.t. to the SDK API.
• The CLI command audit got replaced by log (2d5549d)
  This is a breaking change w.r.t. the CLI

Version 0.6.1

Fixed

• Usage of a broken PRF for deriving keys to encrypt generated data encryption keys in case of AES-GCM
  This fixes a potential security issue. See: 3300fb6
  From now (v0.6.1) on the KES server uses HMAC-SHA-256 has KDF which has been proven to be a PRF
  under the assumption that SHA-256 is a collision-resistant hash function.

  ---

  Before, the KES server used a key derivation function (KDF) based on RFC 8452. More precisely, the KDF described in RFC 8452 has been slightly tweaked to use 128 bit nonce / IV values instead of 96 bit values. During an internal analysis we detected that this tweaked KDF version is not a pseudo-random function PRF. This violates the assumptions of the cryptographic key derivation model KES is relying on.
  However, we are not aware of any attack vector that an adversary could use to exploit this issue within the KES
  server threat model.