Custom Encryption Plugin
The TSM allows the use of an external encryption plugin. This allows customers to create their own layer of encryption if the default encryption needs to be enhanced.
The plugin's encryption is applied before the TSM does its own encryption, so the plugin receives the raw plaintext; it is important that any plugin handles that plaintext with care (no logging, no copies left behind).
Getting Started
The interface that needs to be implemented and example implementations are located in the demo repository. Access to the demo repository is described here.
The interface is located in the header file plugins/storage-encrypt-plugin/interface.h
The interface has two methods, one for encrypting data and one for decrypting it again. Note that decrypt must be the inverse operation of the encrypt call. Both methods have three parameters:
- input (plaintext for encrypt, ciphertext for decrypt) - the data being processed by the method.
- identifiers - fixed for each object, such as the type of object being encrypted or decrypted and identifiers like the key id. They can be used to derive keys, so that a different key is used for each object.
- output (ciphertext for encrypt, plaintext for decrypt) - the result of processing the input.
Note that allocated data in the output will be freed once it has been transferred to the Golang data structures of the TSM.
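As an added illustration of the two-method shape described above, the sketch below is not code from the demo repository and does not use the real signatures from interface.h: the buffer, identifier and function types are assumed. It derives a per-object key from the identifiers, allocates the output for the TSM to free, and checks that decrypt is the inverse of encrypt.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed shapes, not the real interface.h: the plugin receives an input
 * buffer, the per-object identifiers, and fills an output buffer that the
 * TSM frees once it has copied the bytes into its Go structures. */
typedef struct { uint8_t *data; size_t len; } buf_t;
typedef struct { const char *object_type; const char *key_id; } ids_t;

/* Placeholder key derivation (FNV-1a over the identifiers). A real plugin
 * would use a KDF, an HSM or a KMS here; this only shows that different
 * objects yield different keys. */
static uint64_t derive_key(const ids_t *ids) {
    uint64_t h = 1469598103934665603ULL;
    const char *parts[2] = { ids->object_type, ids->key_id };
    for (int p = 0; p < 2; p++)
        for (const char *c = parts[p]; *c; c++) { h ^= (uint8_t)*c; h *= 1099511628211ULL; }
    return h;
}

/* Stand-in transform (XOR with the derived key). It is NOT encryption; like
 * the rot13 demo it only exercises allocation and the inverse property. */
static int transform(const buf_t *in, const ids_t *ids, buf_t *out) {
    uint64_t k = derive_key(ids);
    out->data = malloc(in->len ? in->len : 1);   /* owned by the caller (TSM) */
    if (!out->data) return -1;
    for (size_t i = 0; i < in->len; i++)
        out->data[i] = in->data[i] ^ (uint8_t)(k >> (8 * (i % 8)));
    out->len = in->len;
    return 0;
}

int plugin_encrypt(const buf_t *pt, const ids_t *ids, buf_t *ct) { return transform(pt, ids, ct); }
int plugin_decrypt(const buf_t *ct, const ids_t *ids, buf_t *pt) { return transform(ct, ids, pt); }

/* Returns 1 when decrypt(encrypt(x)) == x and two key ids give different
 * ciphertexts for the same input. The sample data is constructed. */
int roundtrip_ok(void) {
    uint8_t msg[] = "constructed sample share";
    buf_t in = { msg, sizeof msg - 1 }, ct1, ct2, pt;
    ids_t a = { "key-share", "key-id-1" }, b = { "key-share", "key-id-2" };
    if (plugin_encrypt(&in, &a, &ct1)) return 0;
    if (plugin_encrypt(&in, &b, &ct2)) { free(ct1.data); return 0; }
    if (plugin_decrypt(&ct1, &a, &pt)) { free(ct1.data); free(ct2.data); return 0; }
    int ok = pt.len == in.len && memcmp(pt.data, msg, in.len) == 0 &&
             memcmp(ct1.data, ct2.data, in.len) != 0;
    free(ct1.data); free(ct2.data); free(pt.data);   /* what the TSM would do */
    return ok;
}
```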
Example Plugins
Currently there are a number of plugin examples in the TSM demo project, located in the plugins/storage-encrypt-plugin folder:
- noop-write: Shows how to handle the methods if nothing is done (no operation).
- rot13: Simplified example that shows memory management when encryption or decryption is done.
- pkcs11: Shows a simple wrapper of a PKCS #11 module. The example will handle rotation of keys by saving the label of the key on encryption.
- aws-kms: Shows how to use AWS KMS to perform the encryption.