refactor(crypto): move KMSService to domain and improve key security #83
Merged
Relocate the KMSService interface to the domain layer and enhance security by ensuring sensitive key material is zeroed in memory after use.

- Move `KMSService` interface from `internal/crypto/service` to `internal/crypto/domain` to align with Clean Architecture.
- Implement proactive zeroing of plaintext key material in `KeyManagerService` and `MasterKeyChain` to minimize exposure of sensitive data in memory.
- Wrap `DekUseCase.Rewrap` logic in a database transaction to ensure atomicity during batch DEK re-encryption.
- Update DI container and CLI commands to reflect the package reorganization of `KMSService`.
- Update `DekUseCase` unit tests to verify transaction management and mock expectations.
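The zeroing of plaintext key material described above, sketched as an added Go example that is not code from this pull request: a wrapped DEK is opened, lent to a callback, and wiped on every exit path. `NewAEAD`, `WrapDEK`, `WithDEK` and `zero` are hypothetical names, and AES-GCM as the wrapping cipher is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical helpers for illustration; not the project's KeyManagerService.
// zero overwrites key material in place; copies made elsewhere are not covered.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// NewAEAD builds AES-GCM from a master key (assumed wrapping cipher).
func NewAEAD(master []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapDEK encrypts a plaintext DEK under the master key: nonce || ciphertext.
func WrapDEK(aead cipher.AEAD, dek []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, dek, nil), nil
}

// WithDEK unwraps the DEK, lends it to use, and zeroes it on every exit path.
func WithDEK(aead cipher.AEAD, wrapped []byte, use func(dek []byte) error) error {
	n := aead.NonceSize()
	if len(wrapped) < n {
		return errors.New("wrapped DEK too short")
	}
	dek, err := aead.Open(nil, wrapped[:n], wrapped[n:], nil)
	if err != nil {
		return err
	}
	defer zero(dek) // runs even when use returns an error or panics
	return use(dek)
}
```

The callback must not retain the slice it is lent: after `WithDEK` returns, that buffer holds only zero bytes.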