Boundary worker kms


I have two questions:

  1. Is it necessary to include the KMS stanza in the worker.hcl file for the production environment?
  2. Should we use different keys for multi-hop sessions between two different worker types, i.e. ingress and egress?

As far as I understand, the purpose of the KMS stanza server is to encrypt worker-auth-storage. However, the process of adopting a worker using the UI remains the same whether the KMS stanza is enabled or disabled. So, what exactly does the KMS stanza provide?

Hi aasim,

The KMS stanza is only needed for KMS worker authorization. Workers can be authorized using the controller-led or worker-led approach instead of KMS: Worker configuration | Boundary | HashiCorp Developer

It’s up to you to decide whether or not to use different keys for multi-hop sessions; this is optional. More details on this are in this section (see the paragraph about using the downstream-worker-auth kms purpose): Worker configuration | Boundary | HashiCorp Developer

Hi @irena.rindos

I have read the mentioned documentation. I was confused because there were two purposes mentioned for the KMS stanza:

one as “worker-auth”
[Worker configuration | Boundary | HashiCorp Developer]

and the other as “worker-auth-storage”, mentioned here
[Configure workers | Boundary | HashiCorp Developer]

When using controller-led or worker-led authorization, we can use the KMS stanza to encrypt the authentication keys
[Data encryption | Boundary | HashiCorp Developer]

Hi aasim,

‘worker-auth-storage’ is used to encrypt the worker keys at rest (at the location that ‘auth_storage_path’ points to).

‘worker-auth’ is used for authenticating communication between the worker and controller.
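To make the difference between the two purposes concrete, here are two worker configuration fragments. This is an added example written for this thread, not configuration from the original posts or from HashiCorp's documentation; worker names, addresses, paths and every value marked PLACEHOLDER are assumptions, and the "aead" KMS type is used only because it is self-contained (a cloud KMS such as "awskms" with the same `purpose` values is the usual production choice).

```hcl
# --- Config A: worker-led / controller-led (PKI) worker ---------------------
# No "worker-auth" stanza is needed: the worker is authorized through the
# activation token. The "worker-auth-storage" stanza only protects the key
# material the worker writes to auth_storage_path at rest.

listener "tcp" {
  purpose = "proxy"
  address = "0.0.0.0:9202"
}

worker {
  public_addr       = "10.0.2.10"                  # PLACEHOLDER
  auth_storage_path = "/var/lib/boundary/worker"   # PLACEHOLDER path protected by the stanza below
  initial_upstreams = ["10.0.1.10:9202"]           # PLACEHOLDER upstream (ingress worker or controller)
}

kms "aead" {
  purpose   = "worker-auth-storage"
  aead_type = "aes-gcm"
  key       = "PLACEHOLDER_BASE64_32_BYTE_KEY"     # e.g. generated with: openssl rand -base64 32
  key_id    = "worker-auth-storage"
}

# --- Config B: KMS-authorized egress worker behind an ingress worker --------
# Here "worker-auth" is the credential itself: it authenticates the worker to
# its upstream. For multi-hop, the key in this stanza must match the
# "downstream-worker-auth" stanza on the ingress worker (shown in Config C).

worker {
  name              = "egress-worker-1"            # PLACEHOLDER; a name is required for KMS workers
  public_addr       = "10.0.3.10"                  # PLACEHOLDER
  initial_upstreams = ["10.0.1.10:9202"]           # PLACEHOLDER ingress worker proxy address
}

kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "PLACEHOLDER_DOWNSTREAM_HOP_KEY"     # same value as the ingress worker's downstream-worker-auth key
  key_id    = "worker-auth"
}

# --- Config C: stanzas on the ingress worker for the same multi-hop chain ---
# "worker-auth" authenticates the ingress worker to the controller;
# "downstream-worker-auth" lets it accept the egress worker. Using a separate
# key per hop (as here) is the optional split discussed earlier in the thread.

kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "PLACEHOLDER_CONTROLLER_HOP_KEY"     # must match the controller's worker-auth key
  key_id    = "worker-auth"
}

kms "aead" {
  purpose   = "downstream-worker-auth"
  aead_type = "aes-gcm"
  key       = "PLACEHOLDER_DOWNSTREAM_HOP_KEY"     # shared only with egress workers (Config B)
  key_id    = "downstream-worker-auth"
}
```

The three fragments belong in three separate worker.hcl files; they are shown together only so the purpose names can be compared side by side. The practical consequence for the question above: with controller-led or worker-led adoption, leaving out the "worker-auth-storage" stanza does not change the UI flow, it just means the keys under auth_storage_path are stored unencrypted, so in production the stanza is worth keeping and its key is worth rotating like any other at-rest key.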