Skip to content

coordinator: seal with 32 byte key#850

Merged
daniel-weisse merged 4 commits intomasterfrom
dw/seal-256
Sep 26, 2025
Merged

coordinator: seal with 32 byte key#850
daniel-weisse merged 4 commits intomasterfrom
dw/seal-256

Conversation

@daniel-weisse
Copy link
Copy Markdown
Member

@daniel-weisse daniel-weisse commented Sep 18, 2025

Proposed changes

  • Seal encryption key using SealWithProductKey256
    • Unsealing happens using Unseal256 or Unseal if unsealing with the 32 byte key fails as a fallback
  • Seal data using a 32 byte key
    • A 32 byte sealing key is only generated for new MarbleRun deployments. Deployments upgrading from a previous MarbleRun version will continue using a 16 byte key for data sealing

Additional info

  • AB#6112

@daniel-weisse daniel-weisse added the changelog This PR should be part of the changelog, but isn't a feature, bug-fix, or breaking-change label Sep 18, 2025
@netlify
Copy link
Copy Markdown

netlify bot commented Sep 18, 2025
edited
Loading

Deploy Preview for marblerun-docs ready!

Name Link
🔨 Latest commit eca6c59
🔍 Latest deploy log https://app.netlify.com/projects/marblerun-docs/deploys/68d6a13bd66e5c00087ab173
😎 Deploy Preview https://deploy-preview-850--marblerun-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@daniel-weisse daniel-weisse force-pushed the dw/seal-256 branch 2 times, most recently from d696433 to 3fa65f1 Compare September 22, 2025 07:21
thomasten
thomasten requested changes Sep 24, 2025
View reviewed changes
@daniel-weisse
coordinator: seal with 32 byte key
288e644 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
util: fix linting
4114a05 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
cli: dont try to decrypt 32 byte keys
a5d7375 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse
docs: mention 32 byte DEK and AES256 sealing
eca6c59 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
@daniel-weisse daniel-weisse merged commit 95013f6 into master Sep 26, 2025
12 checks passed
@daniel-weisse daniel-weisse deleted the dw/seal-256 branch September 26, 2025 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thomasten thomasten thomasten approved these changes

Assignees

No one assigned

Labels

changelog This PR should be part of the changelog, but isn't a feature, bug-fix, or breaking-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@daniel-weisse @thomasten