wwlian commented on issue #3805: [AIRFLOW-2062] Add per-connection KMS encryption.
URL: https://github.com/apache/incubator-airflow/pull/3805#issuecomment-419570620

@bolkedebruin @gerardo @Fokko I understand the concerns that this change might be coupled too tightly to Google Cloud KMS. However, I want to second @jakahn's assurance that this design is agnostic to the key management service being used. The only opinionated design included here is that encryption will be performed using the envelope encryption pattern, which is a widely-recognized pattern by [AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping), [Google Cloud KMS](https://cloud.google.com/kms/docs/envelope-encryption), and [Azure Key Vault](https://docs.microsoft.com/en-us/azure/storage/common/storage-client-side-encryption#encryption-and-decryption-via-the-envelope-technique).

To add to what @jakahn said re: embedding kms_conn_id and kms_extras in the existing _extra column, doing so would create a chicken and egg problem, as their values are needed to decrypt the _extras column.
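The envelope pattern and the column-layout argument in the comment above, shown as an added example that is not code from the PR or from Airflow. It assumes a stand-in KMS object (`StandInKMS`), a row type (`ConnectionRow`) with plaintext `kms_conn_id` and `kms_extras` columns beside the encrypted blob, and a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 in counter mode plus an HMAC tag) in place of the AES-GCM a real deployment would use through the KMS provider's client library. All key names and secret values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only keystream (stand-in for AES-GCM)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC with derived subkeys. Output layout: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or associated data was tampered with")
    return bytes(c ^ k for c, k in zip(ct, _stream(enc_key, nonce, len(ct))))


class StandInKMS:
    """Simulated key management service: key-encryption keys (KEKs) never leave it.
    Callers can only ask it to wrap or unwrap small key material by key name."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}

    def create_key(self, key_name: str) -> None:
        self._keks[key_name] = secrets.token_bytes(32)

    def encrypt(self, key_name: str, data: bytes) -> bytes:
        return aead_encrypt(self._keks[key_name], data, aad=key_name.encode())

    def decrypt(self, key_name: str, blob: bytes) -> bytes:
        return aead_decrypt(self._keks[key_name], blob, aad=key_name.encode())


@dataclass
class ConnectionRow:
    conn_id: str
    kms_conn_id: str        # plaintext column: which KMS connection to call
    kms_extras: str         # plaintext column: JSON naming the KEK to unwrap with
    extra_encrypted: bytes  # length-prefixed wrapped DEK followed by the ciphertext


def encrypt_extra(kms_registry: dict, conn_id: str, kms_conn_id: str,
                  kms_extras: dict, extra: dict) -> ConnectionRow:
    """Envelope-encrypt `extra`: a fresh data-encryption key (DEK) per row,
    wrapped by the KMS-held KEK, stored next to the ciphertext it protects."""
    kms = kms_registry[kms_conn_id]
    dek = secrets.token_bytes(32)
    wrapped_dek = kms.encrypt(kms_extras["key_name"], dek)
    ciphertext = aead_encrypt(dek, json.dumps(extra).encode(), aad=conn_id.encode())
    blob = len(wrapped_dek).to_bytes(2, "big") + wrapped_dek + ciphertext
    return ConnectionRow(conn_id, kms_conn_id, json.dumps(kms_extras), blob)


def decrypt_extra(kms_registry: dict, row: ConnectionRow) -> dict:
    """Only the plaintext columns tell us which KMS and KEK to use; that is
    why kms_conn_id and kms_extras cannot live inside the encrypted column."""
    kms = kms_registry[row.kms_conn_id]
    key_name = json.loads(row.kms_extras)["key_name"]
    n = int.from_bytes(row.extra_encrypted[:2], "big")
    wrapped_dek = row.extra_encrypted[2:2 + n]
    ciphertext = row.extra_encrypted[2 + n:]
    dek = kms.decrypt(key_name, wrapped_dek)  # KMS call; KEK itself is never returned
    return json.loads(aead_decrypt(dek, ciphertext, aad=row.conn_id.encode()))


KEY_NAME = "projects/example/keyRings/airflow/cryptoKeys/connections"  # constructed


def demo() -> dict:
    """Round trip one connection row through the stand-in KMS."""
    kms = StandInKMS()
    kms.create_key(KEY_NAME)
    registry = {"kms_default": kms}
    extra = {"token": "constructed-secret-token"}
    row = encrypt_extra(registry, "my_http_conn", "kms_default", {"key_name": KEY_NAME}, extra)
    return decrypt_extra(registry, row)


if __name__ == "__main__":
    print(demo())
```

The wrapped DEK travels with the row, so rotating the KEK in the KMS only requires re-wrapping the small DEK blobs rather than re-encrypting every `extra` payload, and swapping the KMS provider means swapping the object behind `kms_conn_id`, not the storage layout.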
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
With regards, Apache Git Services
