Re: [PR] Feature: Key Management Service (KMS) [cloudstack]

via GitHub Thu, 02 Apr 2026 00:48:48 -0700


sureshanaparti commented on code in PR #12711:
URL: https://github.com/apache/cloudstack/pull/12711#discussion_r3026468437



##########
engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql:
##########
@@ -114,3 +114,168 @@ CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Resource 
Admin', 'deleteUserKey
 
 -- Add conserve mode for VPC offerings
 CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vpc_offerings','conserve_mode', 
'tinyint(1) unsigned NULL DEFAULT 0 COMMENT ''True if the VPC offering is IP 
conserve mode enabled, allowing public IP services to be used across multiple 
VPC tiers'' ');
+
+-- KMS HSM Profiles (Generic table for PKCS#11, KMIP, etc.)
+-- Scoped to account (user-provided) or global/zone (admin-provided)
+CREATE TABLE IF NOT EXISTS `cloud`.`kms_hsm_profiles` (
+    `id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
+    `uuid` VARCHAR(40) NOT NULL,
+    `name` VARCHAR(255) NOT NULL,
+    `protocol` VARCHAR(32) NOT NULL COMMENT 'PKCS11, KMIP, AWS_KMS, etc.',
+
+    -- Scoping
+    `account_id` BIGINT UNSIGNED COMMENT 'null = admin-provided (available to 
all accounts)',
+    `domain_id` BIGINT UNSIGNED COMMENT 'null = zone/global scope',
+    `zone_id` BIGINT UNSIGNED COMMENT 'null = global scope',
+
+    -- Metadata
+    `vendor_name` VARCHAR(64) COMMENT 'HSM vendor (Thales, AWS, SoftHSM, 
etc.)',
+    `enabled` BOOLEAN NOT NULL DEFAULT TRUE,
+    `system` BOOLEAN NOT NULL DEFAULT FALSE COMMENT 'System profile (globally 
available, root admin only)',
+    `created` DATETIME NOT NULL,
+    `removed` DATETIME,
+
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `uk_uuid` (`uuid`),
+    UNIQUE KEY `uk_account_name` (`account_id`, `name`, `removed`),
+    INDEX `idx_protocol_enabled` (`protocol`, `enabled`, `removed`),
+    INDEX `idx_scoping` (`account_id`, `domain_id`, `zone_id`, `removed`),
+    CONSTRAINT `fk_kms_hsm_profiles__account_id` FOREIGN KEY (`account_id`) 
REFERENCES `account`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_kms_hsm_profiles__domain_id` FOREIGN KEY (`domain_id`) 
REFERENCES `domain`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_kms_hsm_profiles__zone_id` FOREIGN KEY (`zone_id`) 
REFERENCES `data_center`(`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='HSM profiles for KMS 
providers';
+
+-- KMS HSM Profile Details (Protocol-specific configuration)
+CREATE TABLE IF NOT EXISTS `cloud`.`kms_hsm_profile_details` (
+    `id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
+    `profile_id` BIGINT UNSIGNED NOT NULL COMMENT 'HSM profile ID',
+    `name` VARCHAR(255) NOT NULL COMMENT 'Config key (e.g. library_path, 
endpoint, pin, cert_content)',
+    `value` TEXT NOT NULL COMMENT 'Config value (encrypted if sensitive)',
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `uk_profile_name` (`profile_id`, `name`),
+    CONSTRAINT `fk_kms_hsm_profile_details__profile_id` FOREIGN KEY 
(`profile_id`) REFERENCES `kms_hsm_profiles`(`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='Details for HSM profiles 
(key-value configuration)';
+
+-- KMS Keys (Key Encryption Key Metadata)
+-- Account-scoped KEKs for envelope encryption
+CREATE TABLE IF NOT EXISTS `cloud`.`kms_keys` (
+    `id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT COMMENT 'Unique ID',
+    `uuid` VARCHAR(40) NOT NULL COMMENT 'UUID - user-facing identifier',
+    `name` VARCHAR(255) NOT NULL COMMENT 'User-friendly name',
+    `description` VARCHAR(1024) COMMENT 'User description',
+    `kek_label` VARCHAR(255) NOT NULL COMMENT 'Provider-specific KEK label/ID',
+    `purpose` VARCHAR(32) NOT NULL COMMENT 'Key purpose (VOLUME_ENCRYPTION, 
TLS_CERT)',
+    `account_id` BIGINT UNSIGNED NOT NULL COMMENT 'Owning account',
+    `domain_id` BIGINT UNSIGNED NOT NULL COMMENT 'Owning domain',
+    `zone_id` BIGINT UNSIGNED NOT NULL COMMENT 'Zone where key is valid',
+    `algorithm` VARCHAR(64) NOT NULL DEFAULT 'AES/GCM/NoPadding' COMMENT 
'Encryption algorithm',
+    `key_bits` INT NOT NULL DEFAULT 256 COMMENT 'Key size in bits',
+    `enabled` TINYINT(1) NOT NULL DEFAULT 1 COMMENT 'Whether the key is 
enabled for new cryptographic operations',
+    `hsm_profile_id` BIGINT UNSIGNED NOT NULL COMMENT 'Current HSM profile ID 
for this key',
+    `created` DATETIME NOT NULL COMMENT 'Creation timestamp',
+    `removed` DATETIME COMMENT 'Removal timestamp for soft delete',
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `uk_uuid` (`uuid`),
+    INDEX `idx_account_purpose` (`account_id`, `purpose`, `enabled`),
+    INDEX `idx_domain_purpose` (`domain_id`, `purpose`, `enabled`),
+    INDEX `idx_zone_enabled` (`zone_id`, `enabled`),
+    CONSTRAINT `fk_kms_keys__account_id` FOREIGN KEY (`account_id`) REFERENCES 
`account`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_kms_keys__domain_id` FOREIGN KEY (`domain_id`) REFERENCES 
`domain`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_kms_keys__zone_id` FOREIGN KEY (`zone_id`) REFERENCES 
`data_center`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_kms_keys__hsm_profile_id` FOREIGN KEY (`hsm_profile_id`) 
REFERENCES `kms_hsm_profiles`(`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='KMS Key (KEK) metadata - 
account-scoped keys for envelope encryption';
+
+-- KMS KEK Versions (multiple KEKs per KMS key for gradual rotation)
+-- Supports multiple KEK versions per logical KMS key during rotation
+CREATE TABLE IF NOT EXISTS `cloud`.`kms_kek_versions` (
+    `id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT COMMENT 'Unique ID',
+    `uuid` VARCHAR(40) NOT NULL COMMENT 'UUID',
+    `kms_key_id` BIGINT UNSIGNED NOT NULL COMMENT 'Reference to kms_keys 
table',
+    `version_number` INT NOT NULL COMMENT 'Version number (1, 2, 3, ...)',
+    `kek_label` VARCHAR(255) NOT NULL COMMENT 'Provider-specific KEK label/ID 
for this version',
+    `status` VARCHAR(32) NOT NULL DEFAULT 'Active' COMMENT 'Active, Previous, 
Archived',
+    `hsm_profile_id` BIGINT UNSIGNED COMMENT 'HSM profile where this KEK 
version is stored',
+    `created` DATETIME NOT NULL COMMENT 'Creation timestamp',
+    `removed` DATETIME COMMENT 'Removal timestamp for soft delete',
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `uk_uuid` (`uuid`),
+    UNIQUE KEY `uk_kms_key_version` (`kms_key_id`, `version_number`, 
`removed`),
+    INDEX `idx_kms_key_status` (`kms_key_id`, `status`, `removed`),
+    INDEX `idx_kek_label` (`kek_label`),
+    CONSTRAINT `fk_kms_kek_versions__kms_key_id` FOREIGN KEY (`kms_key_id`) 
REFERENCES `kms_keys`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_kms_kek_versions__hsm_profile_id` FOREIGN KEY 
(`hsm_profile_id`) REFERENCES `kms_hsm_profiles`(`id`)

Review Comment:
   ```suggestion
       CONSTRAINT `fk_kms_kek_versions__hsm_profile_id` FOREIGN KEY 
(`hsm_profile_id`) REFERENCES `kms_hsm_profiles`(`id`) ON DELETE CASCADE
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Feature: Key Management Service (KMS) [cloudstack]

Reply via email to