@bolkedebruin @gerardo @Fokko I understand the concerns that this change might be coupled too tightly to Google Cloud KMS. However, I want to second @jakahn's assurance that this design is agnostic to the key management service being used.
The only opinionated design included here is that encryption will be performed using the envelope encryption pattern, which is a widely-recognized pattern by [AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping), [Google Cloud KMS](https://cloud.google.com/kms/docs/envelope-encryption), and [Azure Key Vault](https://docs.microsoft.com/en-us/azure/storage/common/storage-client-side-encryption#encryption-and-decryption-via-the-envelope-technique).

To add to what @jakahn said re: embedding `kms_conn_id` and `kms_extras` in the existing `_extra` column, doing so would create a chicken-and-egg problem, as their values are needed to decrypt the `_extras` column.

[Full content available at: https://github.com/apache/incubator-airflow/pull/3805]

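Added example (not code from this PR or from Airflow) of the envelope layout the comment argues for: each row gets a fresh data key (DEK) that encrypts `extra`, the DEK is wrapped by a key-encryption key (KEK) that never leaves the KMS, and the key reference (`kms_conn_id`, `kms_extras` with the wrapped DEK) stays in plaintext columns, since decryption cannot start without them. The KMS, the `KMS_CONNECTIONS` registry and the HMAC-based cipher are stand-ins (assumptions) so the example runs on the standard library; a real deployment would use an AEAD such as AES-GCM and the provider's wrap/unwrap API.

```python
import base64, hashlib, hmac, json, os
# Toy authenticated cipher (HMAC-SHA256 keystream + MAC): a stand-in for a real AEAD
# such as AES-GCM so the example runs on the standard library alone.
def _keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or wrapped DEK was altered")
    return _keystream_xor(key, nonce, ct)

class FakeKms:
    """Stand-in for a KMS: KEKs never leave it; it only wraps and unwraps DEKs."""
    def __init__(self, key_names):
        self._keks = {name: os.urandom(32) for name in key_names}
    def wrap(self, name, dek):
        return seal(self._keks[name], dek)
    def unwrap(self, name, wrapped):
        return unseal(self._keks[name], wrapped)

# Constructed registry standing in for Airflow's KMS connections, keyed by kms_conn_id.
KMS_CONNECTIONS = {"kms_default": FakeKms(["airflow-connections"])}

def encrypt_extra(kms_conn_id, key_name, extra):
    """Ciphertext goes in 'extra'; key reference and wrapped DEK stay in plaintext columns."""
    dek = os.urandom(32)  # fresh data encryption key for this row
    wrapped = KMS_CONNECTIONS[kms_conn_id].wrap(key_name, dek)
    return {
        "kms_conn_id": kms_conn_id,
        "kms_extras": {"key_name": key_name, "wrapped_dek": base64.b64encode(wrapped).decode()},
        "extra": base64.b64encode(seal(dek, json.dumps(extra).encode())).decode(),
    }

def decrypt_extra(row):
    meta = row["kms_extras"]  # readable without any key: this is what breaks the chicken-and-egg
    wrapped = base64.b64decode(meta["wrapped_dek"])
    dek = KMS_CONNECTIONS[row["kms_conn_id"]].unwrap(meta["key_name"], wrapped)
    return json.loads(unseal(dek, base64.b64decode(row["extra"])))
```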