Azure Byok might not re-wrap already wrapped in-base keys #685

@HatemMn

Description

In this file: https://github.com/Cosmian/kms/blob/9c11fc416581eb96ce8433dae5260b54ea394450/crate/cli/src/actions/kms/azure/byok/export_byok.rs

Line 73:

        // Export the key wrapped with the KEK
        // export the object
        let export_params = ExportObjectParams {
            unwrap: true,
            wrapping_key_id: Some(&self.kek_id),
            allow_revoked: false,
            // rest of code
        };

However, it is stated here: https://github.com/Cosmian/kms/blob/3445d47eca72d39d23491d24841c7dea770489bd/crate/kms_client/src/export_utils.rs that:

#[derive(Default)]
pub struct ExportObjectParams<'a> {
    ///  Unwrap the object if it is wrapped
    pub unwrap: bool,
    ///  The wrapping key id to wrap the key, may be the PKCS#12 password. `wrapping_key_id` is ignored if `unwrap` is true
    pub wrapping_key_id: Option<&'a str>,
    /// `allow_revoked` - Allow the export of a revoked object
    pub allow_revoked: bool,
    /// `key_format_type` - The key format for export
    pub key_format_type: Option<KeyFormatType>,
    /// `encode_to_ttlv` - if wrapping, Encode the Key Material to JSON TTLV before wrapping
    pub encode_to_ttlv: bool,
    /// `cryptographic_parameters` - The cryptographic parameters for wrapping
    pub wrapping_cryptographic_parameters: Option<CryptographicParameters>,
    /// `authenticated_encryption_additional_data` - Wrapping using GCM mode, additional data used for encryption
    pub authenticated_encryption_additional_data: Option<String>,
}

So basically, if someone tries to "byok" some key that has already been wrapped inside the KMS.

If he does, our KMS will (to my understanding) export the key as-is, without using the cloud provider's (in this case Azure's) KEK.

And this will make deciphering fail on the other KMS.

Solutions:

IMO the easiest would be to set unwrap to false; this will eliminate any possible error.

Another solution would be unwrapping any previously wrapped keys before this export. This isn't hard but can be done manually by users, and I see no motive to actually do it during the BYOK operation unless asked for.

To go faster, this can be linked to #681
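The following is an added example, not code from the Cosmian KMS repository or from the issue author. It models the precedence rule quoted from the `ExportObjectParams` doc comments (`wrapping_key_id` is ignored when `unwrap` is true) with a reduced two-field struct, and adds a pre-flight guard that a BYOK exporter could run so that the only accepted outcome is "wrapped with the provider KEK". The struct name `ExportParams`, the `ExportOutcome` enum, `model_export`, `check_byok_export`, the KEK id `azure-kek` and the assumption that the KMS does not re-wrap an already wrapped object are all hypothetical; the real KMS behaviour for that last case is exactly what this issue asks about.

```rust
// Added example (not Cosmian KMS code). Models the documented precedence of
// the export parameters and adds a guard for BYOK exports. Names hypothetical.

/// Reduced stand-in for the real ExportObjectParams: only the two fields
/// relevant to this issue.
#[derive(Debug, Clone)]
pub struct ExportParams<'a> {
    pub unwrap: bool,
    pub wrapping_key_id: Option<&'a str>,
}

/// Shape of the exported key material after the documented rules apply.
#[derive(Debug, PartialEq, Eq)]
pub enum ExportOutcome {
    /// Exported without the provider KEK (plaintext or as stored): not usable
    /// for BYOK, the receiving side cannot decipher it with the KEK.
    WithoutKek,
    /// Wrapped with the named key (the provider KEK in the BYOK case).
    WrappedWith(String),
    /// Assumption: an object already wrapped inside the KMS is not re-wrapped.
    AlreadyWrapped,
}

/// Model of the doc-comment semantics:
/// - `unwrap: true` unwraps a wrapped object and IGNORES `wrapping_key_id`.
/// - `unwrap: false` with a `wrapping_key_id` wraps an unwrapped object.
/// `object_is_wrapped` says whether the object is stored wrapped in the KMS.
pub fn model_export(params: &ExportParams, object_is_wrapped: bool) -> ExportOutcome {
    if params.unwrap {
        // wrapping_key_id is ignored on this path, so the KEK is never applied
        return ExportOutcome::WithoutKek;
    }
    match (object_is_wrapped, params.wrapping_key_id) {
        (true, _) => ExportOutcome::AlreadyWrapped, // assumption, see enum doc
        (false, Some(kek)) => ExportOutcome::WrappedWith(kek.to_string()),
        (false, None) => ExportOutcome::WithoutKek,
    }
}

/// Pre-flight guard for a BYOK export: accept only parameter combinations and
/// object states that yield material wrapped with the provider KEK.
pub fn check_byok_export(
    params: &ExportParams,
    object_is_wrapped: bool,
    kek_id: &str,
) -> Result<(), String> {
    if params.unwrap {
        return Err("unwrap=true makes wrapping_key_id ignored: key would leave without the KEK".into());
    }
    if params.wrapping_key_id != Some(kek_id) {
        return Err(format!("wrapping_key_id must be the provider KEK {kek_id}"));
    }
    match model_export(params, object_is_wrapped) {
        ExportOutcome::WrappedWith(id) if id == kek_id => Ok(()),
        ExportOutcome::AlreadyWrapped => Err(
            "object is already wrapped in the KMS: unwrap it first, then export wrapped with the KEK".into(),
        ),
        other => Err(format!("unexpected outcome {other:?}")),
    }
}

fn main() {
    let kek = "azure-kek"; // constructed sample id
    // Parameters as in the BYOK action quoted above, applied to a wrapped object
    let as_in_issue = ExportParams { unwrap: true, wrapping_key_id: Some(kek) };
    println!("{:?}", model_export(&as_in_issue, true));
    println!("{:?}", check_byok_export(&as_in_issue, true, kek));
    // Proposed change: unwrap=false, applied to an unwrapped object
    let fixed = ExportParams { unwrap: false, wrapping_key_id: Some(kek) };
    println!("{:?}", check_byok_export(&fixed, false, kek));
}
```

The guard rejects the combination used in the issue regardless of object state, and with `unwrap: false` still rejects an already wrapped object, which corresponds to the second solution above (unwrap first, then export wrapped with the KEK).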
