Validate the integrity of session recordings
This feature requires HCP Boundary or Boundary Enterprise
BSR directories are validated based on the contents in the directory. Boundary cryptographically verifies each individual Boundary Session Recording (BSR) file. The keys used for verifying all Boundary Session Recording files are written to storage and wrapped by the KMS you configured. Each session recording has its own individual key. Boundary generates the following keys when a session recording is authorized:
The BSR key is a plaintext AES-GCM key. It is not uploaded to the external object store.
The private and public key pair is a ed25519 key pair. The key pair is not uploaded to the external object store.
The following files are stored in the BSR file structure to ensure the integrity of a session recording:
bsrKey.pub
is the public ed25519 key.wrappedBsrKey
is the BSR key wrapped by the external KMS AES-GCM key that you configure.wrappedPrivKey
is the private ed25519 key wrapped by the external KMS AES-GCM key that you configure.pubKeySelfSignature.sign
is a self-signature of the plaintext public ed25519 key created with its private key.pubKeyBsrSignature.sign
is a signature of the plaintext public ed25519 key created with the BSR key.SHA256SUM.sig
is a signature of the plaintextSHA256SUM
file created with the private key.
Encrypting the BSR key with an external KMS means that Boundary is not responsible for the longevity of the keys.
The Boundary admin can always use that external KMS to unwrap the wrappedBsrKey
and wrappedPrivKey
.
A BSR’s key is encrypted using the go-kms-wrapping
package, and therefore the encrypted BlobInfo includes the metadata required to identify the key-version used during encryption.
So if the wrapper is reinitialized properly, you can unwrap the keys even if the key has been rotated.
Each BSR directory contains a SHA256SUM and SHA256SUM.sig file that you can use to cryptographically verify the BSR directory's contents. The SHA256SUM file contains rows of file names paired with a checksum for the file contents. The SHA256SUM.sig is a copy of the SHA256SUM file, signed with the BSR's private key. Refer to the following example of a SHA256SUM file:
Follow these steps to validate a session recording:
- Unwrap
wrappedBsrKey
using the external KMS you configured to retrieve the BSR key. - Unwrap
wrappedPrivKey
using the external KMS you configured to retrieve the private key. - Use the BSR key or the private key to verify the
bsrKey.pub
key usinggo-kms-wrapping
HmacSha256(...). - When the key is verified, use the
bsrKey.pub
key to verify the BSR SHA256SUM file usinggo-kms-wrapping
ed25519.Sign(...).