Use Key Provider to provide encryption key

[Dsolnik]

Would it be possible to give the key provider the option to specify the encryption key and protocols instead of just the KEK?

[stefanberger]

I am not quite sure what you mean. Is the 'encryption key' you mention the 'KEK' and now you want to choose whether to use gpg versus pkcs7/cms versus pkcs11 with that encryption key?

[lumjjb]

you should be able to make the payload anything you want and program the keyprovider to unwrap that structure and do what you want with it.

[Dsolnik]

@lumjjb, this is correct, we can do whatever we want with the annotation.

The key used to encrypt the layers is picked randomly (if none is specified on the command line) before being passed in to the ocicrypt key provider.

Ideally, I would want to have a provider for the key in addition to a provider for the KEK.

Does that make sense?

[Dsolnik]

A better name for the current key provider would be KEK provider, I'm asking for something to provide the encryption key.