Validate the integrity of session recordings
This feature requires HCP Boundary or Boundary Enterprise
BSR directories are validated based on the contents in the directory. Boundary cryptographically verifies each individual Boundary Session Recording (BSR) file. The keys used for verifying all Boundary Session Recording files are written to storage and wrapped by the KMS you configured. Each session recording has its own individual key. Boundary generates the following keys when a session recording is authorized:
The BSR key is a plaintext AES-GCM key. It is not uploaded to the external object store.
The private and public key pair is a ed25519 key pair. The key pair is not uploaded to the external object store.
The following files are stored in the BSR file structure to ensure the integrity of a session recording:
bsrKey.pubis the public ed25519 key.
wrappedBsrKeyis the BSR key wrapped by the external KMS AES-GCM key that you configure.
wrappedPrivKeyis the private ed25519 key wrapped by the external KMS AES-GCM key that you configure.
pubKeySelfSignature.signis a self-signature of the plaintext public ed25519 key created with its private key.
pubKeyBsrSignature.signis a signature of the plaintext public ed25519 key created with the BSR key.
SHA256SUM.sigis a signature of the plaintext
SHA256SUMfile created with the private key.
Encrypting the BSR key with an external KMS means that Boundary is not responsible for the longevity of the keys.
The Boundary admin can always use that external KMS to unwrap the
A BSR’s key is encrypted using the
go-kms-wrapping package, and therefore the encrypted BlobInfo includes the metadata required to identify the key-version used during encryption.
So if the wrapper is reinitialized properly, you can unwrap the keys even if the key has been rotated.
Each BSR directory contains a SHA256SUM and SHA256SUM.sig file that you can use to cryptographically verify the BSR directory's contents. The SHA256SUM file contains rows of file names paired with a checksum for the file contents. The SHA256SUM.sig is a copy of the SHA256SUM file, signed with the BSR's private key. Refer to the following example of a SHA256SUM file:
Follow these steps to validate a session recording:
wrappedBsrKeyusing the external KMS you configured to retrieve the BSR key.
wrappedPrivKeyusing the external KMS you configured to retrieve the private key.
- Use the BSR key or the private key to verify the
- When the key is verified, use the
bsrKey.pubkey to verify the BSR SHA256SUM file using