Enabling a quorum approval policy for a group in SDKMS prevents any single user (or administrator) from accessing or using a highly sensitive key on their own.
Enabling quorum approval policy on groups
A group administrator may enable a quorum approval policy on a group, which mandates that every security-sensitive operation in that group requires quorum approval. Such operations include using a key for cryptographic operations and deleting or updating the group. The security-sensitive operations are:
- Key deletion
- Key metadata update
- Key export (only when key is marked exportable)
- Encryption and decryption
- Signature generation
- MAC generation
- Wrap key
- Unwrap key
- Derive key
- AgreeKey (ECDH)
- Plugin create and update
- Get app credential (API Key/Password)
- Updating group level metadata
- Update/Delete quorum policy
Modifying the quorum approval policy itself also requires quorum approval.
- The quorum approval policy may be defined simply as the minimum number of approvals required among the total number of group administrators or applications for the group.
- A policy may also include specific identity of users or applications who form the quorum, and not just the size of the quorum.
- An advanced policy may be a combination of quorum rules, all of which must be satisfied. For example, a quorum could be defined as "one out of users A and B", "three out of users C, D, E, F and G", and "two out of apps H, I, J and K".
- A quorum policy may also require additional authentication at approval time:
  - Two-factor authentication for approval: when enabled, the approver is prompted for an additional authentication method, such as a YubiKey or another U2F-supported device, during approval.
  - Password re-entry for approval: when enabled, the approver is prompted to re-enter their password during quorum approval.
Workflow for quorum approval
Whenever a sensitive operation is performed in a group enabled for quorum approval, a workflow for quorum approval is triggered.
- Notifications are sent to all users who can grant approval. This is done by email, and by generating a task in each approver's account, which they see on the dashboard as soon as they log in to their SDKMS account.
- The users can then grant approvals from the UI. The sensitive operation is blocked until the quorum is met.
- Once the quorum is met, the operation is performed, and the event is logged including the names of users who approved the request.
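The following is an added illustration (not SDKMS's own code or API schema) of the two ideas described on this page: evaluating a combined quorum policy such as "one of A and B, three of C..G, two of apps H..K", and the approval workflow in which a request stays blocked until the quorum is met, approvals may require re-authentication, and the operation is then performed and logged together with the approvers' names. The policy shape (a tuple of rules, each "quorum out of members") and the request state names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class QuorumRule:
    """One rule: at least `quorum` distinct approvals out of `members`."""
    quorum: int
    members: FrozenSet[str]  # identities of users or apps who may approve

    def __post_init__(self) -> None:
        # A rule that can never be met (or needs zero approvals) is a misconfiguration.
        if not 1 <= self.quorum <= len(self.members):
            raise ValueError("quorum must be between 1 and the number of members")

    def satisfied_by(self, approvers: Set[str]) -> bool:
        return len(self.members & approvers) >= self.quorum


@dataclass(frozen=True)
class QuorumPolicy:
    """Assumed policy shape: a combination of rules that must ALL be satisfied."""
    rules: Tuple[QuorumRule, ...]
    require_reauth: bool = False  # 2FA or password re-entry at approval time

    def eligible_approvers(self) -> FrozenSet[str]:
        return frozenset().union(*(r.members for r in self.rules))

    def is_met(self, approvers: Set[str]) -> bool:
        return all(r.satisfied_by(approvers) for r in self.rules)


@dataclass
class ApprovalRequest:
    """Workflow state for one sensitive operation awaiting quorum."""
    operation: str
    requester: str
    policy: QuorumPolicy
    approvals: Set[str] = field(default_factory=set)
    status: str = "PENDING"  # assumed states: PENDING -> APPROVED -> EXECUTED
    audit_log: List[str] = field(default_factory=list)

    def approvers_to_notify(self) -> List[str]:
        # Who gets the email / dashboard task when the request is created.
        return sorted(self.policy.eligible_approvers())

    def approve(self, principal: str, reauthenticated: bool = False) -> str:
        if self.status != "PENDING":
            raise RuntimeError(f"request is {self.status}; no further approvals accepted")
        if principal not in self.policy.eligible_approvers():
            raise PermissionError(f"{principal} is not an eligible approver")
        if self.policy.require_reauth and not reauthenticated:
            raise PermissionError("approval requires re-authentication (2FA or password)")
        self.approvals.add(principal)
        self.audit_log.append(f"APPROVAL op={self.operation} by={principal}")
        if self.policy.is_met(self.approvals):
            self.status = "APPROVED"
            names = ",".join(sorted(self.approvals))
            self.audit_log.append(f"QUORUM_MET op={self.operation} approvers={names}")
        return self.status

    def execute(self, operation: Callable[[], object]) -> object:
        # The sensitive operation stays blocked until the quorum has been met.
        if self.status != "APPROVED":
            raise PermissionError(f"operation blocked: request is {self.status}")
        result = operation()
        self.status = "EXECUTED"
        self.audit_log.append(f"EXECUTED op={self.operation} requester={self.requester}")
        return result


def example_policy() -> QuorumPolicy:
    # The combined policy from the text: 1 of {A,B}, 3 of {C..G}, 2 of apps {H..K}.
    return QuorumPolicy(rules=(
        QuorumRule(1, frozenset({"A", "B"})),
        QuorumRule(3, frozenset({"C", "D", "E", "F", "G"})),
        QuorumRule(2, frozenset({"H", "I", "J", "K"})),
    ), require_reauth=True)


def run_example() -> ApprovalRequest:
    # Constructed walkthrough: a signing request collects approvals one by one.
    req = ApprovalRequest("sign", "app-X", example_policy())
    for principal in ("A", "C", "D", "H", "I"):
        req.approve(principal, reauthenticated=True)
    # Only two of C..G so far, so the request is still PENDING and execute() would fail.
    req.approve("E", reauthenticated=True)  # third of C..G -> quorum met
    req.execute(lambda: "signature-bytes")
    return req
```

Each rule is checked independently against the same set of approvals, so an approver who appears in two rules counts toward both, and a request with no eligible approvers left cannot be unblocked by anyone outside the policy.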