expose KMS as plugin

2025-12-08 07:10:56 +03:00 · 2021-07-16 18:22:42 +02:00
parent 776dffcf12
commit 6d313f6d8f
16 changed files with 1136 additions and 84 deletions
--- a/sdk/plugin/kms/grpc.go
+++ b/sdk/plugin/kms/grpc.go
@@ -0,0 +1,84 @@
+package kms
+
+import (
+	"context"
+	"time"
+
+	"github.com/drakkan/sftpgo/v2/sdk/plugin/kms/proto"
+)
+
+const (
+	rpcTimeout = 20 * time.Second
+)
+
+// GRPCClient is an implementation of KMS interface that talks over RPC.
+type GRPCClient struct {
+	client proto.KMSClient
+}
+
+// Encrypt implements the KMSService interface
+func (c *GRPCClient) Encrypt(payload, additionalData, URL, masterKey string) (string, string, int32, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), rpcTimeout)
+	defer cancel()
+
+	resp, err := c.client.Encrypt(ctx, &proto.EncryptRequest{
+		Payload:        payload,
+		AdditionalData: additionalData,
+		Url:            URL,
+		MasterKey:      masterKey,
+	})
+	if err != nil {
+		return "", "", 0, err
+	}
+	return resp.Payload, resp.Key, resp.Mode, nil
+}
+
+// Decrypt implements the KMSService interface
+func (c *GRPCClient) Decrypt(payload, key, additionalData string, mode int, URL, masterKey string) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), rpcTimeout)
+	defer cancel()
+
+	resp, err := c.client.Decrypt(ctx, &proto.DecryptRequest{
+		Payload:        payload,
+		Key:            key,
+		AdditionalData: additionalData,
+		Mode:           int32(mode),
+		Url:            URL,
+		MasterKey:      masterKey,
+	})
+	if err != nil {
+		return "", err
+	}
+	return resp.Payload, nil
+}
+
+// GRPCServer defines the gRPC server that GRPCClient talks to.
+type GRPCServer struct {
+	Impl Service
+}
+
+// Encrypt implements the serve side encrypt method
+func (s *GRPCServer) Encrypt(ctx context.Context, req *proto.EncryptRequest) (*proto.EncryptResponse, error) {
+	payload, key, mode, err := s.Impl.Encrypt(req.Payload, req.AdditionalData, req.Url, req.MasterKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.EncryptResponse{
+		Payload: payload,
+		Key:     key,
+		Mode:    mode,
+	}, nil
+}
+
+// Decrypt implements the serve side decrypt method
+func (s *GRPCServer) Decrypt(ctx context.Context, req *proto.DecryptRequest) (*proto.DecryptResponse, error) {
+	payload, err := s.Impl.Decrypt(req.Payload, req.Key, req.AdditionalData, int(req.Mode), req.Url, req.MasterKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.DecryptResponse{
+		Payload: payload,
+	}, nil
+}
--- a/sdk/plugin/kms/kms.go
+++ b/sdk/plugin/kms/kms.go
@@ -0,0 +1,56 @@
+// Package kms defines the implementation for kms plugins.
+// KMS plugins allow to encrypt/decrypt sensitive data.
+package kms
+
+import (
+	"context"
+
+	"github.com/hashicorp/go-plugin"
+	"google.golang.org/grpc"
+
+	"github.com/drakkan/sftpgo/v2/sdk/plugin/kms/proto"
+)
+
+const (
+	// PluginName defines the name for a kms plugin
+	PluginName = "kms"
+)
+
+// Handshake is a common handshake that is shared by plugin and host.
+var Handshake = plugin.HandshakeConfig{
+	ProtocolVersion:  1,
+	MagicCookieKey:   "SFTPGO_KMS_PLUGIN",
+	MagicCookieValue: "223e3571-7ed2-4b96-b4b3-c7eb87d7ca1d",
+}
+
+// PluginMap is the map of plugins we can dispense.
+var PluginMap = map[string]plugin.Plugin{
+	PluginName: &Plugin{},
+}
+
+// Service defines the interface for kms plugins
+type Service interface {
+	Encrypt(payload, additionalData, URL, masterKey string) (string, string, int32, error)
+	Decrypt(payload, key, additionalData string, mode int, URL, masterKey string) (string, error)
+}
+
+// Plugin defines the implementation to serve/connect to a notifier plugin
+type Plugin struct {
+	plugin.Plugin
+	Impl Service
+}
+
+// GRPCServer defines the GRPC server implementation for this plugin
+func (p *Plugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server) error {
+	proto.RegisterKMSServer(s, &GRPCServer{
+		Impl: p.Impl,
+	})
+	return nil
+}
+
+// GRPCClient defines the GRPC client implementation for this plugin
+func (p *Plugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
+	return &GRPCClient{
+		client: proto.NewKMSClient(c),
+	}, nil
+}
--- a/sdk/plugin/kms/proto/kms.pb.go
+++ b/sdk/plugin/kms/proto/kms.pb.go
@@ -0,0 +1,559 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.26.0
+// 	protoc        v3.17.3
+// source: kms/proto/kms.proto
+
+package proto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type EncryptRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Payload        string `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
+	AdditionalData string `protobuf:"bytes,2,opt,name=additional_data,json=additionalData,proto3" json:"additional_data,omitempty"`
+	Url            string `protobuf:"bytes,3,opt,name=url,proto3" json:"url,omitempty"`
+	MasterKey      string `protobuf:"bytes,4,opt,name=master_key,json=masterKey,proto3" json:"master_key,omitempty"`
+}
+
+func (x *EncryptRequest) Reset() {
+	*x = EncryptRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_kms_proto_kms_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EncryptRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EncryptRequest) ProtoMessage() {}
+
+func (x *EncryptRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_kms_proto_kms_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EncryptRequest.ProtoReflect.Descriptor instead.
+func (*EncryptRequest) Descriptor() ([]byte, []int) {
+	return file_kms_proto_kms_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *EncryptRequest) GetPayload() string {
+	if x != nil {
+		return x.Payload
+	}
+	return ""
+}
+
+func (x *EncryptRequest) GetAdditionalData() string {
+	if x != nil {
+		return x.AdditionalData
+	}
+	return ""
+}
+
+func (x *EncryptRequest) GetUrl() string {
+	if x != nil {
+		return x.Url
+	}
+	return ""
+}
+
+func (x *EncryptRequest) GetMasterKey() string {
+	if x != nil {
+		return x.MasterKey
+	}
+	return ""
+}
+
+type EncryptResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Payload string `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
+	Key     string `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
+	Mode    int32  `protobuf:"varint,3,opt,name=mode,proto3" json:"mode,omitempty"`
+}
+
+func (x *EncryptResponse) Reset() {
+	*x = EncryptResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_kms_proto_kms_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EncryptResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EncryptResponse) ProtoMessage() {}
+
+func (x *EncryptResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_kms_proto_kms_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EncryptResponse.ProtoReflect.Descriptor instead.
+func (*EncryptResponse) Descriptor() ([]byte, []int) {
+	return file_kms_proto_kms_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *EncryptResponse) GetPayload() string {
+	if x != nil {
+		return x.Payload
+	}
+	return ""
+}
+
+func (x *EncryptResponse) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+func (x *EncryptResponse) GetMode() int32 {
+	if x != nil {
+		return x.Mode
+	}
+	return 0
+}
+
+type DecryptRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Payload        string `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
+	Key            string `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
+	AdditionalData string `protobuf:"bytes,3,opt,name=additional_data,json=additionalData,proto3" json:"additional_data,omitempty"`
+	Mode           int32  `protobuf:"varint,4,opt,name=mode,proto3" json:"mode,omitempty"`
+	Url            string `protobuf:"bytes,5,opt,name=url,proto3" json:"url,omitempty"`
+	MasterKey      string `protobuf:"bytes,6,opt,name=master_key,json=masterKey,proto3" json:"master_key,omitempty"`
+}
+
+func (x *DecryptRequest) Reset() {
+	*x = DecryptRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_kms_proto_kms_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DecryptRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DecryptRequest) ProtoMessage() {}
+
+func (x *DecryptRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_kms_proto_kms_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DecryptRequest.ProtoReflect.Descriptor instead.
+func (*DecryptRequest) Descriptor() ([]byte, []int) {
+	return file_kms_proto_kms_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *DecryptRequest) GetPayload() string {
+	if x != nil {
+		return x.Payload
+	}
+	return ""
+}
+
+func (x *DecryptRequest) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+func (x *DecryptRequest) GetAdditionalData() string {
+	if x != nil {
+		return x.AdditionalData
+	}
+	return ""
+}
+
+func (x *DecryptRequest) GetMode() int32 {
+	if x != nil {
+		return x.Mode
+	}
+	return 0
+}
+
+func (x *DecryptRequest) GetUrl() string {
+	if x != nil {
+		return x.Url
+	}
+	return ""
+}
+
+func (x *DecryptRequest) GetMasterKey() string {
+	if x != nil {
+		return x.MasterKey
+	}
+	return ""
+}
+
+type DecryptResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Payload string `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
+}
+
+func (x *DecryptResponse) Reset() {
+	*x = DecryptResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_kms_proto_kms_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DecryptResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DecryptResponse) ProtoMessage() {}
+
+func (x *DecryptResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_kms_proto_kms_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DecryptResponse.ProtoReflect.Descriptor instead.
+func (*DecryptResponse) Descriptor() ([]byte, []int) {
+	return file_kms_proto_kms_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *DecryptResponse) GetPayload() string {
+	if x != nil {
+		return x.Payload
+	}
+	return ""
+}
+
+var File_kms_proto_kms_proto protoreflect.FileDescriptor
+
+var file_kms_proto_kms_proto_rawDesc = []byte{
+	0x0a, 0x13, 0x6b, 0x6d, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6b, 0x6d, 0x73, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x84, 0x01, 0x0a,
+	0x0e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x18, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x12, 0x27, 0x0a, 0x0f, 0x61, 0x64, 0x64,
+	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0e, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x44, 0x61,
+	0x74, 0x61, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x03, 0x75, 0x72, 0x6c, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6b,
+	0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72,
+	0x4b, 0x65, 0x79, 0x22, 0x51, 0x0a, 0x0f, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61,
+	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
+	0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b,
+	0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05,
+	0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x22, 0xaa, 0x01, 0x0a, 0x0e, 0x44, 0x65, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x61, 0x79,
+	0x6c, 0x6f, 0x61, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x61, 0x79, 0x6c,
+	0x6f, 0x61, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x27, 0x0a, 0x0f, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f,
+	0x6e, 0x61, 0x6c, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e,
+	0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x44, 0x61, 0x74, 0x61, 0x12, 0x12,
+	0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x6d, 0x6f,
+	0x64, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x03, 0x75, 0x72, 0x6c, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6b,
+	0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72,
+	0x4b, 0x65, 0x79, 0x22, 0x2b, 0x0a, 0x0f, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61,
+	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
+	0x32, 0x79, 0x0a, 0x03, 0x4b, 0x4d, 0x53, 0x12, 0x38, 0x0a, 0x07, 0x45, 0x6e, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x12, 0x15, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x12, 0x38, 0x0a, 0x07, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x12, 0x15, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x44, 0x65, 0x63, 0x72,
+	0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x16, 0x5a, 0x14, 0x73,
+	0x64, 0x6b, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f, 0x6b, 0x6d, 0x73, 0x2f, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_kms_proto_kms_proto_rawDescOnce sync.Once
+	file_kms_proto_kms_proto_rawDescData = file_kms_proto_kms_proto_rawDesc
+)
+
+func file_kms_proto_kms_proto_rawDescGZIP() []byte {
+	file_kms_proto_kms_proto_rawDescOnce.Do(func() {
+		file_kms_proto_kms_proto_rawDescData = protoimpl.X.CompressGZIP(file_kms_proto_kms_proto_rawDescData)
+	})
+	return file_kms_proto_kms_proto_rawDescData
+}
+
+var file_kms_proto_kms_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
+var file_kms_proto_kms_proto_goTypes = []interface{}{
+	(*EncryptRequest)(nil),  // 0: proto.EncryptRequest
+	(*EncryptResponse)(nil), // 1: proto.EncryptResponse
+	(*DecryptRequest)(nil),  // 2: proto.DecryptRequest
+	(*DecryptResponse)(nil), // 3: proto.DecryptResponse
+}
+var file_kms_proto_kms_proto_depIdxs = []int32{
+	0, // 0: proto.KMS.Encrypt:input_type -> proto.EncryptRequest
+	2, // 1: proto.KMS.Decrypt:input_type -> proto.DecryptRequest
+	1, // 2: proto.KMS.Encrypt:output_type -> proto.EncryptResponse
+	3, // 3: proto.KMS.Decrypt:output_type -> proto.DecryptResponse
+	2, // [2:4] is the sub-list for method output_type
+	0, // [0:2] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_kms_proto_kms_proto_init() }
+func file_kms_proto_kms_proto_init() {
+	if File_kms_proto_kms_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_kms_proto_kms_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EncryptRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_kms_proto_kms_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EncryptResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_kms_proto_kms_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DecryptRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_kms_proto_kms_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DecryptResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_kms_proto_kms_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   4,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_kms_proto_kms_proto_goTypes,
+		DependencyIndexes: file_kms_proto_kms_proto_depIdxs,
+		MessageInfos:      file_kms_proto_kms_proto_msgTypes,
+	}.Build()
+	File_kms_proto_kms_proto = out.File
+	file_kms_proto_kms_proto_rawDesc = nil
+	file_kms_proto_kms_proto_goTypes = nil
+	file_kms_proto_kms_proto_depIdxs = nil
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConnInterface
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion6
+
+// KMSClient is the client API for KMS service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type KMSClient interface {
+	Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error)
+	Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error)
+}
+
+type kMSClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewKMSClient(cc grpc.ClientConnInterface) KMSClient {
+	return &kMSClient{cc}
+}
+
+func (c *kMSClient) Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) {
+	out := new(EncryptResponse)
+	err := c.cc.Invoke(ctx, "/proto.KMS/Encrypt", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *kMSClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) {
+	out := new(DecryptResponse)
+	err := c.cc.Invoke(ctx, "/proto.KMS/Decrypt", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// KMSServer is the server API for KMS service.
+type KMSServer interface {
+	Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error)
+	Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error)
+}
+
+// UnimplementedKMSServer can be embedded to have forward compatible implementations.
+type UnimplementedKMSServer struct {
+}
+
+func (*UnimplementedKMSServer) Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Encrypt not implemented")
+}
+func (*UnimplementedKMSServer) Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Decrypt not implemented")
+}
+
+func RegisterKMSServer(s *grpc.Server, srv KMSServer) {
+	s.RegisterService(&_KMS_serviceDesc, srv)
+}
+
+func _KMS_Encrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(EncryptRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(KMSServer).Encrypt(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/proto.KMS/Encrypt",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(KMSServer).Encrypt(ctx, req.(*EncryptRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _KMS_Decrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DecryptRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(KMSServer).Decrypt(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/proto.KMS/Decrypt",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(KMSServer).Decrypt(ctx, req.(*DecryptRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _KMS_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "proto.KMS",
+	HandlerType: (*KMSServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Encrypt",
+			Handler:    _KMS_Encrypt_Handler,
+		},
+		{
+			MethodName: "Decrypt",
+			Handler:    _KMS_Decrypt_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "kms/proto/kms.proto",
+}
--- a/sdk/plugin/kms/proto/kms.proto
+++ b/sdk/plugin/kms/proto/kms.proto
@@ -0,0 +1,35 @@
+syntax = "proto3";
+package proto;
+
+option go_package = "sdk/plugin/kms/proto";
+
+message EncryptRequest {
+    string payload = 1;
+    string additional_data = 2;
+    string url = 3;
+    string master_key = 4;
+}
+
+message EncryptResponse {
+    string payload = 1;
+    string key = 2;
+    int32 mode = 3;
+}
+
+message DecryptRequest {
+    string payload = 1;
+    string key = 2;
+    string additional_data = 3;
+    int32 mode = 4;
+    string url = 5;
+    string master_key = 6;
+}
+
+message DecryptResponse {
+    string payload = 1;
+}
+
+service KMS {
+    rpc Encrypt(EncryptRequest) returns (EncryptResponse);
+    rpc Decrypt(DecryptRequest) returns (DecryptResponse);
+}