I'm investigating the possibility of offloading SSL to GCP Cloud KMS. If we look at the guide https://cloud.google.com/kms/docs/reference/pkcs11-nginx we can see that an asymmetric-signing key is created in KMS.
gcloud kms keys create nginx-key --keyring "KEYRING" --project "PROJECT" \
--location "LOCATION" --purpose "asymmetric-signing" \
--default-algorithm "ec-sign-p256-sha256" --protection-level "hsm"
Then this signing key is used in NGINX:
ssl_certificate "/etc/ssl/nginx/ca.cert";
ssl_certificate_key "engine:pkcs11:pkcs11:object=nginx-key";
The question is how decryption is done in the SSL flow if we use only a signing key that can't do decryption?
Thanks!
As can be seen, elliptic curve signing is used. So there is no decryption of a symmetric secret during the SSL handshake, because a Diffie–Hellman key exchange scheme is used.
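An added example to illustrate the answer above (it is not code from the question, the answer or Google's guide): it runs real TLS 1.2 and TLS 1.3 handshakes with Go's crypto/tls where the server's certificate key is a type that implements only crypto.Signer. That type stands in for the KMS "asymmetric-signing" key behind the PKCS#11 engine; it has no Decrypt method at all, so if the handshake needed the private key to decrypt anything the handshake would fail. Both versions complete, the key is asked to sign exactly once (the ServerKeyExchange in TLS 1.2, the CertificateVerify in TLS 1.3), and the session secret comes from ECDHE. Assumptions: a locally generated P-256 key replaces the Cloud KMS key, the certificate is self-signed for "localhost", and loopback TCP is available.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// signOnlyKey models the KMS-backed signing key (assumption: a local ECDSA key
// replaces Cloud KMS). It implements crypto.Signer and deliberately nothing
// else: there is no Decrypt method, so crypto/tls could not use it for an
// RSA-style key exchange that decrypts a client-chosen secret.
type signOnlyKey struct {
	priv  *ecdsa.PrivateKey
	signs int32 // number of Sign calls, updated atomically
}

func (k *signOnlyKey) Public() crypto.PublicKey { return &k.priv.PublicKey }

func (k *signOnlyKey) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt32(&k.signs, 1)
	return ecdsa.SignASN1(r, k.priv, digest)
}

// selfSignedCert builds a throwaway self-signed certificate for "localhost"
// (constructed test data; signing the certificate does not touch the counter).
func selfSignedCert(priv *ecdsa.PrivateKey) ([]byte, *x509.CertPool, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return der, pool, nil
}

// Result records what one handshake negotiated and how often the server key signed.
type Result struct {
	Version, CipherSuite uint16
	Signs                int32
}

// Handshake runs one TLS handshake pinned to the given version over loopback
// TCP, with the server holding only a signing key, and reports the outcome.
func Handshake(version uint16) (Result, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	der, pool, err := selfSignedCert(priv)
	if err != nil {
		return Result{}, err
	}
	key := &signOnlyKey{priv: priv}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   version, MaxVersion: version,
	}
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer conn.Close()
		errc <- tls.Server(conn, serverCfg).Handshake()
	}()
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: version, MaxVersion: version}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial completes the client side of the handshake
	if err != nil {
		return Result{}, err
	}
	defer conn.Close()
	if err := <-errc; err != nil {
		return Result{}, err
	}
	st := conn.ConnectionState()
	return Result{Version: st.Version, CipherSuite: st.CipherSuite, Signs: atomic.LoadInt32(&key.signs)}, nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		r, err := Handshake(v)
		if err != nil {
			fmt.Println("handshake failed:", err)
			continue
		}
		fmt.Printf("TLS 0x%04x, %s, Sign calls: %d, Decrypt calls: none possible\n",
			r.Version, tls.CipherSuiteName(r.CipherSuite), r.Signs)
	}
}
```

Running it shows TLS 1.2 picking an ECDHE_ECDSA suite and TLS 1.3 (where every key exchange is (EC)DHE) both succeeding with a single signature per handshake. Swapping the certificate for an RSA one and forcing a TLS 1.2 RSA key-exchange suite is the case this key type cannot serve, which is exactly why the NGINX guide only needs a signing key in KMS.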