GS2-Key

Encryption key management feature

GS2-Key is a service that manages encryption keys (symmetric keys) used within GS2, and provides AES-based encryption and decryption APIs.

In addition to use cases such as server-side encryption and decryption of sensitive data, it is also used as the key management foundation for various signing and encryption processes used internally by GS2 itself.

Encryption key management

In GS2-Key, encryption keys are created and managed under a namespace.

A key holds the following information.

  • Key name (the identifier used to select the key in encryption and decryption requests)
  • Description (a free-text note for operational identification, such as the key's purpose)

The actual secret (the key material used for encryption) is generated by GS2 when the key is created and stored only within GS2. By design the secret cannot be retrieved to the client side; instead, encryption and decryption requests are sent to GS2-Key and only the result (ciphertext or plaintext) is returned.

graph TD
  App["Application"] -->|Encrypt(plaintext)| Key["GS2-Key"]
  Key -->|Ciphertext| App
  App -->|Store on server<br/>or send| Storage["Datastore"]
  Storage -->|Ciphertext| App2["Application"]
  App2 -->|Decrypt(ciphertext)| Key
  Key -->|Plaintext| App2

Use cases

Internal use within GS2

Microservices that handle sensitive data internally, such as GS2-Account’s password signing or GS2-Auth’s token issuance, use keys managed by GS2-Key. You specify a key when creating each microservice’s namespace, and that key is then used for the encryption or signing that the namespace requires.

Encrypting application-specific data

When your application needs to protect sensitive data of its own, you can also call the GS2-Key Encrypt / Decrypt APIs directly to perform encryption and decryption. This gives you server-side encryption without embedding a secret key in the application.

This is useful in cases where you want to safely manage highly confidential configuration values or authentication information for external services on the GS2 side.

Transaction Actions

GS2-Key does not provide transaction actions.

Master Data Management

GS2-Key does not have master data registration. Keys are created and managed via the management console, GS2-Deploy, or API.

Example Implementation

GS2-Key is a microservice centered on management / server-side APIs. No dedicated Domain class is provided in the game engine SDKs (Unity / Unreal Engine).

Key creation and Encrypt / Decrypt calls are typically made indirectly, by GS2 internal microservices that reference a key, or from server-side logic in GS2-Script. When calling the API directly, use one of the following means.

  • Management console (key creation and management)
  • Template management via GS2-Deploy (managing keys as code)
  • Calling from GS2-Script (using Encrypt / Decrypt within server-side logic)
  • Calling from the backend server using general-purpose SDKs for various languages (C# / Go / Python / TypeScript / PHP / Java)
  • GS2 CLI

For details on each SDK, see the corresponding reference page.

More practical information

Key rotation

When your security policy requires periodic rotation of encryption keys, create a new key and switch subsequent encryption to it. Do not delete the old key immediately: ciphertexts produced under it can only be decrypted with it, so keep it until every existing ciphertext has been re-encrypted under the new key. Record which key each ciphertext was encrypted with, so that decryption and the migration can select the right key.
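The following is an added example (not GS2’s own code or SDK) covering both the “encrypting application-specific data” use case above and the rotation procedure in this section. It assumes a local stand-in class, `KeyService`, that mimics the interface shape the page describes (create a key by name, encrypt and decrypt by key name, secret never leaves the service); the stand-in uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag so it runs offline on the standard library, whereas GS2-Key itself uses AES. The envelope format `{key_name, ciphertext}`, the key names and the helper functions are this example’s own choices.

```python
"""Added example: server-side secret storage through a KMS-style Encrypt/Decrypt
interface, plus key rotation that keeps the old key until migration completes.
`KeyService` is a stand-in for GS2-Key (assumption), not GS2's implementation."""
import base64
import hashlib
import hmac
import os


class KeyService:
    """Stand-in for GS2-Key: holds the secrets and never returns them."""

    def __init__(self):
        self._secrets = {}  # key_name -> 32-byte secret, private to the service

    def create_key(self, key_name, description=""):
        if key_name in self._secrets:
            raise ValueError(f"key {key_name!r} already exists")
        self._secrets[key_name] = os.urandom(32)
        return {"name": key_name, "description": description}  # no secret in the response

    def delete_key(self, key_name):
        del self._secrets[key_name]

    @staticmethod
    def _subkey(secret, label):
        # Separate keys for the keystream and the MAC (domain separation).
        return hmac.new(secret, label, hashlib.sha256).digest()

    def _keystream(self, enc_key, nonce, n):
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def encrypt(self, key_name, plaintext):
        secret = self._secrets[key_name]
        enc_key, mac_key = self._subkey(secret, b"enc"), self._subkey(secret, b"mac")
        nonce = os.urandom(16)
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
        return base64.b64encode(nonce + body + tag).decode()

    def decrypt(self, key_name, ciphertext):
        secret = self._secrets[key_name]
        enc_key, mac_key = self._subkey(secret, b"enc"), self._subkey(secret, b"mac")
        raw = base64.b64decode(ciphertext)
        nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext rejected: wrong key or tampered data")
        return bytes(c ^ k for c, k in zip(body, self._keystream(enc_key, nonce, len(body))))


# Application side: every stored value carries the name of the key that encrypted it.
def store_secret(ks, key_name, name, value, vault):
    vault[name] = {"key_name": key_name, "ciphertext": ks.encrypt(key_name, value.encode())}


def load_secret(ks, vault, name):
    rec = vault[name]
    return ks.decrypt(rec["key_name"], rec["ciphertext"]).decode()


def rotate(ks, vault, old_key, new_key):
    """Re-encrypt every record still under old_key; returns the number migrated."""
    moved = 0
    for name, rec in vault.items():
        if rec["key_name"] != old_key:
            continue
        plaintext = ks.decrypt(old_key, rec["ciphertext"])
        vault[name] = {"key_name": new_key, "ciphertext": ks.encrypt(new_key, plaintext)}
        moved += 1
    return moved


def retire_key(ks, vault, key_name):
    """Refuse to delete a key while any envelope still references it."""
    still_used = [n for n, r in vault.items() if r["key_name"] == key_name]
    if still_used:
        raise RuntimeError(f"cannot delete {key_name}: still used by {still_used}")
    ks.delete_key(key_name)


def demo():
    """Constructed sample data: two Q1 secrets, a Q2 secret, then a full rotation."""
    ks, vault = KeyService(), {}
    ks.create_key("app-2024q1", "application secrets, Q1 2024")
    store_secret(ks, "app-2024q1", "payment_api_token", "tok_live_example", vault)
    store_secret(ks, "app-2024q1", "smtp_password", "hunter2", vault)
    ks.create_key("app-2024q2", "application secrets, Q2 2024")  # new writes go here
    store_secret(ks, "app-2024q2", "push_cert_password", "cert-pass", vault)
    moved = rotate(ks, vault, "app-2024q1", "app-2024q2")  # migrate old ciphertexts
    retire_key(ks, vault, "app-2024q1")  # safe only after migration
    keys_in_use = sorted({r["key_name"] for r in vault.values()})
    return moved, load_secret(ks, vault, "payment_api_token"), keys_in_use


if __name__ == "__main__":
    print(demo())
```

The `retire_key` guard is the point of the rotation caveat: deleting a key is irreversible for every ciphertext still bound to it, so the application must be able to enumerate which records reference which key before the key is removed on the GS2 side.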

Managing GitHub API keys

In addition to encryption keys, GS2-Key can store API keys used when fetching master data from GitHub. GS2-Deploy and various microservices that fetch master data can access private repositories by referencing the API key registered here.

Detailed Reference