DB encryption key loaded incorrectly in DB migration #3908

Closed
xandroc opened this issue Jul 30, 2024 · 0 comments · Fixed by #3928

xandroc commented Jul 30, 2024

Thanks for submitting an issue to cloud_controller_ng. We are always trying to improve! To help us, please fill out the following template.

Issue

db.rake and dbmigrator use the old method of loading the db encryption key.

VCAP::CloudController::Encryptor.db_encryption_key = RakeConfig.config.get(:db_encryption_key)

Context

To ensure full db encryption key setup, the db key load should happen like it does in, @config.configure_components should be called on db connection.

      Encryptor.db_encryption_key = get(:db_encryption_key)

      if get(:database_encryption)
        Encryptor.database_encryption_keys = get(:database_encryption)[:keys]
        Encryptor.current_encryption_key_label = get(:database_encryption)[:current_key_label]
        Encryptor.pbkdf2_hmac_iterations = get(:database_encryption)[:pbkdf2_hmac_iterations]
      end

@Samze discovered this here, verified by @tcdowney, details in link

Steps to Reproduce

Expected result

Update db.rake and dbmigrator to use correct db encryption setup

Current result

Deprecated way of loading key is used

Possible Fix

A helper method def load_db_encryption_key was included in config as part of the PR where this issue was found that can be used to set up db encryption.

Samze added a commit that referenced this issue Aug 9, 2024
Currently we only load from the old deprecated method of encryption keys. This
fixes this to use all encryption key methods specified in
https://github.com/cloudfoundry/capi-release/blob/develop/jobs/cloud_controller_ng/spec#L773-L782.

fixes #3908
@Samze Samze closed this as completed in 244ff5a Sep 13, 2024