Do not generate an ephemeral encryption key in production. #81511
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azasypkin
added
release_note:fix
Team:Security
This was referenced Dec 31, 2020
azasypkin
force-pushed
the
issue-xxx-optional-eso
branch
from
1867d85 to
48c4da0
Compare
azasypkin
force-pushed
the
issue-xxx-optional-eso
branch
2 times, most recently
from
045755d to
6fb6495
Compare
azasypkin
changed the title
azasypkin
force-pushed
the
issue-xxx-optional-eso
branch
from
6fb6495 to
28a6846
Compare
azasypkin
commented
Feb 9, 2021
| @@ -4,14 +4,13 @@ | |||
| "server": true, | |||
| "ui": true, | |||
| "configPath": ["xpack", "fleet"], | |||
| "requiredPlugins": ["licensing", "data"], | |||
| "requiredPlugins": ["licensing", "data", "encryptedSavedObjects"], | |||
There was a problem hiding this comment.
note: for 7.12 we decided to not disable plugin automatically and since you still depend SO migrations it makes sense to keep this as a required dependency for now. Let me know if you have any concerns.
There was a problem hiding this comment.
Make sense 👍 and we will fix our SO migration
|
Pinging @elastic/kibana-security (Team:Security) |
botelastic
bot
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
YulNaumenko
approved these changes
Feb 9, 2021
chrisronline
approved these changes
Feb 9, 2021
legrego
approved these changes
Feb 9, 2021
| @@ -26,8 +25,8 @@ export interface PluginsSetup { | |||
| } | |||
|
|
|||
| export interface EncryptedSavedObjectsPluginSetup { | |||
| canEncrypt: boolean; | |||
There was a problem hiding this comment.
optional It's probably a good idea to start documenting our public interface
Suggested change
| canEncrypt: boolean; | |
| /** Indicates if Saved Object encryption is possible. Requires an encryption key to be explicitly set via `xpack.encryptedSavedObjects.encryptionKey`. */ | |
| canEncrypt: boolean; |
There was a problem hiding this comment.
Definitely agree, thanks!
| @@ -32,6 +29,17 @@ describe('config schema', () => { | |||
| } | |||
| `); | |||
|
|
|||
| expect(ConfigSchema.validate({ encryptionKey: 'z'.repeat(32) }, { dist: true })) | |||
There was a problem hiding this comment.
I know that this is probably "testing the library", but would you mind adding a test to ensure that encryptionKey cannot be null when dist: true? Plugin code checks that the key isn't undefined, but if schema.maybe() ever allowed null, then we would incorrectly assume that an encryption key was set.
There was a problem hiding this comment.
Good idea, will add, thanks
FrankHassanabad
approved these changes
Feb 9, 2021
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
|
7.x/7.12.0: fc4beaf |
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Feb 10, 2021
* master: (99 commits) [Fleet] Use Fleet Server indices in the search bar (elastic#90835) [Search Sessions] added an info flyout to session management (elastic#90559) [ILM] Revisit searchable snapshot field after new redesign (elastic#90793) [Alerting] License Errors on Alert List View (elastic#89920) RFC Improve saved object migrations algorithm (elastic#84333) [Lens] (Accessibility) Fix focus on drag and drop actions (elastic#90561) Use new shortcut links to Fleet discuss forums. (elastic#90786) Do not generate an ephemeral encryption key in production. (elastic#81511) [Fleet] Use staging registry for snapshot builds (elastic#90327) Actually deleting x-pack/tsconfig.refs.json (elastic#90898) Add deprecation warning to all Beats CM pages. (elastic#90741) skip flaky suite (elastic#90136) Revert "Revert "[Metrics UI] Add Metrics Anomaly Alert Type (elastic#89244)"" (elastic#90889) remove ref to removed tsconfig file [core.logging] Uses host timezone as default (elastic#90368) [Maps] remove maps_file_upload plugin and fold public folder into file_upload plugin (elastic#90292) Revert "[Metrics UI] Add Metrics Anomaly Alert Type (elastic#89244)" [dev-utils/ci-stats] support disabling ship errors (elastic#90851) Prefix with / (elastic#90836) [Metrics UI] Add Metrics Anomaly Alert Type (elastic#89244) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently we generate a random encryption key if it's not specified by default when Kibana is run in production setup (
dist === true). After this PR we won't be automatically generating a random key in production in case it's not explicitly specified. We're also exposingcanEncryptproperty in thesetupcontract to help consumers figure out if ESO is able to perform encryption\decryption or not (instead ofusingEphemeralEncryptionKey).Note to reviewers: we initially planned to disable ESO plugin if encryption key isn't specified, but we later figured out that it can introduce non-trivial issues with Saved Objects migrations, so we decided not to do that for now.
Fixes: #79943
Release note
Previously Kibana was mistakenly allowed to perform a number of operations (e.g. migrations) with Saved Objects (alerts, actions etc.) using the ephemeral encryption key that's automatically generated when
xpack.encryptedSavedObjects.encryptionKeyisn't specified. This could potentially lead to a data-loss since ephemeral key is lost after restart. It's no longer the case with this fix.