Vault Integration with Dgraph

chunker/chunk.go

@@ -349,10 +349,10 @@ func slurpQuoted(r *bufio.Reader, out *bytes.Buffer) error {
 }
 
 // FileReader returns an open reader on the given file. Gzip-compressed input is detected
-// and decompressed automatically even without the gz extension. The keyfile, if non-nil,
+// and decompressed automatically even without the gz extension. The key, if non-nil,
 // is used to decrypt the file. The caller is responsible for calling the returned cleanup
 // function when done with the reader.
-func FileReader(file string, keyfile string) (rd *bufio.Reader, cleanup func()) {
+func FileReader(file string, key []byte) (rd *bufio.Reader, cleanup func()) {
 	var f *os.File
 	var err error
 	if file == "-" {
@@ -366,7 +366,7 @@ func FileReader(file string, keyfile string) (rd *bufio.Reader, cleanup func())
 	cleanup = func() { _ = f.Close() }
 
 	if filepath.Ext(file) == ".gz" {
-		r, err := enc.GetReader(keyfile, f)
+		r, err := enc.GetReader(key, f)
 		x.Check(err)
 		gzr, err := gzip.NewReader(r)
 		x.Check(err)

dgraph/cmd/alpha/run.go

@@ -115,10 +115,7 @@ they form a Raft group and provide synchronous replication.
 			" mmap consumes more RAM, but provides better performance.")
 	flag.Int("badger.compression_level", 3,
 		"The compression level for Badger. A higher value uses more resources.")
-	flag.String("encryption_key_file", "",
-		"The file that stores the encryption key. The key size must be 16, 24, or 32 bytes long. "+
-			"The key size determines the corresponding block size for AES encryption "+
-			"(AES-128, AES-192, and AES-256 respectively). Enterprise feature.")
+	enc.RegisterFlags(flag)
 
 	// Snapshot and Transactions.
 	flag.Int("snapshot_after", 10000,
@@ -552,6 +549,7 @@ func setupServer(closer *y.Closer) {
 }
 
 func run() {
+	var err error
 	if Alpha.Conf.GetBool("enable_sentry") {
 		x.InitSentry(enc.EeBuild)
 		defer x.FlushSentry()
@@ -563,20 +561,27 @@ func run() {
 	opts := worker.Options{
 		BadgerTables:           Alpha.Conf.GetString("badger.tables"),
 		BadgerVlog:             Alpha.Conf.GetString("badger.vlog"),
-		BadgerKeyFile:          Alpha.Conf.GetString("encryption_key_file"),
 		BadgerCompressionLevel: Alpha.Conf.GetInt("badger.compression_level"),
-
-		PostingDir: Alpha.Conf.GetString("postings"),
-		WALDir:     Alpha.Conf.GetString("wal"),
+		PostingDir:             Alpha.Conf.GetString("postings"),
+		WALDir:                 Alpha.Conf.GetString("wal"),
 
 		MutationsMode:  worker.AllowMutations,
 		AuthToken:      Alpha.Conf.GetString("auth_token"),
 		AllottedMemory: Alpha.Conf.GetFloat64("lru_mb"),
 	}
 
-	// OSS, non-nil key file --> crash
-	if !enc.EeBuild && opts.BadgerKeyFile != "" {
-		glog.Fatalf("Cannot enable encryption: %s", x.ErrNotSupported)
+	var kr enc.KeyReader
+	if kr, err = enc.NewKeyReader(Alpha.Conf); err != nil {
+		glog.Errorf("error: %v", err)
+		return
+	}
+	// kR can be nil for the no-encryption scenario.
+	var key x.SensitiveByteSlice
+	if kr != nil {
+		if key, err = kr.ReadKey(); err != nil {
+			glog.Errorf("error: %v", err)
+			return
+		}
 	}
 
 	secretFile := Alpha.Conf.GetString("acl_secret_file")
@@ -632,7 +637,7 @@ func run() {
 		AbortOlderThan:      abortDur,
 		StartTime:           startTime,
 		LudicrousMode:       Alpha.Conf.GetBool("ludicrous_mode"),
-		BadgerKeyFile:       worker.Config.BadgerKeyFile,
+		EncryptionKey:       key,
 	}
 
 	setupCustomTokenizers()

dgraph/cmd/bulk/loader.go

@@ -71,8 +71,8 @@ type options struct {
 	shardOutputDirs []string
 
 	// ........... Badger options ..........
-	// BadgerKeyFile is the file containing the key used for encryption. Enterprise only feature.
-	BadgerKeyFile string
+	// EncryptionKey is the key used for encryption. Enterprise only feature.
+	EncryptionKey x.SensitiveByteSlice
 	// BadgerCompressionlevel is the compression level to use while writing to badger.
 	BadgerCompressionLevel int
 }
@@ -149,11 +149,11 @@ func readSchema(opt *options) *schema.ParsedSchema {
 	x.Check(err)
 	defer f.Close()
 
-	keyfile := opt.BadgerKeyFile
+	key := opt.EncryptionKey
 	if !opt.Encrypted {
-		keyfile = ""
+		key = nil
 	}
-	r, err := enc.GetReader(keyfile, f)
+	r, err := enc.GetReader(key, f)
 	x.Check(err)
 	if filepath.Ext(opt.SchemaFile) == ".gz" {
 		r, err = gzip.NewReader(r)
@@ -214,11 +214,11 @@ func (ld *loader) mapStage() {
 		go func(file string) {
 			defer thr.Done(nil)
 
-			keyfile := ld.opt.BadgerKeyFile
+			key := ld.opt.EncryptionKey
 			if !ld.opt.Encrypted {
-				keyfile = ""
+				key = nil
 			}
-			r, cleanup := chunker.FileReader(file, keyfile)
+			r, cleanup := chunker.FileReader(file, key)
 			defer cleanup()
 
 			chunk := chunker.NewChunker(loadType, 1000)

dgraph/cmd/bulk/reduce.go

@@ -37,7 +37,6 @@ import (
 	bpb "github.com/dgraph-io/badger/v2/pb"
 	"github.com/dgraph-io/badger/v2/y"
 	"github.com/dgraph-io/dgraph/codec"
-	"github.com/dgraph-io/dgraph/ee/enc"
 	"github.com/dgraph-io/dgraph/posting"
 	"github.com/dgraph-io/dgraph/protos/pb"
 	"github.com/dgraph-io/dgraph/worker"
@@ -103,22 +102,22 @@ func (r *reducer) run() error {
 }
 
 func (r *reducer) createBadger(i int) *badger.DB {
-	if r.opt.BadgerKeyFile != "" {
+	if r.opt.EncryptionKey != nil {
 		// Need to set zero addr in WorkerConfig before checking the license.
 		x.WorkerConfig.ZeroAddr = []string{r.opt.ZeroAddr}
 
 		if !worker.EnterpriseEnabled() {
 			// Crash since the enterprise license is not enabled..
 			log.Fatal("Enterprise License needed for the Encryption feature.")
 		} else {
-			log.Printf("Encryption feature enabled. Using encryption key file: %v", r.opt.BadgerKeyFile)
+			log.Printf("Encryption feature enabled.")
 		}
 	}
 
 	opt := badger.DefaultOptions(r.opt.shardOutputDirs[i]).WithSyncWrites(false).
 		WithTableLoadingMode(bo.MemoryMap).WithValueThreshold(1 << 10 /* 1 KB */).
 		WithLogger(nil).WithMaxCacheSize(1 << 20).
-		WithEncryptionKey(enc.ReadEncryptionKeyFile(r.opt.BadgerKeyFile)).WithCompression(bo.None)
+		WithEncryptionKey(r.opt.EncryptionKey).WithCompression(bo.None)
 
 	// Overwrite badger options based on the options provided by the user.
 	r.setBadgerOptions(&opt)

dgraph/cmd/bulk/run.go

@@ -113,30 +113,28 @@ func init() {
 
 func run() {
 	opt := options{
-		DataFiles:        Bulk.Conf.GetString("files"),
-		DataFormat:       Bulk.Conf.GetString("format"),
-		SchemaFile:       Bulk.Conf.GetString("schema"),
-		Encrypted:        Bulk.Conf.GetBool("encrypted"),
-		OutDir:           Bulk.Conf.GetString("out"),
-		ReplaceOutDir:    Bulk.Conf.GetBool("replace_out"),
-		TmpDir:           Bulk.Conf.GetString("tmp"),
-		NumGoroutines:    Bulk.Conf.GetInt("num_go_routines"),
-		MapBufSize:       uint64(Bulk.Conf.GetInt("mapoutput_mb")),
-		SkipMapPhase:     Bulk.Conf.GetBool("skip_map_phase"),
-		CleanupTmp:       Bulk.Conf.GetBool("cleanup_tmp"),
-		NumReducers:      Bulk.Conf.GetInt("reducers"),
-		Version:          Bulk.Conf.GetBool("version"),
-		StoreXids:        Bulk.Conf.GetBool("store_xids"),
-		ZeroAddr:         Bulk.Conf.GetString("zero"),
-		HttpAddr:         Bulk.Conf.GetString("http"),
-		IgnoreErrors:     Bulk.Conf.GetBool("ignore_errors"),
-		MapShards:        Bulk.Conf.GetInt("map_shards"),
-		ReduceShards:     Bulk.Conf.GetInt("reduce_shards"),
-		CustomTokenizers: Bulk.Conf.GetString("custom_tokenizers"),
-		NewUids:          Bulk.Conf.GetBool("new_uids"),
-		ClientDir:        Bulk.Conf.GetString("xidmap"),
-
-		BadgerKeyFile:          Bulk.Conf.GetString("encryption_key_file"),
+		DataFiles:              Bulk.Conf.GetString("files"),
+		DataFormat:             Bulk.Conf.GetString("format"),
+		SchemaFile:             Bulk.Conf.GetString("schema"),
+		Encrypted:              Bulk.Conf.GetBool("encrypted"),
+		OutDir:                 Bulk.Conf.GetString("out"),
+		ReplaceOutDir:          Bulk.Conf.GetBool("replace_out"),
+		TmpDir:                 Bulk.Conf.GetString("tmp"),
+		NumGoroutines:          Bulk.Conf.GetInt("num_go_routines"),
+		MapBufSize:             uint64(Bulk.Conf.GetInt("mapoutput_mb")),
+		SkipMapPhase:           Bulk.Conf.GetBool("skip_map_phase"),
+		CleanupTmp:             Bulk.Conf.GetBool("cleanup_tmp"),
+		NumReducers:            Bulk.Conf.GetInt("reducers"),
+		Version:                Bulk.Conf.GetBool("version"),
+		StoreXids:              Bulk.Conf.GetBool("store_xids"),
+		ZeroAddr:               Bulk.Conf.GetString("zero"),
+		HttpAddr:               Bulk.Conf.GetString("http"),
+		IgnoreErrors:           Bulk.Conf.GetBool("ignore_errors"),
+		MapShards:              Bulk.Conf.GetInt("map_shards"),
+		ReduceShards:           Bulk.Conf.GetInt("reduce_shards"),
+		CustomTokenizers:       Bulk.Conf.GetString("custom_tokenizers"),
+		NewUids:                Bulk.Conf.GetBool("new_uids"),
+		ClientDir:              Bulk.Conf.GetString("xidmap"),
 		BadgerCompressionLevel: Bulk.Conf.GetInt("badger.compression_level"),
 	}
 
@@ -145,14 +143,16 @@ func run() {
 		os.Exit(0)
 	}
 	// OSS, non-nil key file --> crash
-	if !enc.EeBuild && opt.BadgerKeyFile != "" {
+	keyfile := Bulk.Conf.GetString("encryption_key_file")
+	if !enc.EeBuild && keyfile != "" {
 		fmt.Printf("Cannot enable encryption: %s", x.ErrNotSupported)
 		os.Exit(1)
 	}
-	if opt.Encrypted && opt.BadgerKeyFile == "" {
+	if opt.Encrypted && keyfile == "" {
 		fmt.Printf("Must use --encryption_key_file option with --encrypted option.\n")
 		os.Exit(1)
 	}
+	opt.EncryptionKey = enc.ReadEncryptionKeyFile(keyfile)
 	if opt.SchemaFile == "" {
 		fmt.Fprint(os.Stderr, "Schema file must be specified.\n")
 		os.Exit(1)
@@ -191,10 +191,13 @@ func run() {
 
 	opt.MapBufSize <<= 20 // Convert from MB to B.
 
+	// Copy key to local
+	key := opt.EncryptionKey
+	opt.EncryptionKey = nil
 	optBuf, err := json.MarshalIndent(&opt, "", "\t")
 	x.Check(err)
 	fmt.Println(string(optBuf))
-
+	opt.EncryptionKey = key
 	maxOpenFilesWarning()
 
 	go func() {

dgraph/cmd/debug/run.go

@@ -56,7 +56,7 @@ type flagOptions struct {
 	readTs        uint64
 	sizeHistogram bool
 	noKeys        bool
-	badgerKeyFile string
+	keyFile       string
 
 	// Options related to the WAL.
 	wdir           string
@@ -87,7 +87,7 @@ func init() {
 	flag.StringVarP(&opt.pdir, "postings", "p", "", "Directory where posting lists are stored.")
 	flag.BoolVar(&opt.sizeHistogram, "histogram", false,
 		"Show a histogram of the key and value sizes.")
-	flag.StringVarP(&opt.badgerKeyFile, "encryption_key_file", "k", "",
+	flag.StringVarP(&opt.keyFile, "encryption_key_file", "k", "",
 		"File where the encryption key is stored.")
 
 	flag.StringVarP(&opt.wdir, "wal", "w", "", "Directory where Raft write-ahead logs are stored.")
@@ -767,7 +767,7 @@ func run() {
 	}
 	bopts := badger.DefaultOptions(dir).
 		WithTableLoadingMode(options.MemoryMap).
-		WithReadOnly(opt.readOnly).WithEncryptionKey(enc.ReadEncryptionKeyFile(opt.badgerKeyFile))
+		WithReadOnly(opt.readOnly).WithEncryptionKey(enc.ReadEncryptionKeyFile(opt.keyFile))
 
 	// TODO(Ibrahim): Remove this once badger is updated.
 	bopts.ZSTDCompressionLevel = 1

dgraph/cmd/live/run.go

@@ -187,7 +187,7 @@ func processSchemaFile(ctx context.Context, file string, keyfile string,
 	x.CheckfNoTrace(err)
 	defer f.Close()
 
-	reader, err := enc.GetReader(keyfile, f)
+	reader, err := enc.GetReader(enc.ReadEncryptionKeyFile(keyfile), f)
 	x.Check(err)
 	if strings.HasSuffix(strings.ToLower(file), ".gz") {
 		reader, err = gzip.NewReader(reader)
@@ -252,7 +252,7 @@ func (l *loader) allocateUids(nqs []*api.NQuad) {
 func (l *loader) processFile(ctx context.Context, filename string, keyfile string) error {
 	fmt.Printf("Processing data file %q\n", filename)
 
-	rd, cleanup := chunker.FileReader(filename, keyfile)
+	rd, cleanup := chunker.FileReader(filename, enc.ReadEncryptionKeyFile(keyfile))
 	defer cleanup()
 
 	loadType := chunker.DataFormat(filename, opt.dataFormat)

dgraph/cmd/zero/run.go

@@ -235,9 +235,6 @@ func run() {
 	go x.RunVlogGC(kv, gcCloser)
 	defer gcCloser.SignalAndWait()
 
-	// zero out from memory
-	kvOpt.EncryptionKey = nil
-
 	store := raftwal.Init(kv, opts.nodeId, 0)
 
 	// Initialize the servers.

dgraph/docker-compose.yml

@@ -69,7 +69,7 @@ services:
         target: /dgraph-acl/hmac-secret
         read_only: true
       - type: bind
-        source: ../ee/enc/enc-key
+        source: ../ee/enc/test-fixtures/enc-key
         target: /dgraph-enc/enc-key
         read_only: true
     ports:
@@ -96,7 +96,7 @@ services:
         target: /dgraph-acl/hmac-secret
         read_only: true
       - type: bind
-        source: ../ee/enc/enc-key
+        source: ../ee/enc/test-fixtures/enc-key
         target: /dgraph-enc/enc-key
         read_only: true
     ports:
@@ -123,7 +123,7 @@ services:
         target: /dgraph-acl/hmac-secret
         read_only: true
       - type: bind
-        source: ../ee/enc/enc-key
+        source: ../ee/enc/test-fixtures/enc-key
         target: /dgraph-enc/enc-key
         read_only: true
     ports:
@@ -150,7 +150,7 @@ services:
         target: /dgraph-acl/hmac-secret
         read_only: true
       - type: bind
-        source: ../ee/enc/enc-key
+        source: ../ee/enc/test-fixtures/enc-key
         target: /dgraph-enc/enc-key
         read_only: true
     ports:
@@ -177,7 +177,7 @@ services:
         target: /dgraph-acl/hmac-secret
         read_only: true
       - type: bind
-        source: ../ee/enc/enc-key
+        source: ../ee/enc/test-fixtures/enc-key
         target: /dgraph-enc/enc-key
         read_only: true
     ports:
@@ -204,7 +204,7 @@ services:
         target: /dgraph-acl/hmac-secret
         read_only: true
       - type: bind
-        source: ../ee/enc/enc-key
+        source: ../ee/enc/test-fixtures/enc-key
         target: /dgraph-enc/enc-key
         read_only: true
     ports:

ee/enc/test-fixtures/bad-length-enc-key

@@ -0,0 +1 @@
+123

ee/enc/test-fixtures/dgraph.hcl

@@ -0,0 +1,6 @@
+path "secret/dgraph" {
+ capabilities = ["read", "list"]
+}
+path "secret/data/dgraph" {
+ capabilities = ["read", "list"]
+}

ee/enc/test-fixtures/dummy_role_id_file

@@ -0,0 +1 @@
+dummyRoleIDFile

ee/enc/test-fixtures/dummy_secret_id_file

@@ -0,0 +1 @@
+dummySecretIDFile

ee/enc/test-fixtures/enc-key

@@ -0,0 +1 @@
+1234567890123456