-
-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AES secrets encryption #2300
AES secrets encryption #2300
Conversation
# Conflicts: # cmd/server/flags.go # cmd/server/server.go # server/store/datastore/secret.go # server/store/encryped/secret.go
# Conflicts: # server/store/encryped/secret.go
Config: WOODPECKER_ENCRYPTION_KEY: GjVHT007c4x3N+YPbsZld+hifba1enXkOzIb/0h6oW8= Test pipeline:
Logs:
DB:
Test run:
DB:
Test run:
|
server/plugins/secrets/encrypted.go
Outdated
func (ess *encryptedSecretService) decrypt(secret *model.Secret) error { | ||
log.Debug().Int64("id", secret.ID).Str("name", secret.Name).Msg("decryption") | ||
|
||
decryptedValue, err := ess.encryptionSvc.Decrypt(secret.Value, secret.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add some logic here that detects the encryption method. So it would know if a secret was encrypted using aes or maybe tink, ... And if the secret wasn't encrypted at all (before enabling the encryption) it will simply skip the decryption
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add some logic here that detects the encryption method. So it would know if a secret was encrypted using aes or maybe tink
It's overcomplicated, I think. Admin should know, what encryption he enables and set up WP accordingly. So, we know encryption method at runtime.
And if the secret wasn't encrypted at all (before enabling the encryption) it will simply skip the decryption
Then what's the point of encrypted decorator? In that case plain SecretService
should be used.
I would just get back migration logic. From plain to encrypted according to settings (AES, Tink). I'll do it in this PR.
As for more complicated migrations like AES -> Tink, Encrypted -> Plain, I would use CLI or maybe some button in admin panel. But this is out of scope of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had sth simple like this common-helper in mind which would just support decrypting plain secrets as well. It would also allow us to not do an active migration and instead do a migration on demand each time a user adds a new secrets or updates an existing one.
func decryptValue(secret *Secret) (string, string) {
if strings.HasPrefix(secret.Value, "_aes_") {
return "aes", strings.TrimPrefix(secret.Value, "_aes_")
}
return "plain", secret.Value
}
func decrypt(secret *Secret) error {
method, value := decryptValue(secret)
if method == "plain" {
// do nothing
} else if method == "aes" {
// do aes stuff
value, err := aesMagic(value)
secret.Value = value
return err
}
return fmt.Errorf("unknown secret encryption method")
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added encoding/decoding as you sad. At least it looks more readable in DB.
not do an active migration and instead do a migration on demand each time a user adds a new secrets or updates an existing one
However, as an administrator I prefer active migration. I schedule time to evaluate new feature and then to roll it out. And I would do it carefully under my control. I would not want to have issues month later after enabling the feature.
Deployment of preview was successful: https://woodpecker-ci-woodpecker-pr-2300.surge.sh |
well before we merge we have to make sure migration of non encrypted and back and mix in-between works properly ... we had to deactivate it by code last time :/ |
FilePath: os.Getenv("WOODPECKER_ENCRYPTION_KEY_FILE"), | ||
}, | ||
&cli.StringFlag{ | ||
EnvVars: []string{"WOODPECKER_ENCRYPTION_TINK_KEYSET_FILE"}, | ||
Name: "encryption-tink-keyset", | ||
Usage: "Google tink AEAD-compatible keyset file to encrypt secrets in DB", | ||
}, | ||
&cli.BoolFlag{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there should be an option to revert encryption back to unencrypted ... we could add a warning if that's really the intended case ... but we should have it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make sure migration of non encrypted and back
Done
mix in-between
This can be achieved via disabling encryption. For example, Plain -> AES -> Plain -> Tink. I would leave it like that, for this PR at least.
f555fa1
to
f4ef1e8
Compare
- secret's value encoding/decoding - public encryption service - encryption modes - migrations
Sorry for pretty long delay. Have been some traveling. There are tests of encryption / decryption below:
|
Considering that the Encryption Documentation was complete remove do we have to assume that this feature is killed? We really like to see encryption. Is there something we can do to can help? |
In regard to this PR, I would rework "migration" from env vars hack to CLI command and/or UI button <- requires API. For plain->encrypted direction the flow can be
But there were thoughts about external secrets providers and addons story => this might not suit the "core". |
Didn't know, that deleting a branch closes PR... Anyway, code is here, someone can continue the work. |
PR enables AES secrets encryption.
It consist of #1475, #1544. Part of #1541 and #1814.
SecretService
instead ofSecretStore