Project

Profile

Help

Story #8192

closed

Task #8732: [EPIC] As a user, I can rest easy with all sensitive credentials in the database encrypted at rest

Add code to pulpcore that uses the db key to encrypt fields

Added by bmbouter almost 4 years ago. Updated over 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
GalaxyNG
Sprint:
Sprint 102
Quarter:
Q2-2021

Description

Motivation

Pulp stores sensitive credentials, e.g. password for Basic Auth, proxy password, or client key for client certificate based authentication in the database in plaintext. The authentication and authorization mechanisms of Pulp keep these safe, but if the database itself was compromised, or dumped, those secrets would be readable to anyone with a copy.

Proposal

Encrypt these credentials when they live in the database and decrypt them when they are used. This encryption would use symmetric encryption with a key stored on the filesystem that is generated at install time. A good option would be Fernet symmetric key encryption from the cryptography library.

Related to Story on Removing Secrets from API Response

The scope of the fields that are encrypted should be the same as those that are no longer returned in the API due to sensitivity. See Story 8202 for the list of fields.

Installation Details

The private key will need to be generated at install time. We need to determine where to keep these by default securely. They need to be readable by code without a human involved.


Related issues

Blocked by Pulp - Task #8202: Make sensitive fields write_only and stop filtering on themCLOSED - CURRENTRELEASEdaviddavis

Actions
Actions #1

Updated by bmbouter almost 4 years ago

  • Sprint/Milestone set to 3.12.0
Actions #2

Updated by bmbouter almost 4 years ago

  • Description updated (diff)
Actions #3

Updated by bmbouter almost 4 years ago

  • Blocked by Task #8202: Make sensitive fields write_only and stop filtering on them added
Actions #4

Updated by bmbouter almost 4 years ago

  • Tags Katello added
Actions #5

Updated by bmbouter almost 4 years ago

  • Tags GalaxyNG added
  • Tags deleted (Katello)
Actions #6

Updated by mdellweg almost 4 years ago

  • Sprint/Milestone changed from 3.12.0 to 3.13.0
Actions #7

Updated by daviddavis over 3 years ago

  • Quarter set to Q2-2021
Actions #8

Updated by daviddavis over 3 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to daviddavis
  • Sprint set to Sprint 95
Actions #9

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 95 to Sprint 96
Actions #10

Updated by pulpbot over 3 years ago

  • Status changed from ASSIGNED to POST
Actions #11

Updated by daviddavis over 3 years ago

  • Blocked by Task #8704: Installer: create a key for pulp to use when encrypting sensitive db fields added
Actions #12

Updated by daviddavis over 3 years ago

  • Sprint/Milestone deleted (3.13.0)

Hoping to still get this into 3.13 but it doesn't need to block 3.13. Confirmed with Ansible they don't need it until their next release.

Actions #13

Updated by daviddavis over 3 years ago

  • Blocked by deleted (Task #8704: Installer: create a key for pulp to use when encrypting sensitive db fields)
Actions #14

Updated by daviddavis over 3 years ago

  • Subject changed from As a user, I can rest easy with all sensitive credentials in the database encrypted at rest to [EPIC] As a user, I can rest easy with all sensitive credentials in the database encrypted at rest
Actions #15

Updated by daviddavis over 3 years ago

  • Status changed from POST to NEW
  • Assignee deleted (daviddavis)
Actions #16

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 96 to Sprint 97
Actions #17

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 97 to Sprint 98
Actions #18

Updated by mdepaulo@redhat.com over 3 years ago

The filepath will be: /etc/pulp/certs/database_fields.symmetric.key as the default path or fixed path for installer / container / operator.

We agreed (at a pulp_installer meeting I think) that the pulp certs directory would be used, since private keys for certs are kept under there, and it needs similar permissions.

We didn't agree on a filename, but we were thinking of ending with .symmetric.key ( .key is the suffix for private keys for certs.)

Actions #19

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 98 to Sprint 99
Actions #20

Updated by daviddavis over 3 years ago

  • Sprint/Milestone set to 3.15.0
Actions #21

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 99 to Sprint 100
Actions #22

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 100 to Sprint 101
Actions #23

Updated by ipanova@redhat.com over 3 years ago

  • Sprint changed from Sprint 101 to Sprint 102

Added by daviddavis over 3 years ago

Revision 38799519 | View on GitHub

Encrypt Remote fields in the database

fixes #8192

Actions #24

Updated by daviddavis over 3 years ago

  • Status changed from NEW to MODIFIED
  • % Done changed from 80 to 100
Actions #25

Updated by daviddavis over 3 years ago

  • Parent issue set to #8732
Actions #26

Updated by daviddavis over 3 years ago

  • Subject changed from [EPIC] As a user, I can rest easy with all sensitive credentials in the database encrypted at rest to Add code to pulpcore that uses the db key to encrypt fields
Actions #27

Updated by pulpbot over 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF