Project

Profile

Help

Task #8704

Task #8732: [EPIC] As a user, I can rest easy with all sensitive credentials in the database encrypted at rest

Installer: create a key for pulp to use when encrypting sensitive db fields

Added by daviddavis 6 months ago. Updated 3 months ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
Installer - Moved to GitHub issues
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 98
Quarter:

Description

#8192 encrypts fields in our database using a private key. We need to have the installer generate this key. Pulp will read in this key and use it to encrypt/decrypt sensitive fields in our database.

From #8192:

The private key will need to be generated at install time. We need to determine where to keep these by default securely. They need to be readable by code without a human involved.

Associated revisions

Revision f196208b View on GitHub
Added by Mike DePaulo 5 months ago

Create or import a key for pulp-api to use when

encrypting sensitive db fields.

Introduces new variables pulp_db_fields_key & pulp_db_fields_key_remote.

fixes: #8704 Create a key for pulp to use when encrypting sensitive db fields https://pulp.plan.io/issues/8704

Revision f196208b View on GitHub
Added by Mike DePaulo 5 months ago

Create or import a key for pulp-api to use when

encrypting sensitive db fields.

Introduces new variables pulp_db_fields_key & pulp_db_fields_key_remote.

fixes: #8704 Create a key for pulp to use when encrypting sensitive db fields https://pulp.plan.io/issues/8704

Revision 9a7291f9 View on GitHub
Added by daviddavis 5 months ago

Use openssl to generate db key

ref #8704

Revision 9a7291f9 View on GitHub
Added by daviddavis 5 months ago

Use openssl to generate db key

ref #8704

Revision b45ade85 View on GitHub
Added by William Bradford Clark 4 months ago

Use url-safe base64 encoding for Fernet key

Fernet.generate_key() (from Python's cryptography.fernet module) generates 32 pseudorandom bytes in url-safe base64-encoded form, i.e. using the url-safe base64 alphabet described in https://datatracker.ietf.org/doc/html/rfc4648#section-5

This commit converts the output from the openssl command used to generate the Fernet key to the same url-safe base64 alphabet. This is technically not required as Python's urlsafe_b64decode function will translate to the url-safe alphabet when loading the key; however we might as well store the key using the same base64 alphabet which is used internally by cryptography.frenet

refs: #8704

Revision b45ade85 View on GitHub
Added by William Bradford Clark 4 months ago

Use url-safe base64 encoding for Fernet key

Fernet.generate_key() (from Python's cryptography.fernet module) generates 32 pseudorandom bytes in url-safe base64-encoded form, i.e. using the url-safe base64 alphabet described in https://datatracker.ietf.org/doc/html/rfc4648#section-5

This commit converts the output from the openssl command used to generate the Fernet key to the same url-safe base64 alphabet. This is technically not required as Python's urlsafe_b64decode function will translate to the url-safe alphabet when loading the key; however we might as well store the key using the same base64 alphabet which is used internally by cryptography.frenet

refs: #8704

Revision e61d7fdc View on GitHub
Added by William Bradford Clark 4 months ago

Fix typo in pulp_db_fields_key documentation

refs: #8704

Revision e61d7fdc View on GitHub
Added by William Bradford Clark 4 months ago

Fix typo in pulp_db_fields_key documentation

refs: #8704

Revision b6e7a069 View on GitHub
Added by William Bradford Clark 4 months ago

Use 0640 filemode for Fernet keyfile

refs: #8704

Revision b6e7a069 View on GitHub
Added by William Bradford Clark 4 months ago

Use 0640 filemode for Fernet keyfile

refs: #8704

History

#1 Updated by daviddavis 6 months ago

  • Blocks Story #8192: Add code to pulpcore that uses the db key to encrypt fields added

#2 Updated by daviddavis 6 months ago

Here's how to generate the key:

dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64

#3 Updated by mdepaulo@redhat.com 6 months ago

  • Assignee set to mdepaulo@redhat.com

#4 Updated by daviddavis 6 months ago

  • Blocks deleted (Story #8192: Add code to pulpcore that uses the db key to encrypt fields)

#5 Updated by daviddavis 6 months ago

  • Parent task set to #8192

#6 Updated by mdepaulo@redhat.com 6 months ago

Needs to be done by the end of sprint 97. (per daviddavis)

#7 Updated by rchan 5 months ago

  • Sprint changed from Sprint 96 to Sprint 97

#8 Updated by daviddavis 5 months ago

  • Status changed from NEW to ASSIGNED

#9 Updated by rchan 5 months ago

  • Sprint changed from Sprint 97 to Sprint 98

#10 Updated by pulpbot 5 months ago

  • Status changed from ASSIGNED to POST

#11 Updated by daviddavis 5 months ago

  • Subject changed from Create a key for pulp to use when encrypting sensitive db fields to Installer: create a key for pulp to use when encrypting sensitive db fields

#12 Updated by Anonymous 5 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#14 Updated by bmbouter 4 months ago

  • Sprint/Milestone set to 3.14.0

#15 Updated by bmbouter 4 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

#16 Updated by daviddavis 3 months ago

  • Parent task changed from #8192 to #8732

Please register to edit this issue

Also available in: Atom PDF