Project

Profile

Help

Task #8704

closed

Task #8732: [EPIC] As a user, I can rest easy with all sensitive credentials in the database encrypted at rest

Installer: create a key for pulp to use when encrypting sensitive db fields

Added by daviddavis over 1 year ago. Updated over 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
Installer - Moved to GitHub issues
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 98
Quarter:

Description

#8192 encrypts fields in our database using a private key. We need to have the installer generate this key. Pulp will read in this key and use it to encrypt/decrypt sensitive fields in our database.

From #8192:

The private key will need to be generated at install time. We need to determine where to keep these by default securely. They need to be readable by code without a human involved.

Actions #1

Updated by daviddavis over 1 year ago

  • Blocks Story #8192: Add code to pulpcore that uses the db key to encrypt fields added
Actions #2

Updated by daviddavis over 1 year ago

Here's how to generate the key:

dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
Actions #3

Updated by mdepaulo@redhat.com over 1 year ago

  • Assignee set to mdepaulo@redhat.com
Actions #4

Updated by daviddavis over 1 year ago

  • Blocks deleted (Story #8192: Add code to pulpcore that uses the db key to encrypt fields)
Actions #5

Updated by daviddavis over 1 year ago

  • Parent task set to #8192
Actions #6

Updated by mdepaulo@redhat.com over 1 year ago

Needs to be done by the end of sprint 97. (per daviddavis)

Actions #7

Updated by rchan over 1 year ago

  • Sprint changed from Sprint 96 to Sprint 97
Actions #8

Updated by daviddavis over 1 year ago

  • Status changed from NEW to ASSIGNED
Actions #9

Updated by rchan over 1 year ago

  • Sprint changed from Sprint 97 to Sprint 98
Actions #10

Updated by pulpbot over 1 year ago

  • Status changed from ASSIGNED to POST

Added by Mike DePaulo over 1 year ago

Revision f196208b

Create or import a key for pulp-api to use when

encrypting sensitive db fields.

Introduces new variables pulp_db_fields_key & pulp_db_fields_key_remote.

fixes: #8704 Create a key for pulp to use when encrypting sensitive db fields https://pulp.plan.io/issues/8704

Added by Mike DePaulo over 1 year ago

Revision f196208b

Create or import a key for pulp-api to use when

encrypting sensitive db fields.

Introduces new variables pulp_db_fields_key & pulp_db_fields_key_remote.

fixes: #8704 Create a key for pulp to use when encrypting sensitive db fields https://pulp.plan.io/issues/8704

Actions #11

Updated by daviddavis over 1 year ago

  • Subject changed from Create a key for pulp to use when encrypting sensitive db fields to Installer: create a key for pulp to use when encrypting sensitive db fields
Actions #12

Updated by Anonymous over 1 year ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Added by daviddavis over 1 year ago

Revision 9a7291f9

Use openssl to generate db key

ref #8704

Added by daviddavis over 1 year ago

Revision 9a7291f9

Use openssl to generate db key

ref #8704

Actions #14

Updated by bmbouter over 1 year ago

  • Sprint/Milestone set to 3.14.0

Added by William Bradford Clark over 1 year ago

Revision b45ade85

Use url-safe base64 encoding for Fernet key

Fernet.generate_key() (from Python's cryptography.fernet module) generates 32 pseudorandom bytes in url-safe base64-encoded form, i.e. using the url-safe base64 alphabet described in https://datatracker.ietf.org/doc/html/rfc4648#section-5

This commit converts the output from the openssl command used to generate the Fernet key to the same url-safe base64 alphabet. This is technically not required as Python's urlsafe_b64decode function will translate to the url-safe alphabet when loading the key; however we might as well store the key using the same base64 alphabet which is used internally by cryptography.frenet

refs: #8704

Added by William Bradford Clark over 1 year ago

Revision b45ade85

Use url-safe base64 encoding for Fernet key

Fernet.generate_key() (from Python's cryptography.fernet module) generates 32 pseudorandom bytes in url-safe base64-encoded form, i.e. using the url-safe base64 alphabet described in https://datatracker.ietf.org/doc/html/rfc4648#section-5

This commit converts the output from the openssl command used to generate the Fernet key to the same url-safe base64 alphabet. This is technically not required as Python's urlsafe_b64decode function will translate to the url-safe alphabet when loading the key; however we might as well store the key using the same base64 alphabet which is used internally by cryptography.frenet

refs: #8704

Added by William Bradford Clark over 1 year ago

Revision e61d7fdc

Fix typo in pulp_db_fields_key documentation

refs: #8704

Added by William Bradford Clark over 1 year ago

Revision e61d7fdc

Fix typo in pulp_db_fields_key documentation

refs: #8704

Added by William Bradford Clark over 1 year ago

Revision b6e7a069

Use 0640 filemode for Fernet keyfile

refs: #8704

Added by William Bradford Clark over 1 year ago

Revision b6e7a069

Use 0640 filemode for Fernet keyfile

refs: #8704

Actions #15

Updated by bmbouter over 1 year ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions #16

Updated by daviddavis over 1 year ago

  • Parent task changed from #8192 to #8732

Also available in: Atom PDF