Project

Profile

Help

Actions
Send by e-mail Copy link

Task #8704

closed

Task #8732: [EPIC] As a user, I can rest easy with all sensitive credentials in the database encrypted at rest

Installer: create a key for pulp to use when encrypting sensitive db fields

Added by daviddavis almost 3 years ago. Updated over 2 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
mdepaulo@redhat.com
Category:
Installer - Moved to GitHub issues
Sprint/Milestone:
3.14.0
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 98
Quarter:

Description

#8192 encrypts fields in our database using a private key. We need to have the installer generate this key. Pulp will read in this key and use it to encrypt/decrypt sensitive fields in our database.

From #8192:

The private key will need to be generated at install time. We need to determine where to keep these by default securely. They need to be readable by code without a human involved.

Actions
Copy link
 #1

Updated by daviddavis almost 3 years ago

  • Blocks Story #8192: Add code to pulpcore that uses the db key to encrypt fields added
Actions
Copy link
 #2

Updated by daviddavis almost 3 years ago

Here's how to generate the key:

dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
Actions
Copy link
 #3

Updated by mdepaulo@redhat.com almost 3 years ago

  • Assignee set to mdepaulo@redhat.com
Actions
Copy link
 #4

Updated by daviddavis almost 3 years ago

  • Blocks deleted (Story #8192: Add code to pulpcore that uses the db key to encrypt fields)
Actions
Copy link
 #5

Updated by daviddavis almost 3 years ago

  • Parent issue set to #8192
Actions
Copy link
 #6

Updated by mdepaulo@redhat.com almost 3 years ago

Needs to be done by the end of sprint 97. (per daviddavis)

Actions
Copy link
 #7

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 96 to Sprint 97
Actions
Copy link
 #8

Updated by daviddavis almost 3 years ago

  • Status changed from NEW to ASSIGNED
Actions
Copy link
 #9

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 97 to Sprint 98
Actions
Copy link
 #10

Updated by pulpbot almost 3 years ago

  • Status changed from ASSIGNED to POST

Added by Mike DePaulo almost 3 years ago

Revision f196208b | View on GitHub

Create or import a key for pulp-api to use when

encrypting sensitive db fields.

Introduces new variables pulp_db_fields_key & pulp_db_fields_key_remote.

fixes: #8704 Create a key for pulp to use when encrypting sensitive db fields https://pulp.plan.io/issues/8704

Added by Mike DePaulo almost 3 years ago

Revision f196208b | View on GitHub

Create or import a key for pulp-api to use when

encrypting sensitive db fields.

Introduces new variables pulp_db_fields_key & pulp_db_fields_key_remote.

fixes: #8704 Create a key for pulp to use when encrypting sensitive db fields https://pulp.plan.io/issues/8704

Actions
Copy link
 #11

Updated by daviddavis almost 3 years ago

  • Subject changed from Create a key for pulp to use when encrypting sensitive db fields to Installer: create a key for pulp to use when encrypting sensitive db fields
Actions
Copy link
 #12

Updated by Anonymous almost 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Added by daviddavis almost 3 years ago

Revision 9a7291f9 | View on GitHub

Use openssl to generate db key

ref #8704

Added by daviddavis almost 3 years ago

Revision 9a7291f9 | View on GitHub

Use openssl to generate db key

ref #8704

Actions
Copy link
 #14

Updated by bmbouter almost 3 years ago

  • Sprint/Milestone set to 3.14.0

Added by William Bradford Clark almost 3 years ago

Revision b45ade85 | View on GitHub

Use url-safe base64 encoding for Fernet key

Fernet.generate_key() (from Python's cryptography.fernet module) generates 32 pseudorandom bytes in url-safe base64-encoded form, i.e. using the url-safe base64 alphabet described in https://datatracker.ietf.org/doc/html/rfc4648#section-5

This commit converts the output from the openssl command used to generate the Fernet key to the same url-safe base64 alphabet. This is technically not required as Python's urlsafe_b64decode function will translate to the url-safe alphabet when loading the key; however we might as well store the key using the same base64 alphabet which is used internally by cryptography.frenet

refs: #8704

Added by William Bradford Clark almost 3 years ago

Revision b45ade85 | View on GitHub

Use url-safe base64 encoding for Fernet key

Fernet.generate_key() (from Python's cryptography.fernet module) generates 32 pseudorandom bytes in url-safe base64-encoded form, i.e. using the url-safe base64 alphabet described in https://datatracker.ietf.org/doc/html/rfc4648#section-5

This commit converts the output from the openssl command used to generate the Fernet key to the same url-safe base64 alphabet. This is technically not required as Python's urlsafe_b64decode function will translate to the url-safe alphabet when loading the key; however we might as well store the key using the same base64 alphabet which is used internally by cryptography.frenet

refs: #8704

Added by William Bradford Clark almost 3 years ago

Revision e61d7fdc | View on GitHub

Fix typo in pulp_db_fields_key documentation

refs: #8704

Added by William Bradford Clark almost 3 years ago

Revision e61d7fdc | View on GitHub

Fix typo in pulp_db_fields_key documentation

refs: #8704

Added by William Bradford Clark almost 3 years ago

Revision b6e7a069 | View on GitHub

Use 0640 filemode for Fernet keyfile

refs: #8704

Added by William Bradford Clark almost 3 years ago

Revision b6e7a069 | View on GitHub

Use 0640 filemode for Fernet keyfile

refs: #8704

Actions
Copy link
 #15

Updated by bmbouter almost 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions
Copy link
 #16

Updated by daviddavis over 2 years ago

  • Parent issue changed from #8192 to #8732
Actions
Send by e-mail Copy link

Also available in: Atom PDF