Task #8704: Installer: create a key for pulp to use when encrypting sensitive db fields - Pulp

Agile board
Agile charts

Agile boards

Pulp 2 QE Agile Board
Pulp 2 QE Agile Board - Priority View
Pulp 3 QE Agile Board
Pulp 3 RPM Tests Agile Board
Sprint 112 Agile Board

Custom queries

[All Projects] All Test Trackers
2.21.4 - Next Bugfix Release
2.21.4 MODIFIED
2.21.5
3.14.3
CI/CD
Easy Fix
FIPS open
Functional Tests
Galaxy NG
Groomed
Installer - Triage
Installer Items
Issues for Triage
Katello Integration
Next Docs Day
Operator issues
POST/ASSIGNED - no Sprint - Pulp2
POST/ASSIGNED - no Sprint - Pulp3
Prioritized Bugs
Pulp 3 Docs issues
Pulp2 issues available for next release
Pulpcore
SELinux related
Sprint 111
Sprint 112
Sprint Candidates (also groomed)
Un-Triaged Bugs
Verification Required

Actions

Send by e-mail Copy link

Task #8704

closed

Task #8732: [EPIC] As a user, I can rest easy with all sensitive credentials in the database encrypted at rest

Installer: create a key for pulp to use when encrypting sensitive db fields

Added by daviddavis over 3 years ago. Updated over 3 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

Normal

Assignee:

mdepaulo@redhat.com

Category:

Installer - Moved to GitHub issues

Sprint/Milestone:

3.14.0

Start date:

Due date:

% Done:

100%

Estimated time:

Platform Release:

Groomed:

Sprint Candidate:

Tags:

Sprint:

Sprint 98

Quarter:

Description

#8192 encrypts fields in our database using a private key. We need to have the installer generate this key. Pulp will read in this key and use it to encrypt/decrypt sensitive fields in our database.

From #8192:

The private key will need to be generated at install time. We need to determine where to keep these by default securely. They need to be readable by code without a human involved.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by daviddavis over 3 years ago

Blocks Story #8192: Add code to pulpcore that uses the db key to encrypt fields added

Actions

Copy link

Updated by daviddavis over 3 years ago

Here's how to generate the key:

dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64

Actions

Copy link

Updated by mdepaulo@redhat.com over 3 years ago

Assignee set to mdepaulo@redhat.com

Actions

Copy link

Updated by daviddavis over 3 years ago

Blocks deleted (Story #8192: Add code to pulpcore that uses the db key to encrypt fields)

Actions

Copy link

Updated by daviddavis over 3 years ago

Parent issue set to #8192

Actions

Copy link

Updated by mdepaulo@redhat.com over 3 years ago

Needs to be done by the end of sprint 97. (per daviddavis)

Actions

Copy link

Updated by rchan over 3 years ago

Sprint changed from Sprint 96 to Sprint 97

Actions

Copy link

Updated by daviddavis over 3 years ago

Status changed from NEW to ASSIGNED

Actions

Copy link

Updated by rchan over 3 years ago

Sprint changed from Sprint 97 to Sprint 98

Actions

Copy link

#10

Updated by pulpbot over 3 years ago

Status changed from ASSIGNED to POST

PR: https://github.com/pulp/pulp_installer/pull/645

Added by Mike DePaulo over 3 years ago

Revision f196208b | View on GitHub

Create or import a key for pulp-api to use when

encrypting sensitive db fields.

Introduces new variables pulp_db_fields_key & pulp_db_fields_key_remote.

fixes: #8704 Create a key for pulp to use when encrypting sensitive db fields https://pulp.plan.io/issues/8704

Added by Mike DePaulo over 3 years ago

Revision f196208b | View on GitHub

Create or import a key for pulp-api to use when

encrypting sensitive db fields.

Introduces new variables pulp_db_fields_key & pulp_db_fields_key_remote.

fixes: #8704 Create a key for pulp to use when encrypting sensitive db fields https://pulp.plan.io/issues/8704

Actions

Copy link

#11

Updated by daviddavis over 3 years ago

Subject changed from Create a key for pulp to use when encrypting sensitive db fields to Installer: create a key for pulp to use when encrypting sensitive db fields

Actions

Copy link

#12

Updated by Anonymous over 3 years ago

Status changed from POST to MODIFIED
% Done changed from 0 to 100

Applied in changeset ansible-pulp|f196208b282b702fcebc00d84d048a6ea59126ae.

Added by daviddavis over 3 years ago

Revision 9a7291f9 | View on GitHub

Use openssl to generate db key

ref #8704

Added by daviddavis over 3 years ago

Revision 9a7291f9 | View on GitHub

Use openssl to generate db key

ref #8704

Actions

Copy link

#13

Updated by pulpbot over 3 years ago

PR: https://github.com/pulp/pulp_installer/pull/652

Actions

Copy link

#14

Updated by bmbouter over 3 years ago

Sprint/Milestone set to 3.14.0

Added by William Bradford Clark over 3 years ago

Revision b45ade85 | View on GitHub

Use url-safe base64 encoding for Fernet key

Fernet.generate_key() (from Python's cryptography.fernet module) generates 32 pseudorandom bytes in url-safe base64-encoded form, i.e. using the url-safe base64 alphabet described in https://datatracker.ietf.org/doc/html/rfc4648#section-5

This commit converts the output from the openssl command used to generate the Fernet key to the same url-safe base64 alphabet. This is technically not required as Python's urlsafe_b64decode function will translate to the url-safe alphabet when loading the key; however we might as well store the key using the same base64 alphabet which is used internally by cryptography.frenet

refs: #8704

Added by William Bradford Clark over 3 years ago

Revision b45ade85 | View on GitHub

Use url-safe base64 encoding for Fernet key

refs: #8704

Added by William Bradford Clark over 3 years ago

Revision e61d7fdc | View on GitHub

Fix typo in pulp_db_fields_key documentation

refs: #8704

Added by William Bradford Clark over 3 years ago

Revision e61d7fdc | View on GitHub

Fix typo in pulp_db_fields_key documentation

refs: #8704

Added by William Bradford Clark over 3 years ago

Revision b6e7a069 | View on GitHub

Use 0640 filemode for Fernet keyfile

refs: #8704

Added by William Bradford Clark over 3 years ago

Revision b6e7a069 | View on GitHub

Use 0640 filemode for Fernet keyfile

refs: #8704

Actions

Copy link

#15

Updated by bmbouter over 3 years ago

Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Actions

Copy link

#16

Updated by daviddavis over 3 years ago

Parent issue changed from #8192 to #8732

Actions

Send by e-mail Copy link

Also available in: Atom PDF

Project

Profile

Help

Pulp

Agile boards

Custom queries

Task #8704

Installer: create a key for pulp to use when encrypting sensitive db fields

Updated by daviddavis over 3 years ago

Updated by daviddavis over 3 years ago

Updated by mdepaulo@redhat.com over 3 years ago

Updated by daviddavis over 3 years ago

Updated by daviddavis over 3 years ago

Updated by mdepaulo@redhat.com over 3 years ago

Updated by rchan over 3 years ago

Updated by daviddavis over 3 years ago

Updated by rchan over 3 years ago

Updated by pulpbot over 3 years ago

Added by Mike DePaulo over 3 years ago

Added by Mike DePaulo over 3 years ago

Updated by daviddavis over 3 years ago

Updated by Anonymous over 3 years ago

Added by daviddavis over 3 years ago

Added by daviddavis over 3 years ago

Updated by pulpbot over 3 years ago

Updated by bmbouter over 3 years ago

Added by William Bradford Clark over 3 years ago

Added by William Bradford Clark over 3 years ago

Added by William Bradford Clark over 3 years ago

Added by William Bradford Clark over 3 years ago

Added by William Bradford Clark over 3 years ago

Added by William Bradford Clark over 3 years ago

Updated by bmbouter over 3 years ago

Updated by daviddavis over 3 years ago