From 6915624380f13591e5f22de32fbb21488d7916ef Mon Sep 17 00:00:00 2001 From: Niels de Vos Date: Wed, 17 Feb 2021 11:57:31 +0100 Subject: [PATCH] util: add EncryptDEK DecryptDEK to EncryptionKMS interface By adding these methods, a KMS can explicitly encrypt/decrypt the DEK if there is no transparent way of doing so. Hashicorp Vault encrypts the DEK when it it stored, and decrypts it when fetched. Therefor there is no need to do any encryption in this case. Signed-off-by: Niels de Vos --- internal/util/crypto.go | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/internal/util/crypto.go b/internal/util/crypto.go index bdc0e2773..65b4e424f 100644 --- a/internal/util/crypto.go +++ b/internal/util/crypto.go @@ -127,6 +127,17 @@ type EncryptionKMS interface { // returns DEKStoreIntegrated, otherwise you will need to configure an // alternative storage for the DEKs. requiresDEKStore() DEKStoreType + + // EncryptDEK provides a way for a KMS to encrypt a DEK. In case the + // encryption is done transparently inside the KMS service, the + // function can return an unencrypted value. + EncryptDEK(volumeID, plainDEK string) (string, error) + + // DecryptDEK provides a way for a KMS to decrypt a DEK. In case the + // encryption is done transparently inside the KMS service, the + // function does not need to do anything except return the encyptedDEK + // as it was received. + DecryptDEK(volumeID, encyptedDEK string) (string, error) } // DEKStoreType describes what DEKStore needs to be configured when using a @@ -160,7 +171,17 @@ type DEKStore interface { // configuration options. type integratedDEK struct{} -func (i integratedDEK) requiresDEKStore() DEKStoreType { return DEKStoreIntegrated } +func (i integratedDEK) requiresDEKStore() DEKStoreType { + return DEKStoreIntegrated +} + +func (i integratedDEK) EncryptDEK(volumeID, plainDEK string) (string, error) { + return plainDEK, nil +} + +func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error) { + return encyptedDEK, nil +} // GetKMS returns an instance of Key Management System. // @@ -229,7 +250,12 @@ func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error { return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err) } - err = ve.dekStore.StoreDEK(volumeID, passphrase) + encryptedPassphrase, err := ve.KMS.EncryptDEK(volumeID, passphrase) + if err != nil { + return fmt.Errorf("failed encrypt the passphrase for %s: %w", volumeID, err) + } + + err = ve.dekStore.StoreDEK(volumeID, encryptedPassphrase) if err != nil { return fmt.Errorf("failed to save the passphrase for %s: %w", volumeID, err) } @@ -242,7 +268,8 @@ func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) if err != nil { return "", err } - return passphrase, nil + + return ve.KMS.DecryptDEK(volumeID, passphrase) } // generateNewEncryptionPassphrase generates a random passphrase for encryption.