util: add EncryptDEK DecryptDEK to EncryptionKMS interface

By adding these methods, a KMS can explicitly encrypt/decrypt the DEK if
there is no transparent way of doing so.

Hashicorp Vault encrypts the DEK when it is stored, and decrypts it when
fetched. Therefore there is no need to do any encryption in this case.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2021-02-17 11:57:31 +01:00 committed by mergify[bot]
parent cffec0b3f3
commit 6915624380


@ -127,6 +127,17 @@ type EncryptionKMS interface {
// returns DEKStoreIntegrated, otherwise you will need to configure an // returns DEKStoreIntegrated, otherwise you will need to configure an
// alternative storage for the DEKs. // alternative storage for the DEKs.
requiresDEKStore() DEKStoreType requiresDEKStore() DEKStoreType
// EncryptDEK provides a way for a KMS to encrypt a DEK. In case the
// encryption is done transparently inside the KMS service, the
// function can return an unencrypted value.
EncryptDEK(volumeID, plainDEK string) (string, error)
// DecryptDEK provides a way for a KMS to decrypt a DEK. In case the
// encryption is done transparently inside the KMS service, the
// function does not need to do anything except return the encyptedDEK
// as it was received.
DecryptDEK(volumeID, encyptedDEK string) (string, error)
} }
// DEKStoreType describes what DEKStore needs to be configured when using a // DEKStoreType describes what DEKStore needs to be configured when using a
@ -160,7 +171,17 @@ type DEKStore interface {
// configuration options. // configuration options.
type integratedDEK struct{} type integratedDEK struct{}
func (i integratedDEK) requiresDEKStore() DEKStoreType { return DEKStoreIntegrated } func (i integratedDEK) requiresDEKStore() DEKStoreType {
return DEKStoreIntegrated
}
func (i integratedDEK) EncryptDEK(volumeID, plainDEK string) (string, error) {
return plainDEK, nil
}
func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error) {
return encyptedDEK, nil
}
// GetKMS returns an instance of Key Management System. // GetKMS returns an instance of Key Management System.
// //
@ -229,7 +250,12 @@ func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err) return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
} }
err = ve.dekStore.StoreDEK(volumeID, passphrase) encryptedPassphrase, err := ve.KMS.EncryptDEK(volumeID, passphrase)
if err != nil {
return fmt.Errorf("failed encrypt the passphrase for %s: %w", volumeID, err)
}
err = ve.dekStore.StoreDEK(volumeID, encryptedPassphrase)
if err != nil { if err != nil {
return fmt.Errorf("failed to save the passphrase for %s: %w", volumeID, err) return fmt.Errorf("failed to save the passphrase for %s: %w", volumeID, err)
} }
@ -242,7 +268,8 @@ func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error)
if err != nil { if err != nil {
return "", err return "", err
} }
return passphrase, nil
return ve.KMS.DecryptDEK(volumeID, passphrase)
} }
// generateNewEncryptionPassphrase generates a random passphrase for encryption. // generateNewEncryptionPassphrase generates a random passphrase for encryption.
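Review bot: The EncryptDEK doc comment on the EncryptionKMS interface leaves it to each implementation whether the DEK is protected before it leaves the process: integratedDEK.EncryptDEK returns plainDEK unchanged, and StoreNewCryptoPassphrase hands whatever EncryptDEK returns straight to ve.dekStore.StoreDEK, so a KMS that reports a non-integrated DEKStore but also returns the plain value would have its DEK written to that store in clear. I would tighten the contract in the interface comment: `// Implementations whose requiresDEKStore() is not DEKStoreIntegrated must return ciphertext here, since the result is passed unchanged to DEKStore.StoreDEK.` The parameter is spelled `encyptedDEK` in both the interface method DecryptDEK and integratedDEK.DecryptDEK; `encryptedDEK` would match the doc comments. The new error message in StoreNewCryptoPassphrase, `"failed encrypt the passphrase for %s: %w"`, is missing "to". In GetCryptoPassphrase the local named `passphrase` now holds the value read back from the store, which may be ciphertext, so a name such as `storedDEK` would read better; that function's start and the start of StoreNewCryptoPassphrase lie outside their hunks.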