From 7e6feecc25f2edd408495b168b64a539f6d52119 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Fri, 12 Mar 2021 15:06:27 +0100
Subject: [PATCH] util: add VolumeEncryption.StoreCryptoPassphrase()

The new StoreCryptoPassphrase() method makes it possible to store an unencrypted passphrase newly encrypted in the DEKStore. Cloning volumes will use this, as the passphrase from the original volume will need to get copied as part of the metadata for the volume.

Signed-off-by: Niels de Vos
---
 internal/util/crypto.go | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index 452cb1494..83adc354d 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -185,13 +185,9 @@ func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error)
 return encyptedDEK, nil
 }
 
-// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
-func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
- passphrase, err := generateNewEncryptionPassphrase()
- if err != nil {
- return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
- }
-
+// StoreCryptoPassphrase takes an unencrypted passphrase, encrypts it and saves
+// it in the DEKStore.
+func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) error {
 encryptedPassphrase, err := ve.KMS.EncryptDEK(volumeID, passphrase)
 if err != nil {
 return fmt.Errorf("failed encrypt the passphrase for %s: %w", volumeID, err)
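Review bot: StoreCryptoPassphrase now takes a caller-supplied passphrase but passes it straight to ve.KMS.EncryptDEK without rejecting an empty string, so a caller handing in "" would have that empty value encrypted and persisted as though it were a real key; the old code never faced this because generateNewEncryptionPassphrase() was the only source. A guard at the top of the function, `if passphrase == "" { return fmt.Errorf("empty passphrase for %s", volumeID) }`, keeps the invariant the removed code had. The doc comment could also state that the passphrase is expected to be the existing one of a volume being cloned, as the commit message explains, so that the method is not mistaken for a general "set your own key" entry point. The function body continues past the end of this hunk.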
@@ -204,6 +200,16 @@ func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
 return nil
 }
 
+// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
+func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
+ passphrase, err := generateNewEncryptionPassphrase()
+ if err != nil {
+ return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
+ }
+
+ return ve.StoreCryptoPassphrase(volumeID, passphrase)
+}
+
 // GetCryptoPassphrase Retrieves passphrase to encrypt volume.
 func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) {
 passphrase, err := ve.dekStore.FetchDEK(volumeID)
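Review bot: The doc comment on the re-added StoreNewCryptoPassphrase still says the passphrase is saved "in the KMS", while StoreCryptoPassphrase, which it now delegates to, is documented in the previous hunk as encrypting with the KMS and saving in the DEKStore; the two comments should agree so a reader knows where the secret actually ends up. Suggest `// StoreNewCryptoPassphrase generates a new passphrase, encrypts it with the KMS and stores the result in the DEKStore.` The rest of the hunk is a straightforward delegation and looks fine.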