util: add VolumeEncryption.StoreCryptoPassphrase()
The new StoreCryptoPassphrase() method makes it possible to take an unencrypted passphrase, encrypt it, and store the encrypted form in the DEKStore. Cloning volumes will use this, because the passphrase of the original volume needs to be copied as part of the metadata for the new volume. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
b6aa19eea5
commit
7e6feecc25
@ -185,13 +185,9 @@ func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error)
|
|||||||
return encyptedDEK, nil
|
return encyptedDEK, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
|
// StoreCryptoPassphrase takes an unencrypted passphrase, encrypts it and saves
|
||||||
func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
|
// it in the DEKStore.
|
||||||
passphrase, err := generateNewEncryptionPassphrase()
|
func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) error {
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
encryptedPassphrase, err := ve.KMS.EncryptDEK(volumeID, passphrase)
|
encryptedPassphrase, err := ve.KMS.EncryptDEK(volumeID, passphrase)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed encrypt the passphrase for %s: %w", volumeID, err)
|
return fmt.Errorf("failed encrypt the passphrase for %s: %w", volumeID, err)
|
||||||
@ -204,6 +200,16 @@ func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
|
||||||
|
func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
|
||||||
|
passphrase, err := generateNewEncryptionPassphrase()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return ve.StoreCryptoPassphrase(volumeID, passphrase)
|
||||||
|
}
|
||||||
|
|
||||||
// GetCryptoPassphrase Retrieves passphrase to encrypt volume.
|
// GetCryptoPassphrase Retrieves passphrase to encrypt volume.
|
||||||
func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) {
|
func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) {
|
||||||
passphrase, err := ve.dekStore.FetchDEK(volumeID)
|
passphrase, err := ve.dekStore.FetchDEK(volumeID)
|
||||||
|
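Review bot: StoreCryptoPassphrase (first hunk, new signature row `func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) error`) accepts a caller-supplied plaintext passphrase but never rejects an empty one, so a caller that passes an empty string — for example if fetching the source volume's passphrase during a clone yielded nothing — would have an empty DEK encrypted and stored for the new volume; a guard at the top, `if passphrase == "" { return fmt.Errorf("refusing to store an empty passphrase for %s", volumeID) }`, keeps that failure at this layer. The doc comment should also spell out what the cloning use case implies: the passphrase is re-encrypted under the KMS context of the given volumeID, so a source volume and its clone end up sharing the same key material. In the second hunk the retained comment on StoreNewCryptoPassphrase still says the passphrase is "saved in the KMS", which now disagrees with the new comment a few rows above that says DEKStore; `// StoreNewCryptoPassphrase generates a new passphrase and stores it encrypted via StoreCryptoPassphrase.` would match. The body of StoreCryptoPassphrase continues between the two hunks (the dekStore store call is not shown), so the check would go before the EncryptDEK call visible here.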