util: add VolumeEncryption.StoreCryptoPassphrase()

The new StoreCryptoPassphrase() method makes it possible to store an
unencrypted passphrase newly encrypted in the DEKStore.

Cloning volumes will use this, as the passphrase from the original
volume will need to get copied as part of the metadata for the volume.

Signed-off-by: Niels de Vos <ndevos@redhat.com>

internal/util/crypto.go

@@ -185,13 +185,9 @@ func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error)
 	return encyptedDEK, nil
 }
 
-// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
+// StoreCryptoPassphrase takes an unencrypted passphrase, encrypts it and saves
-func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
+// it in the DEKStore.
-	passphrase, err := generateNewEncryptionPassphrase()
+func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) error {
-	if err != nil {
-		return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
-	}
-
 	encryptedPassphrase, err := ve.KMS.EncryptDEK(volumeID, passphrase)
 	if err != nil {
 		return fmt.Errorf("failed encrypt the passphrase for %s: %w", volumeID, err)
@@ -204,6 +200,16 @@ func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
 	return nil
 }
 
+// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
+func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
+	passphrase, err := generateNewEncryptionPassphrase()
+	if err != nil {
+		return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
+	}
+
+	return ve.StoreCryptoPassphrase(volumeID, passphrase)
+}
+
 // GetCryptoPassphrase Retrieves passphrase to encrypt volume.
 func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) {
 	passphrase, err := ve.dekStore.FetchDEK(volumeID)