kms: Add GetSecret() to metadata KMS

Add GetSecret() to allow direct access to passphrases without KDF and wrapping by a DEKStore. This will be used by fscrypt, which has its own KDF and wrapping. It will allow users to take a k8s secret, for example, and use that directly as a password in fscrypt. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
2024-11-10 00:10:20 +00:00 · 2022-03-11 19:51:18 +01:00 · 2022-03-11 19:51:18 +01:00 · cb02a9beb9
commit cb02a9beb9
parent 0599089de0
4 changed files with 28 additions and 0 deletions
--- a/internal/kms/aws_metadata.go
+++ b/internal/kms/aws_metadata.go
@ -226,3 +226,7 @@ func (kms *awsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, er

 	return string(result.Plaintext), nil
 }
+
+func (kms *awsMetadataKMS) GetSecret(volumeID string) (string, error) {
+	return "", ErrGetSecretUnsupported
+}
--- a/internal/kms/keyprotect.go
+++ b/internal/kms/keyprotect.go
@ -242,3 +242,7 @@ func (kms *keyProtectKMS) DecryptDEK(volumeID, encryptedDEK string) (string, err

 	return string(result), nil
 }
+
+func (kms *keyProtectKMS) GetSecret(volumeID string) (string, error) {
+	return "", ErrGetSecretUnsupported
+}
--- a/internal/kms/kms.go
+++ b/internal/kms/kms.go
@ -19,6 +19,7 @@ package kms
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"

@ -53,6 +54,11 @@ const (
 	DefaultKMSType = "default"
 )

+var (
+	ErrGetSecretUnsupported = errors.New("KMS does not support access to user provided secret")
+	ErrGetSecretIntegrated  = errors.New("integrated DEK stores do not allow GetSecret")
+)
+
 // GetKMS returns an instance of Key Management System.
 //
 // - tenant is the owner of the Volume, used to fetch the Vault Token from the
@ -332,6 +338,11 @@ type EncryptionKMS interface {
 	// function does not need to do anything except return the encyptedDEK
 	// as it was received.
 	DecryptDEK(volumeID, encyptedDEK string) (string, error)
+
+	// GetSecret allows external key management systems to
+	// retrieve keys used in EncryptDEK / DecryptDEK to use them
+	// directly. Example: fscrypt uses this to unlock raw protectors
+	GetSecret(volumeID string) (string, error)
 }

 // DEKStoreType describes what DEKStore needs to be configured when using a
@ -377,6 +388,10 @@ func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error)
 	return encyptedDEK, nil
 }

+func (i integratedDEK) GetSecret(volumeID string) (string, error) {
+	return "", ErrGetSecretIntegrated
+}
+
 // getKeys takes a map that uses strings for keys and returns a slice with the
 // keys.
 func getKeys(m map[string]interface{}) []string {
--- a/internal/kms/secretskms.go
+++ b/internal/kms/secretskms.go
@ -263,6 +263,11 @@ func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string,
 	return string(dek), nil
 }

+func (kms secretsMetadataKMS) GetSecret(volumeID string) (string, error) {
+	// use the passphrase from the secretKMS
+	return kms.secretsKMS.FetchDEK(volumeID)
+}
+
 // generateCipher returns a AEAD cipher based on a passphrase and salt
 // (volumeID). The cipher can then be used to encrypt/decrypt the DEK.
 func generateCipher(passphrase, salt string) (cipher.AEAD, error) {