mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 02:50:30 +00:00
util: Make encryption passphrase size a parameter
fscrypt support requires keys longer than 20 bytes. As a preparation, make the new passphrase length configurable, but default to 20 bytes. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
This commit is contained in:
parent
69eb6e40dc
commit
fe4821435e
@ -61,6 +61,8 @@ const (
|
||||
// DEK is stored.
|
||||
metadataDEK = "rbd.csi.ceph.com/dek"
|
||||
oldMetadataDEK = ".rbd.csi.ceph.com/dek"
|
||||
|
||||
encryptionPassphraseSize = 20
|
||||
)
|
||||
|
||||
// checkRbdImageEncrypted verifies if rbd image was encrypted when created.
|
||||
@ -100,7 +102,7 @@ func (ri *rbdImage) isEncrypted() bool {
|
||||
// - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
|
||||
// - the RBD image will be marked to support encryption in its metadata.
|
||||
func (ri *rbdImage) setupEncryption(ctx context.Context) error {
|
||||
err := ri.encryption.StoreNewCryptoPassphrase(ri.VolID)
|
||||
err := ri.encryption.StoreNewCryptoPassphrase(ri.VolID, encryptionPassphraseSize)
|
||||
if err != nil {
|
||||
log.ErrorLog(ctx, "failed to save encryption passphrase for "+
|
||||
"image %s: %s", ri, err)
|
||||
|
@ -36,7 +36,7 @@ const (
|
||||
|
||||
// Passphrase size - 20 bytes is 160 bits to satisfy:
|
||||
// https://tools.ietf.org/html/rfc6749#section-10.10
|
||||
encryptionPassphraseSize = 20
|
||||
defaultEncryptionPassphraseSize = 20
|
||||
)
|
||||
|
||||
var (
|
||||
@ -156,8 +156,8 @@ func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) e
|
||||
}
|
||||
|
||||
// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
|
||||
func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
|
||||
passphrase, err := generateNewEncryptionPassphrase()
|
||||
func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string, length int) error {
|
||||
passphrase, err := generateNewEncryptionPassphrase(length)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
|
||||
}
|
||||
@ -176,8 +176,8 @@ func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error)
|
||||
}
|
||||
|
||||
// generateNewEncryptionPassphrase generates a random passphrase for encryption.
|
||||
func generateNewEncryptionPassphrase() (string, error) {
|
||||
bytesPassphrase := make([]byte, encryptionPassphraseSize)
|
||||
func generateNewEncryptionPassphrase(length int) (string, error) {
|
||||
bytesPassphrase := make([]byte, length)
|
||||
_, err := rand.Read(bytesPassphrase)
|
||||
if err != nil {
|
||||
return "", err
|
||||
|
@ -28,14 +28,14 @@ import (
|
||||
|
||||
func TestGenerateNewEncryptionPassphrase(t *testing.T) {
|
||||
t.Parallel()
|
||||
b64Passphrase, err := generateNewEncryptionPassphrase()
|
||||
b64Passphrase, err := generateNewEncryptionPassphrase(defaultEncryptionPassphraseSize)
|
||||
require.NoError(t, err)
|
||||
|
||||
// b64Passphrase is URL-encoded, decode to verify the length of the
|
||||
// passphrase
|
||||
passphrase, err := base64.URLEncoding.DecodeString(b64Passphrase)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, encryptionPassphraseSize, len(passphrase))
|
||||
assert.Equal(t, defaultEncryptionPassphraseSize, len(passphrase))
|
||||
}
|
||||
|
||||
func TestKMSWorkflow(t *testing.T) {
|
||||
@ -56,7 +56,7 @@ func TestKMSWorkflow(t *testing.T) {
|
||||
|
||||
volumeID := "volume-id"
|
||||
|
||||
err = ve.StoreNewCryptoPassphrase(volumeID)
|
||||
err = ve.StoreNewCryptoPassphrase(volumeID, defaultEncryptionPassphraseSize)
|
||||
assert.NoError(t, err)
|
||||
|
||||
passphrase, err := ve.GetCryptoPassphrase(volumeID)
|
||||
|
Loading…
Reference in New Issue
Block a user