feat: encryption keys in database (#3265)

* enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message
2025-08-12 05:17:33 +00:00 · 2022-03-14 07:55:09 +01:00
parent 7899a0b851
commit 5463244376
57 changed files with 1618 additions and 471 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -20,13 +20,19 @@ Database:
    Username: zitadel
    Password: ""
    SSL:
-      Mode: diabled
+      Mode: disable
      RootCert: ""
      Cert: ""
      Key: ""

 AdminUser:
  Username: root
+  Password: ""
+  SSL:
+    Mode: disable
+    RootCert: ""
+    Cert: ""
+    Key: ""

 Projections:
  Config:
@@ -38,10 +44,6 @@ Projections:
    Customizations:
      projects:
        BulkLimit: 2000
-  KeyConfig:
-    # We don't need an EncryptionKey but DecryptionKeys (and load them via env)
-    DecryptionKeyIDs:
-    Path: ""

 AuthZ:
  Repository:
@@ -66,8 +68,6 @@ Admin:

 UserAgentCookie:
  Name: zitadel.useragent
-  Key:
-    EncryptionKeyID:
  MaxAge: 8760h #365*24h (1 year)

 OIDC:
@@ -84,19 +84,11 @@ OIDC:
  Cache:
    MaxAge: 12h
    SharedMaxAge: 168h #7d
-  KeyConfig:
-    EncryptionKeyID: ""
-    DecryptionKeyIDs:
-    Path: ""
  CustomEndpoints:

 Login:
  LanguageCookieName: zitadel.login.lang
-  CSRF:
-    CookieName: zitadel.login.csrf
-    Development: true
-    Key:
-      EncryptionKeyID:
+  CSRFCookieName: zitadel.login.csrf
  Cache:
    MaxAge: 12h
    SharedMaxAge: 168h #7d
@@ -118,6 +110,31 @@ Notification:
      FailureCountUntilSkip: 5
      Handlers:

+EncryptionKeys:
+  DomainVerification:
+    EncryptionKeyID: "domainVerificationKey"
+    DecryptionKeyIDs:
+  IDPConfig:
+    EncryptionKeyID: "idpConfigKey"
+    DecryptionKeyIDs:
+  OIDC:
+    EncryptionKeyID: "oidcKey"
+    DecryptionKeyIDs:
+  OTP:
+    EncryptionKeyID: "otpKey"
+    DecryptionKeyIDs:
+  SMS:
+    EncryptionKeyID: "smsKey"
+    DecryptionKeyIDs:
+  SMTP:
+    EncryptionKeyID: "smtpKey"
+    DecryptionKeyIDs:
+  User:
+    EncryptionKeyID: "userKey"
+    DecryptionKeyIDs:
+  CSRFCookieKeyID: "csrfCookieKey"
+  UserAgentCookieKeyID: "userAgentCookieKey"
+
 #TODO: configure as soon as possible
 #AssetStorage:
 #  Type: $ZITADEL_ASSET_STORAGE_TYPE
@@ -137,73 +154,14 @@ SystemDefaults:
  ZitadelDocs:
    Issuer: $ZITADEL_ISSUER
    DiscoveryEndpoint: '$ZITADEL_ISSUER/.well-known/openid-configuration'
-  UserVerificationKey:
-    EncryptionKeyID: $ZITADEL_USER_VERIFICATION_KEY
-  IDPConfigVerificationKey:
-    EncryptionKeyID: $ZITADEL_IDP_CONFIG_VERIFICATION_KEY
-  SMTPPasswordVerificationKey:
-    EncryptionKeyID: $ZITADEL_SMTP_PASSWORD_VERIFICATION_KEY
-  SMSVerificationKey:
-    EncryptionKeyID: $ZITADEL_SMS_VERIFICATION_KEY
  SecretGenerators:
    PasswordSaltCost: 14
-    ClientSecretGenerator:
-      Length: 64
-      IncludeLowerLetters: true
-      IncludeUpperLetters: true
-      IncludeDigits: true
-      IncludeSymbols: false
-    InitializeUserCode:
-      Length: 6
-      Expiry: '72h'
-      IncludeLowerLetters: false
-      IncludeUpperLetters: true
-      IncludeDigits: true
-      IncludeSymbols: false
-    EmailVerificationCode:
-      Length: 6
-      Expiry: '1h'
-      IncludeLowerLetters: false
-      IncludeUpperLetters: true
-      IncludeDigits: true
-      IncludeSymbols: false
-    PhoneVerificationCode:
-      Length: 6
-      Expiry: '1h'
-      IncludeLowerLetters: false
-      IncludeUpperLetters: true
-      IncludeDigits: true
-      IncludeSymbols: false
-    PasswordVerificationCode:
-      Length: 6
-      Expiry: '1h'
-      IncludeLowerLetters: false
-      IncludeUpperLetters: true
-      IncludeDigits: true
-      IncludeSymbols: false
-    PasswordlessInitCode:
-      Length: 12
-      Expiry: '1h'
-      IncludeLowerLetters: true
-      IncludeUpperLetters: true
-      IncludeDigits: true
-      IncludeSymbols: false
    MachineKeySize: 2048
    ApplicationKeySize: 2048
  Multifactors:
    OTP:
      Issuer: 'ZITADEL'
-      VerificationKey:
-        EncryptionKeyID: $ZITADEL_OTP_VERIFICATION_KEY
-  VerificationLifetimes:
-    PasswordCheck: 240h #10d
-    ExternalLoginCheck: 240h #10d
-    MFAInitSkip: 720h #30d
-    SecondFactorCheck: 18h
-    MultiFactorCheck: 12h
  DomainVerification:
-    VerificationKey:
-      EncryptionKeyID: $ZITADEL_DOMAIN_VERIFICATION_KEY
    VerificationGenerator:
      Length: 32
      IncludeLowerLetters: true
@@ -211,38 +169,13 @@ SystemDefaults:
      IncludeDigits: true
      IncludeSymbols: false
  Notifications:
-    #    DebugMode: $DEBUG_MODE
    Endpoints:
      InitCode: '$ZITADEL_ACCOUNTS/user/init?userID={{.UserID}}&code={{.Code}}&passwordset={{.PasswordSet}}'
      PasswordReset: '$ZITADEL_ACCOUNTS/password/init?userID={{.UserID}}&code={{.Code}}'
      VerifyEmail: '$ZITADEL_ACCOUNTS/mail/verification?userID={{.UserID}}&code={{.Code}}'
      DomainClaimed: '$ZITADEL_ACCOUNTS/login'
      PasswordlessRegistration: '$ZITADEL_ACCOUNTS/login/passwordless/init'
-    Providers:
-      Email:
-        SMTP:
-          Host: $SMTP_HOST
-          User: $SMTP_USER
-          Password: $SMTP_PASSWORD
-        From: $EMAIL_SENDER_ADDRESS
-        FromName: $EMAIL_SENDER_NAME
-      #        Tls: $SMTP_TLS
-      Twilio:
-        SID: $TWILIO_SERVICE_SID
-        Token: $TWILIO_TOKEN
-        From: $TWILIO_SENDER_NAME
-      FileSystem:
-        #        Enabled: $FS_NOTIFICATIONS_ENABLED
-        Path: $FS_NOTIFICATIONS_PATH
-      #        Compact: $FS_NOTIFICATIONS_COMPACT
-      Log:
-      #        Enabled: $LOG_NOTIFICATIONS_ENABLED
-      #        Compact: $LOG_NOTIFICATIONS_COMPACT
-      Chat:
-        #        Enabled: $CHAT_ENABLED
-        Url: $CHAT_URL
-        #        Compact: $CHAT_COMPACT
-        SplitCount: 4000
+    FileSystemPath: '.notifications/'
  KeyConfig:
    Size: 2048
    PrivateKeyLifetime: 6h