feat: encryption keys in database (#3265)

* enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message
2025-08-11 19:07:30 +00:00 · 2022-03-14 07:55:09 +01:00
parent 7899a0b851
commit 5463244376
57 changed files with 1618 additions and 471 deletions
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -54,28 +54,33 @@ type orgFeatureChecker interface {
 	CheckOrgFeatures(ctx context.Context, orgID string, requiredFeatures ...string) error
 }

-func StartCommands(
-	es *eventstore.Eventstore,
+func StartCommands(es *eventstore.Eventstore,
 	defaults sd.SystemDefaults,
 	authZConfig authz.Config,
 	staticStore static.Storage,
 	authZRepo authz_repo.Repository,
-	keyConfig *crypto.KeyConfig,
 	webAuthN webauthn_helper.Config,
-	smtpPasswordEncAlg crypto.EncryptionAlgorithm,
-	smsHashAlg crypto.EncryptionAlgorithm,
+	idpConfigEncryption,
+	otpEncryption,
+	smtpEncryption,
+	smsEncryption,
+	domainVerificationEncryption,
+	oidcEncryption crypto.EncryptionAlgorithm,
 ) (repo *Commands, err error) {
 	repo = &Commands{
-		eventstore:         es,
-		static:             staticStore,
-		idGenerator:        id.SonyFlakeGenerator,
-		iamDomain:          defaults.Domain,
-		zitadelRoles:       authZConfig.RolePermissionMappings,
-		keySize:            defaults.KeyConfig.Size,
-		privateKeyLifetime: defaults.KeyConfig.PrivateKeyLifetime,
-		publicKeyLifetime:  defaults.KeyConfig.PublicKeyLifetime,
-		smtpPasswordCrypto: smtpPasswordEncAlg,
-		smsCrypto:          smsHashAlg,
+		eventstore:            es,
+		static:                staticStore,
+		idGenerator:           id.SonyFlakeGenerator,
+		iamDomain:             defaults.Domain,
+		zitadelRoles:          authZConfig.RolePermissionMappings,
+		keySize:               defaults.KeyConfig.Size,
+		privateKeyLifetime:    defaults.KeyConfig.PrivateKeyLifetime,
+		publicKeyLifetime:     defaults.KeyConfig.PublicKeyLifetime,
+		idpConfigSecretCrypto: idpConfigEncryption,
+		smtpPasswordCrypto:    smtpEncryption,
+		smsCrypto:             smsEncryption,
+		domainVerificationAlg: domainVerificationEncryption,
+		keyAlgorithm:          oidcEncryption,
 	}
 	iam_repo.RegisterEventMappers(repo.eventstore)
 	org.RegisterEventMappers(repo.eventstore)
@@ -85,30 +90,17 @@ func StartCommands(
 	keypair.RegisterEventMappers(repo.eventstore)
 	action.RegisterEventMappers(repo.eventstore)

-	repo.idpConfigSecretCrypto, err = crypto.NewAESCrypto(defaults.IDPConfigVerificationKey)
-	if err != nil {
-		return nil, err
-	}
-
 	repo.userPasswordAlg = crypto.NewBCrypt(defaults.SecretGenerators.PasswordSaltCost)
 	repo.machineKeySize = int(defaults.SecretGenerators.MachineKeySize)
 	repo.applicationKeySize = int(defaults.SecretGenerators.ApplicationKeySize)

-	aesOTPCrypto, err := crypto.NewAESCrypto(defaults.Multifactors.OTP.VerificationKey)
-	if err != nil {
-		return nil, err
-	}
 	repo.multifactors = domain.MultifactorConfigs{
 		OTP: domain.OTPConfig{
-			CryptoMFA: aesOTPCrypto,
+			CryptoMFA: otpEncryption,
 			Issuer:    defaults.Multifactors.OTP.Issuer,
 		},
 	}

-	repo.domainVerificationAlg, err = crypto.NewAESCrypto(defaults.DomainVerification.VerificationKey)
-	if err != nil {
-		return nil, err
-	}
 	repo.domainVerificationGenerator = crypto.NewEncryptionGenerator(defaults.DomainVerification.VerificationGenerator, repo.domainVerificationAlg)
 	repo.domainVerificationValidator = http.ValidateDomain
 	web, err := webauthn_helper.StartServer(webAuthN)
@@ -117,12 +109,6 @@ func StartCommands(
 	}
 	repo.webauthn = web

-	keyAlgorithm, err := crypto.NewAESCrypto(keyConfig)
-	if err != nil {
-		return nil, err
-	}
-	repo.keyAlgorithm = keyAlgorithm
-
 	repo.tokenVerifier = authZRepo
 	return repo, nil
 }