feat: encryption keys in database (#3265)

* enable overwrite of adminUser fields in defaults.yaml * create schema and table * cli: create keys * cli: create keys * read encryptionkey from db * merge v2 * file names * cleanup defaults.yaml * remove custom errors * load encryptionKeys on start * cleanup * fix merge * update system defaults * fix error message
2025-08-12 01:37:31 +00:00 · 2022-03-14 07:55:09 +01:00
parent 7899a0b851
commit 5463244376
57 changed files with 1618 additions and 471 deletions
--- a/internal/crypto/key.go
+++ b/internal/crypto/key.go
@@ -1,51 +1,49 @@
 package crypto

 import (
-	"os"
+	"crypto/rand"

 	"github.com/caos/logging"

-	"github.com/caos/zitadel/internal/config"
 	"github.com/caos/zitadel/internal/errors"
 )

-const (
-	ZitadelKeyPath = "ZITADEL_KEY_PATH"
-)
-
 type KeyConfig struct {
 	EncryptionKeyID  string
 	DecryptionKeyIDs []string
-	Path             string
 }

 type Keys map[string]string

-func ReadKeys(path string) (Keys, error) {
-	if path == "" {
-		path = os.Getenv(ZitadelKeyPath)
-		if path == "" {
-			return nil, errors.ThrowInvalidArgument(nil, "CRYPT-56lka", "no path set")
-		}
-	}
-	keys := new(Keys)
-	err := config.Read(keys, path)
-	return *keys, err
+type Key struct {
+	ID    string
+	Value string
 }

-func LoadKey(config *KeyConfig, id string) (string, error) {
-	keys, _, err := LoadKeys(config)
+func NewKey(id string) (*Key, error) {
+	randBytes := make([]byte, 32)
+	if _, err := rand.Read(randBytes); err != nil {
+		return nil, err
+	}
+	return &Key{
+		ID:    id,
+		Value: string(randBytes),
+	}, nil
+}
+
+func LoadKey(id string, keyStorage KeyStorage) (string, error) {
+	key, err := keyStorage.ReadKey(id)
 	if err != nil {
 		return "", err
 	}
-	return keys[id], nil
+	return key.Value, nil
 }

-func LoadKeys(config *KeyConfig) (map[string]string, []string, error) {
+func LoadKeys(config *KeyConfig, keyStorage KeyStorage) (map[string]string, []string, error) {
 	if config == nil {
 		return nil, nil, errors.ThrowInvalidArgument(nil, "CRYPT-dJK8s", "config must not be nil")
 	}
-	readKeys, err := ReadKeys(config.Path)
+	readKeys, err := keyStorage.ReadKeys()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -54,7 +52,7 @@ func LoadKeys(config *KeyConfig) (map[string]string, []string, error) {
 	if config.EncryptionKeyID != "" {
 		key, ok := readKeys[config.EncryptionKeyID]
 		if !ok {
-			return nil, nil, errors.ThrowInternalf(nil, "CRYPT-v2Kas", "encryption key not found")
+			return nil, nil, errors.ThrowInternalf(nil, "CRYPT-v2Kas", "encryption key %s not found", config.EncryptionKeyID)
 		}
 		keys[config.EncryptionKeyID] = key
 		ids = append(ids, config.EncryptionKeyID)
@@ -62,7 +60,7 @@ func LoadKeys(config *KeyConfig) (map[string]string, []string, error) {
 	for _, id := range config.DecryptionKeyIDs {
 		key, ok := readKeys[id]
 		if !ok {
-			logging.Log("CRYPT-s23rf").Warnf("description key %s not found", id)
+			logging.Errorf("description key %s not found", id)
 			continue
 		}
 		keys[id] = key