KMS: allow to provide the master encryption key as string

This commit is contained in:
Nicola Murino 2021-07-17 15:34:48 +02:00
parent 030507a2ce
commit 5a568b4077
No known key found for this signature in database
GPG key ID: 2F1FB59433D5A8CB
5 changed files with 17 additions and 8 deletions

View file

@ -264,8 +264,9 @@ func Init() {
},
KMSConfig: kms.Configuration{
Secrets: kms.Secrets{
URL: "",
MasterKeyPath: "",
URL: "",
MasterKeyString: "",
MasterKeyPath: "",
},
},
TelemetryConfig: telemetry.Conf{
@ -1027,6 +1028,7 @@ func setViperDefaults() {
viper.SetDefault("http.ca_certificates", globalConf.HTTPConfig.CACertificates)
viper.SetDefault("http.skip_tls_verify", globalConf.HTTPConfig.SkipTLSVerify)
viper.SetDefault("kms.secrets.url", globalConf.KMSConfig.Secrets.URL)
viper.SetDefault("kms.secrets.master_key", globalConf.KMSConfig.Secrets.MasterKeyString)
viper.SetDefault("kms.secrets.master_key_path", globalConf.KMSConfig.Secrets.MasterKeyPath)
viper.SetDefault("telemetry.bind_port", globalConf.TelemetryConfig.BindPort)
viper.SetDefault("telemetry.bind_address", globalConf.TelemetryConfig.BindAddress)

View file

@ -236,8 +236,9 @@ The configuration file contains the following sections:
- `url`, string, optional. If not empty, the header will be added only if the request URL starts with the one specified here
- **kms**, configuration for the Key Management Service, more details can be found [here](./kms.md)
- `secrets`
- `url`
- `master_key_path`
- `url`, string. Defines the URI to the KMS service. Default empty.
- `master_key`, string. Defines the master encryption key as string. If not empty, it takes precedence over `master_key_path`. Default empty.
- `master_key_path, string. Defines the absolute path to a file containing the master encryption key. Default empty.
- **plugins**, list of external plugins. Each plugin is configured using a struct with the following fields:
- `type`, string. Defines the plugin type. Supported types: `notifier`, `kms`.
- `notifier_options`, struct. Defines the options for notifier plugins.

View file

@ -7,6 +7,7 @@ SFTPGo stores sensitive data such as Cloud account credentials or passphrases to
The `secrets` section of the `kms` configuration allows to configure how to encrypt and decrypt sensitive data. The following configuration parameters are available:
- `url` defines the URI to the KMS service
- `master_key`, defines the master encryption key as string. If not empty, it takes precedence over `master_key_path`.
- `master_key_path` defines the absolute path to a file containing the master encryption key. This could be, for example, a docker secrets or a file protected with filesystem level permissions.
### Local provider

View file

@ -78,9 +78,10 @@ type Configuration struct {
// Secrets define the KMS configuration for encryption/decryption
type Secrets struct {
URL string `json:"url" mapstructure:"url"`
MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
masterKey string
URL string `json:"url" mapstructure:"url"`
MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
MasterKeyString string `json:"master_key" mapstructure:"master_key"`
masterKey string
}
type registeredSecretProvider struct {
@ -135,7 +136,10 @@ func GetSecretFromCompatString(secret string) (*Secret, error) {
// Initialize configures the KMS support
func (c *Configuration) Initialize() error {
if c.Secrets.MasterKeyPath != "" {
if c.Secrets.MasterKeyString != "" {
c.Secrets.masterKey = c.Secrets.MasterKeyString
}
if c.Secrets.masterKey == "" && c.Secrets.MasterKeyPath != "" {
mKey, err := os.ReadFile(c.Secrets.MasterKeyPath)
if err != nil {
return err

View file

@ -225,6 +225,7 @@
"kms": {
"secrets": {
"url": "",
"master_key": "",
"master_key_path": ""
}
},