diff --git a/config/config.go b/config/config.go
index 5e2abe4f..643eb617 100644
--- a/config/config.go
+++ b/config/config.go
@@ -264,8 +264,9 @@ func Init() {
 },
 KMSConfig: kms.Configuration{
 Secrets: kms.Secrets{
- URL: "",
- MasterKeyPath: "",
+ URL: "",
+ MasterKeyString: "",
+ MasterKeyPath: "",
 },
 },
 TelemetryConfig: telemetry.Conf{
@@ -1027,6 +1028,7 @@ func setViperDefaults() {
 viper.SetDefault("http.ca_certificates", globalConf.HTTPConfig.CACertificates)
 viper.SetDefault("http.skip_tls_verify", globalConf.HTTPConfig.SkipTLSVerify)
 viper.SetDefault("kms.secrets.url", globalConf.KMSConfig.Secrets.URL)
+ viper.SetDefault("kms.secrets.master_key", globalConf.KMSConfig.Secrets.MasterKeyString)
 viper.SetDefault("kms.secrets.master_key_path", globalConf.KMSConfig.Secrets.MasterKeyPath)
 viper.SetDefault("telemetry.bind_port", globalConf.TelemetryConfig.BindPort)
 viper.SetDefault("telemetry.bind_address", globalConf.TelemetryConfig.BindAddress)
diff --git a/docs/full-configuration.md b/docs/full-configuration.md
index f8f5d93b..abd13dab 100644
--- a/docs/full-configuration.md
+++ b/docs/full-configuration.md
@@ -236,8 +236,9 @@ The configuration file contains the following sections:
 - `url`, string, optional. If not empty, the header will be added only if the request URL starts with the one specified here
 - **kms**, configuration for the Key Management Service, more details can be found [here](./kms.md)
 - `secrets`
- - `url`
- - `master_key_path`
+ - `url`, string. Defines the URI to the KMS service. Default empty.
+ - `master_key`, string. Defines the master encryption key as string. If not empty, it takes precedence over `master_key_path`. Default empty.
+ - `master_key_path, string. Defines the absolute path to a file containing the master encryption key. Default empty.
 - **plugins**, list of external plugins. Each plugin is configured using a struct with the following fields:
 - `type`, string. Defines the plugin type. Supported types: `notifier`, `kms`.
 - `notifier_options`, struct. Defines the options for notifier plugins.
diff --git a/docs/kms.md b/docs/kms.md
index f2c53ae8..9733689c 100644
--- a/docs/kms.md
+++ b/docs/kms.md
@@ -7,6 +7,7 @@ SFTPGo stores sensitive data such as Cloud account credentials or passphrases to
 The `secrets` section of the `kms` configuration allows to configure how to encrypt and decrypt sensitive data. The following configuration parameters are available:
 - `url` defines the URI to the KMS service
+- `master_key`, defines the master encryption key as string. If not empty, it takes precedence over `master_key_path`.
 - `master_key_path` defines the absolute path to a file containing the master encryption key. This could be, for example, a docker secrets or a file protected with filesystem level permissions.
 ### Local provider
diff --git a/kms/kms.go b/kms/kms.go
index 40d054c9..7daad444 100644
--- a/kms/kms.go
+++ b/kms/kms.go
@@ -78,9 +78,10 @@ type Configuration struct {
 
 // Secrets define the KMS configuration for encryption/decryption
 type Secrets struct {
- URL string `json:"url" mapstructure:"url"`
- MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
- masterKey string
+ URL string `json:"url" mapstructure:"url"`
+ MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
+ MasterKeyString string `json:"master_key" mapstructure:"master_key"`
+ masterKey string
 }
 
 type registeredSecretProvider struct {
@@ -135,7 +136,10 @@ func GetSecretFromCompatString(secret string) (*Secret, error) {
 
 // Initialize configures the KMS support
 func (c *Configuration) Initialize() error {
- if c.Secrets.MasterKeyPath != "" {
+ if c.Secrets.MasterKeyString != "" {
+ c.Secrets.masterKey = c.Secrets.MasterKeyString
+ }
+ if c.Secrets.masterKey == "" && c.Secrets.MasterKeyPath != "" {
 mKey, err := os.ReadFile(c.Secrets.MasterKeyPath)
 if err != nil {
 return err
diff --git a/sftpgo.json b/sftpgo.json
index d18e910a..73e060cc 100644
--- a/sftpgo.json
+++ b/sftpgo.json
@@ -225,6 +225,7 @@
 "kms": {
 "secrets": {
 "url": "",
+ "master_key": "",
 "master_key_path": ""
 }
 },
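Review bot: The new exported field `MasterKeyString` holds the master key in plaintext and, unlike the unexported `masterKey`, carries a `json:"master_key"` tag, so the key is emitted whenever a `Secrets` (or the enclosing `Configuration`) value is JSON-marshalled — a configuration dump, a `%+v` debug log, or any endpoint that returns the running configuration. Nothing in this hunk masks it; since the `mapstructure:"master_key"` tag appears to be what config loading relies on (the config.go hunks register the key through viper), it is worth confirming whether the `json` tag is needed at all, or whether `json:"-"` or a `MarshalJSON` that redacts the value is the safer choice. The field also has no doc comment; suggest `// MasterKeyString is the master encryption key as a plaintext string; when not empty it takes precedence over MasterKeyPath` so the precedence and the sensitivity are visible at the declaration.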
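Review bot: The new guard `if c.Secrets.masterKey == "" && c.Secrets.MasterKeyPath != ""` silently ignores a configured `MasterKeyPath` once `MasterKeyString` is set, and the doc comment `// Initialize configures the KMS support` does not state this precedence; suggest `// Initialize configures the KMS support. MasterKeyString, when not empty, takes precedence over MasterKeyPath.` The string value is copied into `masterKey` verbatim, while the handling of the bytes read from `MasterKeyPath` continues past the hunk, so it cannot be confirmed here that both sources go through the same normalization (for example trimming a trailing newline) and yield the same key for the same material; a short test exercising both paths with identical key material would pin that. Initialize's body continues outside the hunk.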