KMS: allow to provide the master encryption key as string
parent
030507a2ce
commit
5a568b4077
5 changed files with 17 additions and 8 deletions
|
@ -264,8 +264,9 @@ func Init() {
|
|||
},
|
||||
KMSConfig: kms.Configuration{
|
||||
Secrets: kms.Secrets{
|
||||
URL: "",
|
||||
MasterKeyPath: "",
|
||||
URL: "",
|
||||
MasterKeyString: "",
|
||||
MasterKeyPath: "",
|
||||
},
|
||||
},
|
||||
TelemetryConfig: telemetry.Conf{
|
||||
|
@ -1027,6 +1028,7 @@ func setViperDefaults() {
|
|||
viper.SetDefault("http.ca_certificates", globalConf.HTTPConfig.CACertificates)
|
||||
viper.SetDefault("http.skip_tls_verify", globalConf.HTTPConfig.SkipTLSVerify)
|
||||
viper.SetDefault("kms.secrets.url", globalConf.KMSConfig.Secrets.URL)
|
||||
viper.SetDefault("kms.secrets.master_key", globalConf.KMSConfig.Secrets.MasterKeyString)
|
||||
viper.SetDefault("kms.secrets.master_key_path", globalConf.KMSConfig.Secrets.MasterKeyPath)
|
||||
viper.SetDefault("telemetry.bind_port", globalConf.TelemetryConfig.BindPort)
|
||||
viper.SetDefault("telemetry.bind_address", globalConf.TelemetryConfig.BindAddress)
|
||||
|
|
|
@ -236,8 +236,9 @@ The configuration file contains the following sections:
|
|||
- `url`, string, optional. If not empty, the header will be added only if the request URL starts with the one specified here
|
||||
- **kms**, configuration for the Key Management Service, more details can be found [here](./kms.md)
|
||||
- `secrets`
|
||||
- `url`
|
||||
- `master_key_path`
|
||||
- `url`, string. Defines the URI to the KMS service. Default empty.
|
||||
- `master_key`, string. Defines the master encryption key as string. If not empty, it takes precedence over `master_key_path`. Default empty.
|
||||
- `master_key_path, string. Defines the absolute path to a file containing the master encryption key. Default empty.
|
||||
- **plugins**, list of external plugins. Each plugin is configured using a struct with the following fields:
|
||||
- `type`, string. Defines the plugin type. Supported types: `notifier`, `kms`.
|
||||
- `notifier_options`, struct. Defines the options for notifier plugins.
|
||||
|
|
|
@ -7,6 +7,7 @@ SFTPGo stores sensitive data such as Cloud account credentials or passphrases to
|
|||
The `secrets` section of the `kms` configuration allows to configure how to encrypt and decrypt sensitive data. The following configuration parameters are available:
|
||||
|
||||
- `url` defines the URI to the KMS service
|
||||
- `master_key`, defines the master encryption key as string. If not empty, it takes precedence over `master_key_path`.
|
||||
- `master_key_path` defines the absolute path to a file containing the master encryption key. This could be, for example, a docker secrets or a file protected with filesystem level permissions.
|
||||
|
||||
### Local provider
|
||||
|
|
12
kms/kms.go
12
kms/kms.go
|
@ -78,9 +78,10 @@ type Configuration struct {
|
|||
|
||||
// Secrets define the KMS configuration for encryption/decryption
|
||||
type Secrets struct {
|
||||
URL string `json:"url" mapstructure:"url"`
|
||||
MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
|
||||
masterKey string
|
||||
URL string `json:"url" mapstructure:"url"`
|
||||
MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
|
||||
MasterKeyString string `json:"master_key" mapstructure:"master_key"`
|
||||
masterKey string
|
||||
}
|
||||
|
||||
type registeredSecretProvider struct {
|
||||
|
@ -135,7 +136,10 @@ func GetSecretFromCompatString(secret string) (*Secret, error) {
|
|||
|
||||
// Initialize configures the KMS support
|
||||
func (c *Configuration) Initialize() error {
|
||||
if c.Secrets.MasterKeyPath != "" {
|
||||
if c.Secrets.MasterKeyString != "" {
|
||||
c.Secrets.masterKey = c.Secrets.MasterKeyString
|
||||
}
|
||||
if c.Secrets.masterKey == "" && c.Secrets.MasterKeyPath != "" {
|
||||
mKey, err := os.ReadFile(c.Secrets.MasterKeyPath)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
|
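Review bot: In the `type Secrets struct` hunk, `MasterKeyString` carries `json:"master_key"`, so the raw master key is emitted whenever a `Configuration` or `Secrets` value is marshaled with encoding/json (for example a dump of the loaded configuration), while the resolved `masterKey` stays unexported; if such marshaling happens anywhere in the project, tag the field `json:"-"` instead — viper decoding goes through the `mapstructure` tag and is unaffected. In `Initialize`, an inline key silently wins over a configured `MasterKeyPath`; add `// An inline key takes precedence; the key file is only read when no inline key is configured.` above the first `if`, and consider logging when both are set so a stale path is not mistaken for the active key source. The inline value is used as-is, so if the file-read branch trims a trailing newline from the file contents, the two sources are normalized differently; either align them or document the difference. Initialize's body continues outside the hunk.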
@ -225,6 +225,7 @@
|
|||
"kms": {
|
||||
"secrets": {
|
||||
"url": "",
|
||||
"master_key": "",
|
||||
"master_key_path": ""
|
||||
}
|
||||
},
|
||||
|
|