KMS: allow to provide the master encryption key as string

config/config.go

@@ -264,8 +264,9 @@ func Init() {
 		},
 		KMSConfig: kms.Configuration{
 			Secrets: kms.Secrets{
-				URL:           "",
+				URL:             "",
-				MasterKeyPath: "",
+				MasterKeyString: "",
+				MasterKeyPath:   "",
 			},
 		},
 		TelemetryConfig: telemetry.Conf{
@@ -1027,6 +1028,7 @@ func setViperDefaults() {
 	viper.SetDefault("http.ca_certificates", globalConf.HTTPConfig.CACertificates)
 	viper.SetDefault("http.skip_tls_verify", globalConf.HTTPConfig.SkipTLSVerify)
 	viper.SetDefault("kms.secrets.url", globalConf.KMSConfig.Secrets.URL)
+	viper.SetDefault("kms.secrets.master_key", globalConf.KMSConfig.Secrets.MasterKeyString)
 	viper.SetDefault("kms.secrets.master_key_path", globalConf.KMSConfig.Secrets.MasterKeyPath)
 	viper.SetDefault("telemetry.bind_port", globalConf.TelemetryConfig.BindPort)
 	viper.SetDefault("telemetry.bind_address", globalConf.TelemetryConfig.BindAddress)

docs/full-configuration.md

@@ -236,8 +236,9 @@ The configuration file contains the following sections:
     - `url`, string, optional. If not empty, the header will be added only if the request URL starts with the one specified here
 - **kms**, configuration for the Key Management Service, more details can be found [here](./kms.md)
   - `secrets`
-    - `url`
+    - `url`, string. Defines the URI to the KMS service. Default empty.
-    - `master_key_path`
+    - `master_key`, string. Defines the master encryption key as string. If not empty, it takes precedence over `master_key_path`. Default empty.
+    - `master_key_path, string. Defines the absolute path to a file containing the master encryption key. Default empty.
 - **plugins**, list of external plugins. Each plugin is configured using a struct with the following fields:
   - `type`, string. Defines the plugin type. Supported types: `notifier`, `kms`.
   - `notifier_options`, struct. Defines the options for notifier plugins.

docs/kms.md

@@ -7,6 +7,7 @@ SFTPGo stores sensitive data such as Cloud account credentials or passphrases to
 The `secrets` section of the `kms` configuration allows to configure how to encrypt and decrypt sensitive data. The following configuration parameters are available:
 
 - `url` defines the URI to the KMS service
+- `master_key`, defines the master encryption key as string. If not empty, it takes precedence over `master_key_path`.
 - `master_key_path` defines the absolute path to a file containing the master encryption key. This could be, for example, a docker secrets or a file protected with filesystem level permissions.
 
 ### Local provider

kms/kms.go

@@ -78,9 +78,10 @@ type Configuration struct {
 
 // Secrets define the KMS configuration for encryption/decryption
 type Secrets struct {
-	URL           string `json:"url" mapstructure:"url"`
+	URL             string `json:"url" mapstructure:"url"`
-	MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
+	MasterKeyPath   string `json:"master_key_path" mapstructure:"master_key_path"`
-	masterKey     string
+	MasterKeyString string `json:"master_key" mapstructure:"master_key"`
+	masterKey       string
 }
 
 type registeredSecretProvider struct {
@@ -135,7 +136,10 @@ func GetSecretFromCompatString(secret string) (*Secret, error) {
 
 // Initialize configures the KMS support
 func (c *Configuration) Initialize() error {
-	if c.Secrets.MasterKeyPath != "" {
+	if c.Secrets.MasterKeyString != "" {
+		c.Secrets.masterKey = c.Secrets.MasterKeyString
+	}
+	if c.Secrets.masterKey == "" && c.Secrets.MasterKeyPath != "" {
 		mKey, err := os.ReadFile(c.Secrets.MasterKeyPath)
 		if err != nil {
 			return err

sftpgo.json

@@ -225,6 +225,7 @@
   "kms": {
     "secrets": {
       "url": "",
+      "master_key": "",
       "master_key_path": ""
     }
   },