fix(security): encrypt app secrets at rest with AES-256-GCM (#6)
All checks were successful
CI Pipeline / Rust Format Check (push) Successful in 8s
CI Pipeline / Clippy Lints (push) Successful in 50s
CI Pipeline / Rust Unit Tests (push) Successful in 1m8s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s
CI Pipeline / Build .deb & Release (push) Has been skipped
Encrypt three sensitive secrets that were stored in plaintext: OIDC client_secret, SMTP smtp_password, TOTP totp_secret. AES-256-GCM via pm-core::crypto helper. New per-install key at /etc/patch-manager/keys/secret-encryption.key, separate from health-check.key for blast-radius isolation. MASKED placeholder behavior in API responses is preserved. 23 files changed, +1248 / -28. Closes #6.
committed by GitHub
parent e0a9037be3, commit b9fb3427e0
migrations/020_encrypt_secrets_at_rest.sql (normal file, 44 lines)
@ -0,0 +1,44 @@
-- 020_encrypt_secrets_at_rest.sql
-- Encrypt three sensitive secrets at rest with AES-256-GCM:
-- - oidc_config.client_secret
-- - system_config row with key='smtp_password'
-- - users.totp_secret
--
-- Hard cutover (development stage, no dual-read window):
-- 1. ADD new BYTEA columns (idempotent)
-- 2. Operator runs one-shot migration helper (reads old plaintext, writes to new columns)
-- 3. DROP old TEXT columns (this migration)
--
-- The new key file is at /etc/patch-manager/keys/secret-encryption.key
-- (auto-generated on first start, 0600 permissions).
-- See tasks/secret-encryption-spec.md for the full design.

-- ============================================================
-- 1. oidc_config: client_secret
-- ============================================================
ALTER TABLE oidc_config
ADD COLUMN IF NOT EXISTS client_secret_encrypted BYTEA,
ADD COLUMN IF NOT EXISTS client_secret_nonce BYTEA;

-- DROP old plaintext column (migration helper must have run first)
ALTER TABLE oidc_config
DROP COLUMN IF EXISTS client_secret;

-- ============================================================
-- 2. system_config: smtp_password (key-value store)
-- ============================================================
-- Approach: add new keys 'smtp_password_encrypted' and 'smtp_password_nonce'
-- (no schema change to system_config), then delete the old 'smtp_password' row.
-- The migration helper reads the old row, encrypts, writes two new rows.
DELETE FROM system_config WHERE key = 'smtp_password';

-- ============================================================
-- 3. users: totp_secret
-- ============================================================
ALTER TABLE users
ADD COLUMN IF NOT EXISTS totp_secret_encrypted BYTEA,
ADD COLUMN IF NOT EXISTS totp_secret_nonce BYTEA;

-- DROP old plaintext column (migration helper must have run first)
ALTER TABLE users
DROP COLUMN IF EXISTS totp_secret;
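Review bot: the three destructive statements in this hunk (`DROP COLUMN IF EXISTS client_secret;`, `DELETE FROM system_config WHERE key = 'smtp_password';`, `DROP COLUMN IF EXISTS totp_secret;`) run unconditionally, while the comments only say the one-shot helper "must have run first" and nothing in the migration verifies that it did. If the migration is applied before the helper (or the helper failed part-way), the OIDC client secret, the SMTP password and every user's TOTP secret are lost with no way back, since there is no dual-read window. Suggest guarding each step: before the oidc_config and users drops, raise if any row still has a non-NULL plaintext value without a matching `*_encrypted` value (a `DO $$ ... RAISE EXCEPTION ... $$;` block works in PostgreSQL), and delete the `smtp_password` row only when the `smtp_password_encrypted` and `smtp_password_nonce` rows are both present. Alternatively, split step 3 into its own migration so the ADD and DROP cannot be applied in one unattended run.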