Certificates encrypted with static IV per key #117
Comments
Also reported upstream: kvesteri/sqlalchemy-utils#166

I think a reasonable fix would be either using the

Makes sense, is simply passing Ditching sqlalchemy_utils may be a good idea, I have to see if I use it for anything else. Do you want to take a stab at creating a If we do end up re-writing it,

Yeah, I'll work on making a

We have a few options for taking the user's key and passing it to Fernet:
I prefer the first option, but it does sacrifice some convenience, so I don't want to make assumptions about your priorities. @kevgliss Do you have any thoughts?
@rpicard I prefer the first option as well, this is the approach I take when generating configuration files for the user. https://github.com/Netflix/lemur/blob/master/lemur/manage.py#L167 And also for the "lock" and "unlock" functions, which also use fernet. https://github.com/Netflix/lemur/blob/master/lemur/manage.py#L419

Perfect.

Is this https://github.com/Netflix/lemur/blob/master/lemur/utils.py#L19

Correct, it is an unfortunate hack, flask-script needs a flask app object. I use flask-script to run Ideally flask-script wouldn't need current_app to function. I looked at http://click.pocoo.org/5/ which doesn't need an app object, but I wasn't sold on the decorator soup it tends to lean on.

Okay, that explains the problem I had. Like you said, it's an unfortunate hack, but I can live with it.
Facilitates key rotation and uses more secure encryption than what sqlalchemy-utils does. Fixes Netflix#117 and Netflix#119.
I've been running in Docker, but I'm trying to debug some things and to do so, I want to just run on my machine normally. I'm now getting this error when I run

My bad. I missed the
Update dev docs and fix mac and linux differences
The IV is static per key at least. Lemur is using sqlalchemy_utils to encrypt certificates. This in turn encrypts with AES in CBC mode.
https://github.com/kvesteri/sqlalchemy-utils/blob/master/sqlalchemy_utils/types/encrypted.py#L56
Given a single key, it will use the SHA256 hash of that key for all encryption. It looks like it will use the first 16 bytes of that hash as the IV for each operation.
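To make the report concrete, here is an added example (not code from the issue thread, Lemur or sqlalchemy-utils) that reproduces the scheme the issue describes, AES-CBC keyed with SHA256(key) and the digest's first 16 bytes as the IV, and sets it beside Fernet, the replacement the thread settles on. The key, the sample certificate bytes and the function names are constructed for this demonstration; the `cryptography` package is assumed to be installed.

```python
import hashlib
from cryptography.fernet import Fernet, MultiFernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size in bytes

def static_iv_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """AES-CBC as the issue describes it: the AES key is SHA256(key) and the
    IV is the first 16 bytes of that same digest, so the IV never changes."""
    digest = hashlib.sha256(key).digest()
    padder = padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(digest), modes.CBC(digest[:BLOCK]),
                 backend=default_backend()).encryptor()
    return enc.update(padded) + enc.finalize()

def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """Count the leading 16-byte blocks two ciphertexts have in common.
    With a fixed IV, equal plaintext prefixes give equal ciphertext prefixes,
    so anyone who can read the encrypted column sees which rows share them."""
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n

# Constructed sample "certificates": same 32-byte PEM header, different bodies.
CERT_A = b"-----BEGIN CERTIFICATE-----\nMIIC" + b"A" * 40
CERT_B = b"-----BEGIN CERTIFICATE-----\nMIIC" + b"B" * 40
KEY = b"lemur-example-encryption-key"  # constructed, not a real secret

def fernet_roundtrip(plaintext: bytes):
    """Fernet draws a fresh random IV per call and adds an HMAC tag; MultiFernet
    re-encrypts an existing token under a new key, which is what rotation needs."""
    old_key, new_key = Fernet.generate_key(), Fernet.generate_key()
    token1 = Fernet(old_key).encrypt(plaintext)
    token2 = Fernet(old_key).encrypt(plaintext)
    rotated = MultiFernet([Fernet(new_key), Fernet(old_key)]).rotate(token1)
    return token1 != token2, Fernet(new_key).decrypt(rotated) == plaintext

if __name__ == "__main__":
    a, b = static_iv_encrypt(KEY, CERT_A), static_iv_encrypt(KEY, CERT_B)
    print("static IV, identical leading blocks:", shared_prefix_blocks(a, b))
    print("fernet (ciphertexts differ, rotated token decrypts):", fernet_roundtrip(CERT_A))
```

Running it shows two different certificates sharing two identical leading ciphertext blocks under the static-IV scheme, while the two Fernet tokens for the same plaintext differ entirely.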