Merged
18 changes: 17 additions & 1 deletion Console/GenerateEncryptionKey.php
Expand Up @@ -18,6 +18,8 @@
class GenerateEncryptionKey extends Command
{
public const INPUT_KEY_FORCE = 'force';
public const INPUT_KEY_KEY = 'key';
public const INPUT_KEY_KEY_SHORTCUT = 'k';

/**
* @param ChangeEncryptionKeyService $changeEncryptionKey
Expand Down Expand Up @@ -51,6 +53,12 @@ protected function configure()
null,
InputOption::VALUE_NONE,
'Whether to force this action to take effect'
),
new InputOption(
self::INPUT_KEY_KEY,
self::INPUT_KEY_KEY_SHORTCUT,
InputOption::VALUE_OPTIONAL,
'The new crypt key to use for re-encryption (32 chars). If not set, the new key will be generated'
)
];

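Review bot: `InputOption::VALUE_OPTIONAL` lets `--key` be given with no value, in which case `getOption` returns `null` and the command silently falls back to generating a key, the opposite of what an operator typing `--key` intended; `InputOption::VALUE_REQUIRED` would turn a bare `--key` into an error instead. The help text also promises a 32-character key, but nothing in the option definition enforces it, so the length check has to live where the option is read.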
Expand All @@ -68,6 +76,14 @@ protected function configure()
*/
protected function execute(InputInterface $input, OutputInterface $output): int
{
$newKey = null;
if ($input->getOption(self::INPUT_KEY_KEY)) {
$newKey = $input->getOption(self::INPUT_KEY_KEY);
$output->writeln('<info>The provided crypt key will be used for re-encryption.</info>');
} else {
$output->writeln('<info>A new key will be generated for re-encryption, use "--key" to specify a custom key.</info>');
}

if (!$input->getOption(self::INPUT_KEY_FORCE)) {
$output->writeln('<info>Run with --force to generate a new key. This will decrypt and reencrypt values in core_config_data and saved credit card info</info>');
return Cli::RETURN_FAILURE;
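Review bot: the user-supplied key is forwarded without validation even though the option's help text says it must be 32 characters, so a shorter or longer value reaches the re-encryption service and can leave the store with a weak or unusable key; enforce the 32-character length right after reading the option and return `Cli::RETURN_FAILURE` with a clear message otherwise. The truthiness test `if ($input->getOption(self::INPUT_KEY_KEY))` also treats `--key=0` as "not set" because the string `"0"` is falsy in PHP, so compare against `null` instead, and read the option once into `$newKey` rather than calling `getOption` twice. The informational lines about which key will be used are printed before the `--force` guard, so an invocation without `--force` reports that the provided key "will be used" and then fails. One caveat worth surfacing in the command's output or README: a key passed as a command-line option is recorded in shell history and visible in the process list while the command runs, which is a secret-exposure path the generated-key default does not have.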
Expand All @@ -86,7 +102,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
$this->emulation->startEnvironmentEmulation(0, 'adminhtml');
$output->writeln('Generating a new encryption key using the magento core class');
$this->changeEncryptionKey->setOutput($output);
$this->changeEncryptionKey->changeEncryptionKey();
$this->changeEncryptionKey->changeEncryptionKey($newKey);
$this->emulation->stopEnvironmentEmulation();
$output->writeln('Cleaning cache');

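Review bot: the progress message "Generating a new encryption key using the magento core class" is now wrong whenever `$newKey` was supplied, since no key is generated in that case; branch the message on `$newKey` or make it neutral ("Changing the encryption key using the magento core class"). The call `changeEncryptionKey($newKey)` also requires `ChangeEncryptionKeyService::changeEncryptionKey()` to accept a nullable key argument, and that change to the service is not part of this diff, so confirm it landed alongside this commit.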
9 changes: 6 additions & 3 deletions README.md
Expand Up @@ -32,10 +32,12 @@ This is a rough list of steps that should be followed to prevent attacks with Co

This should be every merchant's **priority!** Install this module and generate a new key with:

`php bin/magento gene:encryption-key-manager:generate`
`php bin/magento gene:encryption-key-manager:generate [--key=MY_32_CHAR_CRYPT_KEY]`

This will force the JWT factory to use the newly generated key. Other areas of the application may continue to use the old keys. This step is the absolute priority and will help prevent attacks with CosmicSting.

> Use the `--key` option to manually define the new key to use during re-encryption. If no custom key is provided, a new key will be generated.

## Fully rotate your old keys

1. **Review your database** for any tables with encrypted values. Make sure your dump is `--human-readable` (magerun) or `--extended-insert=FALSE` (mysqldump) so that all values are on the same line as the `INSERT INTO`
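Review bot: the new `--key` paragraph says what the option does but not what a valid value looks like or how to produce one safely; since the command's own help text promises 32 characters, state that requirement here and recommend generating the value with a cryptographically secure random source rather than choosing it by hand. It should also warn that a key given on the command line ends up in shell history and is visible in the process list, which is a reason to prefer the generated-key default unless the key must match one held elsewhere.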
Expand All @@ -54,8 +56,9 @@ adobe_user_profile
2. **Review functions** using `->hash(` from the encryptor class. Changing the keys will result in a different hash.
3. If you have **custom logic** to handle that, it will be something you need to work that out manually.
3. **Generate a new key** `php bin/magento gene:encryption-key-manager:generate`
1. `Magento\Catalog\Model\View\Asset\Image` will continue to use the key at the `0` index
1. `Magento\JwtUserToken\Model\SecretBasedJwksFactory` will only use the most recently generated key at the highest index
1. You can specify the new crypt key to use with `php bin/magento gene:encryption-key-manager:generate --key=MY_32_CHAR_CRYPT_KEY`
2. `Magento\Catalog\Model\View\Asset\Image` will continue to use the key at the `0` index
3. `Magento\JwtUserToken\Model\SecretBasedJwksFactory` will only use the most recently generated key at the highest index
4. **Fix missing config values** `php bin/magento gene:encryption-key-manager:reencrypt-unhandled-core-config-data`
1. Re-run to verify `php bin/magento gene:encryption-key-manager:reencrypt-unhandled-core-config-data`
4. **Fix 2FA data** `php bin/magento gene:encryption-key-manager:reencrypt-tfa-data`
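Review bot: the top-level numbering of the list this hunk touches is out of sequence in the surrounding context ("3." on both the custom-logic item and "Generate a new key", "4." on both "Fix missing config values" and "Fix 2FA data"); since the sub-items are being renumbered here anyway, renumbering the parent items in the same change would keep the raw README readable. The new sub-item 1 also repeats the `--key` sentence added to the quick-start section above almost verbatim; a cross-reference would stop the two from drifting apart.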