diff --git a/cvmassistants/disktool/encryptedDisk.sh b/cvmassistants/disktool/encryptedDisk.sh index d2bf120..de88ede 100644 --- a/cvmassistants/disktool/encryptedDisk.sh +++ b/cvmassistants/disktool/encryptedDisk.sh @@ -6,7 +6,7 @@ # This script partitions, formats, and mounts disk devices. Supports both # encrypted (LUKS) and unencrypted disks. Environment variables control behavior: # `MOUNT_PATH` (mount point), `DISK` (device name), `KEY_TYPE` (only wrapkey supported), -# and `wrapkey` (encryption key). +# and `WRAP_KEY` (encryption key). # # Requirements: # - Must be run as root @@ -42,11 +42,11 @@ detect_or_create_partition() { fi done - log_info "Creating partition on $disk_dev with the following passed fdisk parameters: - n = new partition - p = primary partition - 1 = partition number 1 - = default start and end sectors + log_info "Creating partition on $disk_dev with the following passed fdisk parameters: + n = new partition + p = primary partition + 1 = partition number 1 + = default start and end sectors w = write changes" # Create the partition using fdisk # fdisk may return non-zero due to partition table re-read warning, but partition is created @@ -65,7 +65,7 @@ detect_or_create_partition() { # Try both possible partition naming schemes for suffix in "1" "p1"; do part_disk="${disk_dev}${suffix}" - if [[ -e "$part_disk" ]]; then + if [[ -e "$part_disk" ]]; then mappername="${mappername}${suffix}" log_info "Partition $part_disk successfully created on $disk_dev" return 0 @@ -81,7 +81,7 @@ format_and_encrypt_partition() { local key="$1" local part_dev="$2" local mapper="$3" - + echo "$key" | cryptsetup luksFormat --key-file=- "$part_dev" [[ $? -ne 0 ]] && log_fatal "Failed to format partition $part_dev in luks format" log_info "Partition $part_dev formatted successfully in luks format" 
@@ -93,7 +93,7 @@ format_and_encrypt_partition() { mkfs.ext4 "/dev/mapper/$mapper" [[ $? -ne 0 ]] && log_fatal "Failed to format partition /dev/mapper/$mapper in ext4 format" log_info "Partition /dev/mapper/$mapper successfully formatted in ext4 format" - + cryptsetup close "$mapper" [[ $? -ne 0 ]] && log_fatal "Failed to close partition /dev/mapper/$mapper" log_info "Partition /dev/mapper/$mapper closed successfully" @@ -104,7 +104,7 @@ format_and_encrypt_partition() { mount_device() { local device="$1" local mount_point="$2" - + mount "$device" "$mount_point" [[ $? -ne 0 ]] && log_fatal "Failed to mount $device to $mount_point" log_info "Mounted $device to $mount_point" @@ -119,7 +119,7 @@ log_info "Starting encrypted disk configuration..." [ "$KEY_TYPE" != "wrapkey" ] && log_fatal "KEY_TYPE $KEY_TYPE is not supported" log_info "Handling encrypted disk case" -[[ -z "$wrapkey" ]] && log_fatal "wrapkey is null" +[[ -z "$WRAP_KEY" ]] && log_fatal "WRAP_KEY is null" if [ ! -d "$MOUNT_PATH" ]; then log_info "Mount directory $MOUNT_PATH does not exist" @@ -137,10 +137,10 @@ device_to_mount="/dev/mapper/$mappername" [ -e "$device_to_mount" ] && log_fatal "Mapper $device_to_mount already exists" # Format and encrypt the partition (and check if it opens correctly) -format_and_encrypt_partition "$wrapkey" "$part_disk" "$mappername" +format_and_encrypt_partition "$WRAP_KEY" "$part_disk" "$mappername" # Open the encrypted device in its mapper -echo "$wrapkey" | cryptsetup open --key-file=- "$part_disk" "$mappername" +echo "$WRAP_KEY" | cryptsetup open --key-file=- "$part_disk" "$mappername" [[ $? -ne 0 ]] && log_fatal "cryptsetup open --key-file=- "$part_disk" "$mappername": failed" log_info "cryptsetup open --key-file=- "$part_disk" "$mappername": success" diff --git a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c index 3c266e6..f922334 100644 
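Review bot: `echo "$WRAP_KEY" | cryptsetup open --key-file=- …` pipes the key plus echo's trailing newline, and with `--key-file=-` cryptsetup reads stdin as a key file without stopping at or stripping the newline (worth confirming against the cryptsetup version shipped in the image). The LUKS passphrase is therefore effectively the key followed by `\n`. It only works because format_and_encrypt_partition feeds luksFormat the same way (`echo "$key" | cryptsetup luksFormat --key-file=- "$part_dev"`, visible as context in the -81,7 hunk). Anything that later tries to open the volume with the bare 32-character value will fail. Consider `printf '%s' "$WRAP_KEY" |` here and `printf '%s' "$key" |` in the function, changed together, which also stops depending on echo's option parsing now that generated keys may begin with `-`.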
--- a/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c +++ b/cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c @@ -12,6 +12,9 @@ #define LOG_LEVEL_ERROR 3 #define LOG_LEVEL_NONE 4 +// Key length for wrap key +#define WRAP_KEY_LENGTH 32 + int app_log_level = LOG_LEVEL_INFO; // Default to INFO level #define LOG_WITH_TIMESTAMP(fmt, level, associated_level, ...) \ @@ -37,8 +40,29 @@ int app_log_level = LOG_LEVEL_INFO; // Default to INFO level #define LOG_ERROR(fmt, ...) \ LOG_WITH_TIMESTAMP(fmt, "ERROR", LOG_LEVEL_ERROR, ##__VA_ARGS__) +// ----------------------------------------------------------------------------- +// Generate a random 32-byte key (alphanumeric and special characters) +// ----------------------------------------------------------------------------- +char* generate_random_key(void) { + char* key = malloc(WRAP_KEY_LENGTH + 1); + + if (!key) { + LOG_ERROR("Memory allocation failed"); + return NULL; + } + + const char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.~"; + size_t charset_size = sizeof(charset) - 1; -char* wrap_key = ""; + // Seed the random number generator with current time to ensure different keys on each run + srand((unsigned int)time(NULL)); + + for (size_t i = 0; i < WRAP_KEY_LENGTH; i++) { + key[i] = charset[rand() % charset_size]; + } + key[WRAP_KEY_LENGTH] = '\0'; + return key; +} int push_wrapkey_to_secret_box(const char* wrapkey) { CURL* curl; @@ -54,7 +78,7 @@ int push_wrapkey_to_secret_box(const char* wrapkey) { curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_DEFAULT_PROTOCOL, "http"); - strcpy(request_buffer, "key=wrapkey&value="); + strcpy(request_buffer, "key=WRAP_KEY&value="); strcat(request_buffer, wrapkey); LOG_DEBUG("Request body is %s", request_buffer); 
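Review bot: generate_random_key() derives the LUKS wrap key from `srand((unsigned int)time(NULL))` and `rand()`, which is not a cryptographic generator. The whole key is determined by the second in which the agent started, so its strength is that of a guessable timestamp rather than of 32 random characters. `rand() % charset_size` also skews the character distribution slightly. The key should come from the kernel CSPRNG, with out-of-range bytes rejected so each of the 66 characters is equally likely. The sketch below uses getrandom(), which needs `<sys/random.h>` and `<errno.h>`; the include block is outside this hunk, and the `srand`/`time` calls can then be dropped.

```c
char* generate_random_key(void) {
    // … unchanged: malloc of WRAP_KEY_LENGTH + 1 with NULL check, charset definition …
    const size_t charset_size = sizeof(charset) - 1;
    // Largest multiple of charset_size that fits in one byte; bytes at or above
    // it are discarded so the modulo below introduces no bias.
    const unsigned int limit = 256 - (256 % (unsigned int)charset_size);

    size_t filled = 0;
    while (filled < WRAP_KEY_LENGTH) {
        unsigned char pool[64];
        ssize_t got = getrandom(pool, sizeof(pool), 0);
        if (got < 0) {
            if (errno == EINTR) {
                continue;
            }
            LOG_ERROR("getrandom failed");
            free(key);
            return NULL;
        }
        for (ssize_t i = 0; i < got && filled < WRAP_KEY_LENGTH; i++) {
            if (pool[i] < limit) {
                key[filled++] = charset[pool[i] % charset_size];
            }
        }
    }
    key[WRAP_KEY_LENGTH] = '\0';
    return key;
}
```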
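Review bot: The request body in push_wrapkey_to_secret_box is still built with unbounded `strcpy`/`strcat`, and this change makes the fixed prefix one byte longer (`key=WRAP_KEY&value=`). The declaration of request_buffer is outside the hunk, so its size cannot be checked from here. Assuming it is a local array, a bounded write makes the limit explicit: `int n = snprintf(request_buffer, sizeof(request_buffer), "key=WRAP_KEY&value=%s", wrapkey);` followed by `if (n < 0 || (size_t)n >= sizeof(request_buffer)) { /* take the function's existing error path */ }`. The function body starts and ends outside this hunk.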
@@ -80,7 +104,7 @@ int push_wrapkey_to_secret_box(const char* wrapkey) { int main(int argc, char** argv) { setvbuf(stdout, NULL, _IONBF, 0); - + // Command line options char* const short_options = "l:h"; struct option long_options[] = { @@ -88,7 +112,7 @@ int main(int argc, char** argv) { {"help", no_argument, NULL, 'h'}, {0, 0, 0, 0} }; - + int opt; do { opt = getopt_long(argc, argv, short_options, long_options, NULL); @@ -120,20 +144,16 @@ int main(int argc, char** argv) { exit(-1); } } while (opt != -1); - - LOG_INFO("Try to get key from local"); - wrap_key = getenv("localKey"); - if (NULL == wrap_key) { - LOG_ERROR("local-key does not config"); - return -1; - } - if (strlen(wrap_key) != 32) { - LOG_ERROR("Key size is not 32 bytes, please check"); + + + char* wrap_key = generate_random_key(); + if (wrap_key == NULL) { + LOG_ERROR("Failed to generate random wrap key"); return -1; } + LOG_INFO("Successfully generated random wrap key"); + LOG_INFO("Generated random wrap key: %s", wrap_key); - LOG_INFO("Get wrap_key successful from local"); - LOG_DEBUG("Wrapkey is %s", wrap_key); int ret = push_wrapkey_to_secret_box(wrap_key); if (ret != 0) { LOG_ERROR("Push wrapkey to secret box failed");
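Review bot: `LOG_INFO("Generated random wrap key: %s", wrap_key);` writes the disk wrap key to the agent's log output at the default level (app_log_level starts at LOG_LEVEL_INFO), whereas the removed code only printed it at DEBUG. Drop that line and keep `LOG_INFO("Successfully generated random wrap key");`. The context line `LOG_DEBUG("Request body is %s", request_buffer);` in push_wrapkey_to_secret_box exposes the same secret whenever debug logging is enabled and should be removed or redacted as well. The buffer returned by generate_random_key() is heap-allocated and the rest of main is outside this hunk, so confirm it is cleared (for example with `explicit_bzero`) and freed once the push has completed.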