Skip to content

feat: key generation from key-provider-agent #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Nov 12, 2025
Merged

feat: key generation from key-provider-agent #36

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b450275
feat: key generation from key-provider-agent
thewhitewizard Nov 12, 2025
62a78af
feat: switch to uppercase for key label
thewhitewizard Nov 12, 2025
65ac11b
feat: remove key injection feature
thewhitewizard Nov 12, 2025
cdf3c50
feat: read key from WRAP_KEY instead of wrapkey
thewhitewizard Nov 12, 2025
af844ba
docs: add comment explaining srand seed initialization
thewhitewizard Nov 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 13 additions & 13 deletions cvmassistants/disktool/encryptedDisk.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
# This script partitions, formats, and mounts disk devices. Supports both
# encrypted (LUKS) and unencrypted disks. Environment variables control behavior:
# `MOUNT_PATH` (mount point), `DISK` (device name), `KEY_TYPE` (only wrapkey supported),
# and `wrapkey` (encryption key).
# and `WRAP_KEY` (encryption key).
#
# Requirements:
# - Must be run as root
Expand Down Expand Up @@ -42,11 +42,11 @@ detect_or_create_partition() {
fi
done

log_info "Creating partition on $disk_dev with the following passed fdisk parameters:
n = new partition
p = primary partition
1 = partition number 1
<Enter><Enter> = default start and end sectors
log_info "Creating partition on $disk_dev with the following passed fdisk parameters:
n = new partition
p = primary partition
1 = partition number 1
<Enter><Enter> = default start and end sectors
w = write changes"
# Create the partition using fdisk
# fdisk may return non-zero due to partition table re-read warning, but partition is created
Expand All @@ -65,7 +65,7 @@ detect_or_create_partition() {
# Try both possible partition naming schemes
for suffix in "1" "p1"; do
part_disk="${disk_dev}${suffix}"
if [[ -e "$part_disk" ]]; then
if [[ -e "$part_disk" ]]; then
mappername="${mappername}${suffix}"
log_info "Partition $part_disk successfully created on $disk_dev"
return 0
Expand All @@ -81,7 +81,7 @@ format_and_encrypt_partition() {
local key="$1"
local part_dev="$2"
local mapper="$3"

echo "$key" | cryptsetup luksFormat --key-file=- "$part_dev"
[[ $? -ne 0 ]] && log_fatal "Failed to format partition $part_dev in luks format"
log_info "Partition $part_dev formatted successfully in luks format"
Expand All @@ -93,7 +93,7 @@ format_and_encrypt_partition() {
mkfs.ext4 "/dev/mapper/$mapper"
[[ $? -ne 0 ]] && log_fatal "Failed to format partition /dev/mapper/$mapper in ext4 format"
log_info "Partition /dev/mapper/$mapper successfully formatted in ext4 format"

cryptsetup close "$mapper"
[[ $? -ne 0 ]] && log_fatal "Failed to close partition /dev/mapper/$mapper"
log_info "Partition /dev/mapper/$mapper closed successfully"
Expand All @@ -104,7 +104,7 @@ format_and_encrypt_partition() {
mount_device() {
local device="$1"
local mount_point="$2"

mount "$device" "$mount_point"
[[ $? -ne 0 ]] && log_fatal "Failed to mount $device to $mount_point"
log_info "Mounted $device to $mount_point"
Expand All @@ -119,7 +119,7 @@ log_info "Starting encrypted disk configuration..."
[ "$KEY_TYPE" != "wrapkey" ] && log_fatal "KEY_TYPE $KEY_TYPE is not supported"

log_info "Handling encrypted disk case"
[[ -z "$wrapkey" ]] && log_fatal "wrapkey is null"
[[ -z "$WRAP_KEY" ]] && log_fatal "WRAP_KEY is null"

if [ ! -d "$MOUNT_PATH" ]; then
log_info "Mount directory $MOUNT_PATH does not exist"
Expand All @@ -137,10 +137,10 @@ device_to_mount="/dev/mapper/$mappername"
[ -e "$device_to_mount" ] && log_fatal "Mapper $device_to_mount already exists"

# Format and encrypt the partition (and check if it opens correctly)
format_and_encrypt_partition "$wrapkey" "$part_disk" "$mappername"
format_and_encrypt_partition "$WRAP_KEY" "$part_disk" "$mappername"

# Open the encrypted device in its mapper
echo "$wrapkey" | cryptsetup open --key-file=- "$part_disk" "$mappername"
echo "$WRAP_KEY" | cryptsetup open --key-file=- "$part_disk" "$mappername"
[[ $? -ne 0 ]] && log_fatal "cryptsetup open --key-file=- "$part_disk" "$mappername": failed"
log_info "cryptsetup open --key-file=- "$part_disk" "$mappername": success"

Expand Down
50 changes: 35 additions & 15 deletions cvmassistants/keyprovider/key-provider-agent/src/key_provider_agent.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@
#define LOG_LEVEL_ERROR 3
#define LOG_LEVEL_NONE 4

// Key length for wrap key
#define WRAP_KEY_LENGTH 32

int app_log_level = LOG_LEVEL_INFO; // Default to INFO level

#define LOG_WITH_TIMESTAMP(fmt, level, associated_level, ...) \
Expand All @@ -37,8 +40,29 @@ int app_log_level = LOG_LEVEL_INFO; // Default to INFO level
#define LOG_ERROR(fmt, ...) \
LOG_WITH_TIMESTAMP(fmt, "ERROR", LOG_LEVEL_ERROR, ##__VA_ARGS__)

// -----------------------------------------------------------------------------
// Generate a random 32-byte key (alphanumeric and special characters)
// -----------------------------------------------------------------------------
char* generate_random_key(void) {
char* key = malloc(WRAP_KEY_LENGTH + 1);

if (!key) {
LOG_ERROR("Memory allocation failed");
return NULL;
}

const char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.~";
size_t charset_size = sizeof(charset) - 1;

char* wrap_key = "";
// Seed the random number generator with current time to ensure different keys on each run
srand((unsigned int)time(NULL));

for (size_t i = 0; i < WRAP_KEY_LENGTH; i++) {
key[i] = charset[rand() % charset_size];
}
key[WRAP_KEY_LENGTH] = '\0';
return key;
}

int push_wrapkey_to_secret_box(const char* wrapkey) {
CURL* curl;
Expand All @@ -54,7 +78,7 @@ int push_wrapkey_to_secret_box(const char* wrapkey) {
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
curl_easy_setopt(curl, CURLOPT_DEFAULT_PROTOCOL, "http");

strcpy(request_buffer, "key=wrapkey&value=");
strcpy(request_buffer, "key=WRAP_KEY&value=");
strcat(request_buffer, wrapkey);
LOG_DEBUG("Request body is %s", request_buffer);

Expand All @@ -80,15 +104,15 @@ int push_wrapkey_to_secret_box(const char* wrapkey) {

int main(int argc, char** argv) {
setvbuf(stdout, NULL, _IONBF, 0);

// Command line options
char* const short_options = "l:h";
struct option long_options[] = {
{"log-level", required_argument, NULL, 'l'},
{"help", no_argument, NULL, 'h'},
{0, 0, 0, 0}
};

int opt;
do {
opt = getopt_long(argc, argv, short_options, long_options, NULL);
Expand Down Expand Up @@ -120,20 +144,16 @@ int main(int argc, char** argv) {
exit(-1);
}
} while (opt != -1);

LOG_INFO("Try to get key from local");
wrap_key = getenv("localKey");
if (NULL == wrap_key) {
LOG_ERROR("local-key does not config");
return -1;
}
if (strlen(wrap_key) != 32) {
LOG_ERROR("Key size is not 32 bytes, please check");


char* wrap_key = generate_random_key();
if (wrap_key == NULL) {
LOG_ERROR("Failed to generate random wrap key");
return -1;
}
LOG_INFO("Successfully generated random wrap key");
LOG_INFO("Generated random wrap key: %s", wrap_key);

LOG_INFO("Get wrap_key successful from local");
LOG_DEBUG("Wrapkey is %s", wrap_key);
int ret = push_wrapkey_to_secret_box(wrap_key);
if (ret != 0) {
LOG_ERROR("Push wrapkey to secret box failed");
Expand Down