
Unable to import an encrypted backup #48

Closed
sebPomme opened this issue May 4, 2021 · 7 comments
@sebPomme

sebPomme commented May 4, 2021

Hello, I just followed the README.md, and I can't re-import the data.

pomme@shark medusa % openssl version
OpenSSL 1.1.1k  25 Mar 2021
pomme@shark medusa % openssl genrsa -out private-key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...........................++++
..........................................................................++++
e is 65537 (0x010001)
pomme@shark medusa % openssl rsa -in private-key.pem -pubout -out public-key.pem
writing RSA key
pomme@shark medusa % ./bin/medusa export kv-certificates_backup --token="$(vault print token)" --encrypt true --public-key="public-key.pem" --output="encrypted-vault-secrets.txt"
pomme@shark medusa % file encrypted-vault-secrets.txt 
encrypted-vault-secrets.txt: ASCII text, with very long lines (65536), with no line terminators
pomme@shark medusa % ./bin/medusa import kv-temporaire encrypted-vault-secrets.txt --token="$(vault print token)" --decrypt="true" --private-key="private-key.pem"
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
medusa/pkg/encrypt.Decrypt(0x7ffeeea13e06, 0xf, 0x7ffeeea13daa, 0x1b, 0xc000126c3b, 0x1, 0x0, 0xc000187bd0)
        /home/runner/work/medusa/medusa/pkg/encrypt/encrypt.go:46 +0x41d
medusa/cmd.glob..func3(0xcdce00, 0xc000100a50, 0x2, 0x5, 0x0, 0x0)
        /home/runner/work/medusa/medusa/cmd/import.go:45 +0x38f
github.com/spf13/cobra.(*Command).execute(0xcdce00, 0xc000100a00, 0x5, 0x5, 0xcdce00, 0xc000100a00)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:850 +0x47c
github.com/spf13/cobra.(*Command).ExecuteC(0xcdc8c0, 0xc000052778, 0xc000187f78, 0x4062c5)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:958 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:895
medusa/cmd.Execute(...)
        /home/runner/work/medusa/medusa/cmd/cmd.go:50
main.main()
        /home/runner/work/medusa/medusa/main.go:10 +0x32

I use medusa v0.2.2.

I can't figure out what I'm doing wrong; do you have an idea?

Seb 🍎

@jonasvinther jonasvinther self-assigned this May 4, 2021
@jonasvinther
Owner

Hi @sebPomme ,
Thanks for reaching out!

First of all, can you verify that the export and import are working when exporting using plain text?

Next, I see that it's failing when it's trying to read line 1 in your export file encrypted-vault-secrets.txt. If you open the file in a text editor you should see that the file contains only two lines, because it looks like it cannot read the first line of the file.
Can you maybe try with another dataset?

@sebPomme
Author

sebPomme commented May 4, 2021

Hi,

Thanks for this reply.
First, the test without encryption:

pomme@shark medusa % ./bin/medusa export kv-certificates_backup --token="$(vault print token)" --output="vault-secrets.txt"
pomme@shark medusa % wc -l vault-secrets.txt 
68632 vault-secrets.txt
pomme@shark medusa % ./bin/medusa import kv-temporaire vault-secrets.txt --token="$(vault print token)"
Secret successfully written to Vault [https://vault.exemple.org:443] using path [/one]
Secret successfully written to Vault [https://vault.exemple.org:443] using path [/two]
.....
Secret successfully written to Vault [https://vault.exemple.org:443] using path [/68632]
pomme@shark medusa % echo $?
0

I created a new dataset and tested with it.

pomme@shark medusa % ./bin/medusa export github_issue --token="$(vault print token)" --encrypt true --public-key="public-key.pem" --output="encrypted-vault-secrets.txt"
pomme@shark medusa % wc -l encrypted-vault-secrets.txt 
2 encrypted-vault-secrets.txt
pomme@shark medusa % ./bin/medusa import kv-temporaire encrypted-vault-secrets.txt --token="$(vault print token)" --decrypt="true" --private-key="private-key.pem"
Secret successfully written to Vault [https://vault.exemple.org:443] using path [/*three]
Secret successfully written to Vault [https://vault.exemple.org:443] using path [/3]
Secret successfully written to Vault [https://vault.exemple.org:443] using path [/one]
Secret successfully written to Vault [https://vault.exemple.org:443] using path [/two]
pomme@shark medusa % vault kv get kv-temporaire/"*three"                                  
====== Metadata ======
Key              Value
---              -----
created_time     2021-05-04T18:59:38.263007969Z
deletion_time    n/a
destroyed        false
version          1

==== Data ====
Key      Value
---      -----
18759    18759

Does this help?

@jonasvinther
Owner

Thank you for providing more information.
So the first test with no encryption and the same datasets went well. I see that your export is 68632 lines long? I must admit that I haven't tested Medusa with such a large dataset. I appreciate your help in order to debug this error. Maybe I need to create a very large dataset to test with.

Does the exported file also contain exactly two lines when you do the encrypted export of the kv-certificates_backup dataset?

@sebPomme
Author

sebPomme commented May 4, 2021

I wrote 68632 to anonymise my key names; this is not the number of secrets.

Actually I have 544 secrets in kv-certificates_backup.
Each secret has roughly this form:

{
  "*.domain.name": {
    "cert": "-----BEGIN CERTIFICATE-----\n.........",
    "chain": "\n-----BEGIN CERTIFICATE-----\n.......",
    "fullchain": "-----BEGIN CERTIFICATE-----\n.......",
    "key": "-----BEGIN RSA KEY-----\n........",
    "owner": "software-name",
    "timestamp": ""
  }
}

And yeah, with the encrypted export the file has only 2 lines.

pomme@requin medusa % ./bin/medusa export kv-certificates_backup --token="$(vault print token)" --encrypt true --public-key="public-key.pem" --output="encrypted-vault-secrets.txt" 
pomme@requin medusa % wc -l encrypted-vault-secrets.txt
2 encrypted-vault-secrets.txt

@sebPomme
Author

sebPomme commented May 5, 2021

I don't know if it can help, but I just tried something:

pomme@requin medusa % ./bin/medusa export kv-certificates_backup --token="$(vault print token)" | openssl rsautl -encrypt -oaep -pubin -inkey public-key.pem -in - -out encrypted-vault-secrets.openssl
RSA operation error
139845753628480:error:0409A06E:rsa routines:RSA_padding_add_PKCS1_OAEP_mgf1:data too large for key size:crypto/rsa/rsa_oaep.c:61:

But it works with a lightweight volume:

pomme@requin medusa % ./bin/medusa export github_issue --token="$(vault print token)" | openssl rsautl -encrypt -oaep -pubin -inkey public-key.pem -in - -out encrypted-vault-secrets.openssl
pomme@requin medusa % openssl rsautl -decrypt -oaep -inkey private-key.pem -in encrypted-vault-secrets.openssl 
'*three':
  "18759": "18759"
"3":
  "18759": "18759"
one:
  data: for
  debug: purposes
  some: random
two:
  "18759": "18759"

@jonasvinther
Owner

I'm closing this one since I haven't been able to reproduce. I think that you have some special data somewhere in your Vault that Medusa is not able to handle. Feel free to re-open if you have any additional information that can help me reproduce this error.

@mateustanaka

I'm facing the same issue with medusa v0.3.1

$ ./medusa import kv encrypted-vault-secrets.txt --address="http://127.0.0.1:8200" --token="xxxxxxxxxxx" --decrypt="true" --private-key="private-key.pem"
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/jonasvinther/medusa/pkg/encrypt.Decrypt(0x7ffe151c6c79, 0xf, 0x7ffe151c6bfd, 0x1b, 0xc0000b905b, 0x1, 0x0, 0xb)
/home/runner/work/medusa/medusa/pkg/encrypt/encrypt.go:46 +0x41d
github.com/jonasvinther/medusa/cmd.glob..func4(0xd37840, 0xc0000bede0, 0x2, 0x6, 0x0, 0x0)
/home/runner/work/medusa/medusa/cmd/import.go:46 +0x3fa
github.com/spf13/cobra.(*Command).execute(0xd37840, 0xc0000bed80, 0x6, 0x6, 0xd37840, 0xc0000bed80)
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:850 +0x47c
github.com/spf13/cobra.(*Command).ExecuteC(0xd37060, 0xc00003a778, 0xc00010ff78, 0x4062c5)
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:958 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:895
github.com/jonasvinther/medusa/cmd.Execute(...)
/home/runner/work/medusa/medusa/cmd/cmd.go:59
main.main()
/home/runner/work/medusa/medusa/main.go:10 +0x32

$ wc -l encrypted-vault-secrets.txt 
2 encrypted-vault-secrets.txt
