Add Secrets Database #1309
Add Secrets Database #1309
Conversation
* provide Init functions to initialize a DB with a particular type * add methods to assert a DB is a particular type which can be used in constructors of storage modules which require a particular type
require --secretsdir flag
jordanschalm
changed the title
jordanschalm
requested review from
AlexHentschel,
vishalchangrani and
zhangchiqing
as code owners
jordanschalm
requested review from
huitseeker and
synzhu
and removed request for
vishalchangrani
jordanschalm
requested review from
vishalchangrani,
synzhu and
peterargue
and removed request for
AlexHentschel
cmd/scaffold.go
Outdated
| func loadSecretsEncryptionKey(dir string, myID flow.Identifier) ([]byte, error) { | ||
| data, err := io.ReadFile(filepath.Join(dir, fmt.Sprintf(bootstrap.PathSecretsEncryptionKey, myID))) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("could not read key: %w", err) |
| err := os.MkdirAll(fnb.BaseConfig.secretsdir, 0700) | ||
| fnb.MustNot(err).Str("dir", fnb.BaseConfig.secretsdir).Msg("could not create secrets db dir") |
There was a problem hiding this comment.
If the directory already exists, would running the second time still work?
There was a problem hiding this comment.
It will - we do the same for the existing database
Line 437 in 27802a0
| // attempt to read an encryption key for the secrets DB from the canonical path | ||
| encryptionKey, err := loadSecretsEncryptionKey(fnb.BootstrapDir, fnb.NodeID) | ||
| if errors.Is(err, os.ErrNotExist) { | ||
| fnb.Logger.Warn().Msg("starting with secrets database encryption disabled") |
There was a problem hiding this comment.
Why not crashing? shouldn't secret encryption key always exist?
There was a problem hiding this comment.
Because creating the encryption key requires an operator action (see #1340 and onflow/flow#641), the plan is to not make it a hard requirement initially (discussion here)
There was a problem hiding this comment.
OK, better to add a TODO for reminding us to remove it in next spork or something
There was a problem hiding this comment.
There was a problem hiding this comment.
will add key derivation suggestions there
cmd/consensus/main.go
Outdated
| var flowClient *client.Client | ||
| if insecureAccessAPI { | ||
| flowClient, err = common.InsecureFlowClient(accessAddress) | ||
| if err != nil { | ||
| return nil, err |
There was a problem hiding this comment.
not sure if these change have anything to do with Secrets database
There was a problem hiding this comment.
You're right, this is duplicating the setup that is already implemented here: https://github.com/onflow/flow-go/pull/1309/files#diff-7d960671cc56ce82783f5366bad31f7108cf00270c1bb39b0e00fa57ca96334dR354-R383. Not sure how that happened, thanks for catching
| func NewDKGKeys(collector module.CacheMetrics, db *badger.DB) *DKGKeys { | ||
| func NewDKGKeys(collector module.CacheMetrics, db *badger.DB) (*DKGKeys, error) { | ||
|
|
||
| err := operation.EnsureSecretDB(db) |
There was a problem hiding this comment.
Can't find my comment. Sorry if I asked this question again:
Can we let EnsureSecretDB check whether the encryption key is correct? Seems if the encryption key is incorrect, the db can still be initialized, and won't learn it's wrong until there is an query.
There was a problem hiding this comment.
The database will fail to open if the encryption key isn't correct. Going to add a test case that validates this.
There was a problem hiding this comment.
Added a test here: aab5d8e
Codecov Report
@@ Coverage Diff @@
## master #1309 +/- ##
==========================================
- Coverage 56.25% 55.24% -1.02%
==========================================
Files 500 506 +6
Lines 31162 31798 +636
==========================================
+ Hits 17531 17567 +36
- Misses 11262 11856 +594
- Partials 2369 2375 +6
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
LGTM, under heavy caveats that we discussed offline and that I'll re-state here for completeness:
- since the DKG secrets can lead to consensus votes (in consensus v2),
- those secrets being read by an out-of-process intruder on the node operator's machine can lead to a compromise of chain safety,
- hence the DKG secrets DB being left unencrypted is unsafe (though perhaps just as bad as we deal with staking key persistence and custody)
- so this should only be released in mainnet after a documentation PR that outlines all on-disk locations that the operator should secure with spectacular clarity,
- this doc pr should let operators use infra / sre means to secure those storage locations using one of the myriad of solutions available (some FUSE-based overlay encryption, Docker, K8s, GCP secrets, etc ...)
| // attempt to read an encryption key for the secrets DB from the canonical path | ||
| encryptionKey, err := loadSecretsEncryptionKey(fnb.BootstrapDir, fnb.NodeID) | ||
| if errors.Is(err, os.ErrNotExist) { | ||
| fnb.Logger.Warn().Msg("starting with secrets database encryption disabled") |
There was a problem hiding this comment.
will add key derivation suggestions there
|
bors merge |
This PR creates a separate database for confidential data. It implements part of the Identity-Agnostic Database Structure proposal.
Changes
systemdfiles