Transit - drop support for pre-v0.6.2 keys #37
Labels
enhancement
New feature or request
Comments
This was referenced Jan 6, 2024
Closed
cipherboy
pushed a commit
to cipherboy/openbao
that referenced
this issue
Jan 21, 2024
Build with go 1.21.3, and update related packages. Pin github actions to the latest trusted versions, and test with k8s 1.24-1.28 and Vault 1.15.0.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In #36 (comment), it was mentioned again that Transit <v0.6.2 convergent encryption keys are weak (and the v2 convergent encryption scheme was as well, though less so). We should consider fully removing support for these operations so we can avoid a repeat of the vulnerability that occurred as a result of this old code paths being supported.
This probably warrants a bigger discussion about deprecation paths. This version is very old, upstream has not supported it for years, but yet the one-shot upgrade path (and necessity to decrypt existing data and prevent workflow breakage) has caused support to remain.
The text was updated successfully, but these errors were encountered: