DRAFT feat: implement client-side remote state encryption (#297) #383
This is not intended for merging as is, but is for the discussions on #297
Resolves parts of #297 (but does not meet all requirements)
Target Release
NOT APPLICABLE
Draft CHANGELOG entry
Add client side encryption of the entire state for all remote state storage backends except the enhanced backends.
ENHANCEMENTS
Summary:
Add client side encryption of the entire state for all remote state storage backends except the enhanced backends.
What gets sent to the remote state storage just looks like this:
{"crypted":"e93e3e7ad343405525...dda4fc061"}
The idea is that even the company that operates the remote state storage cannot read it. Of course, one should still configure all other protection mechanisms on the remote storage, this is just one layer of security, but I think it's a very important one.
Features:
The change to existing code is minimal, see internal/states/remote/states.go, I have basically inserted the encryption/decryption at the point at which Client.Get / Client.Put are invoked. As the result of the encryption is again json, this should hopefully work with all Clients with zero changes.
Successfully tested with the azure backend ONLY, but there this code has seen more than a year of production use.
Limitations
I have marked this feature experimental in the documentation, I do not have the resources to test it with all remote backends.
I assume it will not work with enhanced backends because these need access to the state.
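A sketch of the wrap/unwrap step described above, added here as an illustration and not taken from this PR's code. The description does not name its cipher, so AES-GCM, the nonce-prefixed layout, and the names NewAEAD, EncryptState and DecryptState are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// envelope mirrors the {"crypted":"<hex>"} document shown in the PR description.
type envelope struct{ Crypted string `json:"crypted"` }

func NewAEAD(key []byte) (cipher.AEAD, error) { // AES-GCM is an assumption of this example
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptState would run just before Client.Put: hex(nonce || ciphertext || tag) in JSON.
func EncryptState(aead cipher.AEAD, state []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nonce, nonce, state, nil) // fresh random nonce per write
	return json.Marshal(envelope{Crypted: hex.EncodeToString(sealed)})
}

// DecryptState would run just after Client.Get; it fails closed on plaintext, wrong key or tampering.
func DecryptState(aead cipher.AEAD, payload []byte) ([]byte, error) {
	var env envelope
	if err := json.Unmarshal(payload, &env); err != nil || env.Crypted == "" {
		return nil, fmt.Errorf("payload is not an encrypted state envelope")
	}
	sealed, err := hex.DecodeString(env.Crypted)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func main() {
	aead, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key, never use in practice
	out, err := EncryptState(aead, []byte(`{"version":4}`))
	fmt.Println(string(out), err)
}
```

Because the mode is authenticated, a storage operator who cannot read the state also cannot modify it without the next read failing.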