Remove algorithm from crypto config #3467
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Relates to #3315 Previously, it was possible to set a default and fallback algorithm. This seemed like a good idea at the time but I came to realize the following: 1) Unlike the key, the algorithm is not an external piece of data - it corresponds to something implemented in the codebase. We cannot introduce new algorithms without changing the code. 2) After pairing on a key rotation with Ozz, I realized that the relationship between the key ID and the algorithm in the config is not really intuitive, and is likely to cause confusion which could result in us breaking our ability to decrypt secrets. This PR removes the algorithm from the config and defines the default vs fallback in the code. As part of this change, the new GCM algorithm becomes the default for everyone, and this required changing some tests to use real encryption keys (the old CFB algorithm would accept arbitrary strings as keys, the GCM cipher expects a base64-encoded 32-byte key).
jhrozek
approved these changes
May 30, 2024
JAORMX
approved these changes
May 31, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Relates to #3315
Previously, it was possible to set a default and fallback algorithm in the crypto config. This seemed like a good idea at the time but I came to realize the following:
corresponds to something implemented in the codebase. We cannot
introduce new algorithms without changing the code.
relationship between the key ID and the algorithm in the config is
not really intuitive, and is likely to cause confusion which could
result in us breaking our ability to decrypt secrets.
This PR removes the algorithm from the config and defines the default vs fallback in the code. As part of this change, the new GCM algorithm becomes the default for everyone, and this required changing some tests to use real encryption keys (the old CFB algorithm would accept arbitrary strings as keys, the GCM cipher expects a base64-encoded 32-byte key).
Summary
Provide a brief overview of the changes and the issue being addressed.
Explain the rationale and any background necessary for understanding the changes.
List dependencies required by this change, if any.
Fixes #(related issue)
Change Type
Mark the type of change your PR introduces:
Testing
Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.
Review Checklist: