Add mciasdb rekey command
- internal/db/accounts.go: add ListAccountsWithTOTP, ListAllPGCredentials, TOTPRekeyRow, PGRekeyRow, and Rekey — atomic transaction that replaces master_key_salt, signing_key_enc/nonce, all TOTP enc/nonce, and all pg_password enc/nonce in one SQLite BEGIN/COMMIT - cmd/mciasdb/rekey.go: runRekey — decrypts all secrets under old master key, prompts for new passphrase (with confirmation), derives new key from fresh Argon2id salt, re-encrypts everything, and commits atomically - cmd/mciasdb/main.go: wire "rekey" command + update usage - Tests: DB-layer tests for ListAccountsWithTOTP, ListAllPGCredentials, Rekey (happy path, empty DB, salt replacement); command-level TestRekeyCommandRoundTrip verifies full round-trip and adversarially confirms old key no longer decrypts after rekey Security: fresh random salt is always generated so a reused passphrase still produces an independent key; old and new master keys are zeroed via defer; no passphrase or key material appears in logs or audit events; the entire re-encryption is done in-memory before the single atomic DB write so the database is never in a mixed state. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -39,6 +39,8 @@
|
||||
//
|
||||
// pgcreds get --id UUID
|
||||
// pgcreds set --id UUID --host H --port P --db D --user U
|
||||
//
|
||||
// rekey
|
||||
package main
|
||||
|
||||
import (
|
||||
@@ -107,6 +109,8 @@ func main() {
|
||||
tool.runAudit(subArgs)
|
||||
case "pgcreds":
|
||||
tool.runPGCreds(subArgs)
|
||||
case "rekey":
|
||||
tool.runRekey(subArgs)
|
||||
default:
|
||||
fatalf("unknown command %q; run with no args for usage", command)
|
||||
}
|
||||
@@ -259,6 +263,9 @@ Commands:
|
||||
pgcreds set --id UUID --host H [--port P] --db D --user U
|
||||
(password is prompted interactively)
|
||||
|
||||
rekey Re-encrypt all secrets under a new master passphrase
|
||||
(prompts interactively; requires server to be stopped)
|
||||
|
||||
NOTE: mciasdb bypasses the mciassrv API and operates directly on the SQLite
|
||||
file. Use it only when the server is unavailable or for break-glass recovery.
|
||||
All write operations are recorded in the audit log.
|
||||
|
||||
@@ -438,3 +438,141 @@ func TestPGCredsGetNotFound(t *testing.T) {
|
||||
t.Fatal("expected ErrNotFound, got nil")
|
||||
}
|
||||
}
|
||||
|
||||
// ---- rekey command tests ----
|
||||
|
||||
// TestRekeyCommandRoundTrip exercises runRekey end-to-end with real AES-256-GCM
|
||||
// encryption and actual Argon2id key derivation. It verifies that all secrets
|
||||
// (signing key, TOTP, pg password) remain accessible after rekey and that the
|
||||
// old master key no longer decrypts the re-encrypted values.
|
||||
//
|
||||
// Note: Argon2id derivation (time=3, memory=128 MiB) makes this test slow (~2 s).
|
||||
func TestRekeyCommandRoundTrip(t *testing.T) {
|
||||
tool := newTestTool(t)
|
||||
|
||||
// ── Setup: signing key encrypted under old master key ──
|
||||
_, privKey, err := crypto.GenerateEd25519KeyPair()
|
||||
if err != nil {
|
||||
t.Fatalf("generate key pair: %v", err)
|
||||
}
|
||||
sigKeyPEM, err := crypto.MarshalPrivateKeyPEM(privKey)
|
||||
if err != nil {
|
||||
t.Fatalf("marshal key: %v", err)
|
||||
}
|
||||
sigEnc, sigNonce, err := crypto.SealAESGCM(tool.masterKey, sigKeyPEM)
|
||||
if err != nil {
|
||||
t.Fatalf("seal signing key: %v", err)
|
||||
}
|
||||
if err := tool.db.WriteServerConfig(sigEnc, sigNonce); err != nil {
|
||||
t.Fatalf("write server config: %v", err)
|
||||
}
|
||||
// WriteMasterKeySalt so ReadServerConfig has a valid salt row.
|
||||
oldSalt, err := crypto.NewSalt()
|
||||
if err != nil {
|
||||
t.Fatalf("gen salt: %v", err)
|
||||
}
|
||||
if err := tool.db.WriteMasterKeySalt(oldSalt); err != nil {
|
||||
t.Fatalf("write salt: %v", err)
|
||||
}
|
||||
|
||||
// ── Setup: account with TOTP ──
|
||||
a, err := tool.db.CreateAccount("rekeyuser", "human", "")
|
||||
if err != nil {
|
||||
t.Fatalf("create account: %v", err)
|
||||
}
|
||||
totpSecret := []byte("JBSWY3DPEHPK3PXP")
|
||||
totpEnc, totpNonce, err := crypto.SealAESGCM(tool.masterKey, totpSecret)
|
||||
if err != nil {
|
||||
t.Fatalf("seal totp: %v", err)
|
||||
}
|
||||
if err := tool.db.SetTOTP(a.ID, totpEnc, totpNonce); err != nil {
|
||||
t.Fatalf("set totp: %v", err)
|
||||
}
|
||||
|
||||
// ── Setup: pg credentials ──
|
||||
pgPass := []byte("pgpassword123")
|
||||
pgEnc, pgNonce, err := crypto.SealAESGCM(tool.masterKey, pgPass)
|
||||
if err != nil {
|
||||
t.Fatalf("seal pg pass: %v", err)
|
||||
}
|
||||
if err := tool.db.WritePGCredentials(a.ID, "localhost", 5432, "mydb", "myuser", pgEnc, pgNonce); err != nil {
|
||||
t.Fatalf("write pg creds: %v", err)
|
||||
}
|
||||
|
||||
// ── Pipe new passphrase twice into stdin ──
|
||||
const newPassphrase = "new-master-passphrase-for-test"
|
||||
r, w, err := os.Pipe()
|
||||
if err != nil {
|
||||
t.Fatalf("create stdin pipe: %v", err)
|
||||
}
|
||||
origStdin := os.Stdin
|
||||
os.Stdin = r
|
||||
t.Cleanup(func() { os.Stdin = origStdin })
|
||||
if _, err := fmt.Fprintf(w, "%s\n%s\n", newPassphrase, newPassphrase); err != nil {
|
||||
t.Fatalf("write stdin: %v", err)
|
||||
}
|
||||
_ = w.Close()
|
||||
|
||||
// ── Execute rekey ──
|
||||
tool.runRekey(nil)
|
||||
|
||||
// ── Derive new key from stored salt + new passphrase ──
|
||||
newSalt, err := tool.db.ReadMasterKeySalt()
|
||||
if err != nil {
|
||||
t.Fatalf("read new salt: %v", err)
|
||||
}
|
||||
newKey, err := crypto.DeriveKey(newPassphrase, newSalt)
|
||||
if err != nil {
|
||||
t.Fatalf("derive new key: %v", err)
|
||||
}
|
||||
defer func() {
|
||||
for i := range newKey {
|
||||
newKey[i] = 0
|
||||
}
|
||||
}()
|
||||
|
||||
// Signing key must decrypt with new key.
|
||||
newSigEnc, newSigNonce, err := tool.db.ReadServerConfig()
|
||||
if err != nil {
|
||||
t.Fatalf("read server config after rekey: %v", err)
|
||||
}
|
||||
decPEM, err := crypto.OpenAESGCM(newKey, newSigNonce, newSigEnc)
|
||||
if err != nil {
|
||||
t.Fatalf("decrypt signing key with new key: %v", err)
|
||||
}
|
||||
if string(decPEM) != string(sigKeyPEM) {
|
||||
t.Error("signing key PEM mismatch after rekey")
|
||||
}
|
||||
|
||||
// Old key must NOT decrypt the re-encrypted signing key.
|
||||
// Security: adversarial check that old key is invalidated.
|
||||
if _, err := crypto.OpenAESGCM(tool.masterKey, newSigNonce, newSigEnc); err == nil {
|
||||
t.Error("old key still decrypts signing key after rekey — ciphertext was not replaced")
|
||||
}
|
||||
|
||||
// TOTP must decrypt with new key.
|
||||
updatedAcct, err := tool.db.GetAccountByUUID(a.UUID)
|
||||
if err != nil {
|
||||
t.Fatalf("get account after rekey: %v", err)
|
||||
}
|
||||
decTOTP, err := crypto.OpenAESGCM(newKey, updatedAcct.TOTPSecretNonce, updatedAcct.TOTPSecretEnc)
|
||||
if err != nil {
|
||||
t.Fatalf("decrypt TOTP with new key: %v", err)
|
||||
}
|
||||
if string(decTOTP) != string(totpSecret) {
|
||||
t.Errorf("TOTP mismatch: got %q, want %q", decTOTP, totpSecret)
|
||||
}
|
||||
|
||||
// pg password must decrypt with new key.
|
||||
updatedCred, err := tool.db.ReadPGCredentials(a.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("read pg creds after rekey: %v", err)
|
||||
}
|
||||
decPG, err := crypto.OpenAESGCM(newKey, updatedCred.PGPasswordNonce, updatedCred.PGPasswordEnc)
|
||||
if err != nil {
|
||||
t.Fatalf("decrypt pg password with new key: %v", err)
|
||||
}
|
||||
if string(decPG) != string(pgPass) {
|
||||
t.Errorf("pg password mismatch: got %q, want %q", decPG, pgPass)
|
||||
}
|
||||
}
|
||||
|
||||
154
cmd/mciasdb/rekey.go
Normal file
154
cmd/mciasdb/rekey.go
Normal file
@@ -0,0 +1,154 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcias/internal/crypto"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/db"
|
||||
)
|
||||
|
||||
// runRekey re-encrypts all secrets under a new passphrase-derived master key.
|
||||
//
|
||||
// The current master key (already loaded in tool.masterKey by openDB) is used
|
||||
// to decrypt every encrypted secret: the Ed25519 signing key, all TOTP secrets,
|
||||
// and all Postgres credential passwords. The operator is then prompted for a
|
||||
// new passphrase (confirmed), a fresh Argon2id salt is generated, a new 256-bit
|
||||
// master key is derived, and all secrets are re-encrypted and written back in a
|
||||
// single atomic SQLite transaction.
|
||||
//
|
||||
// Security: The entire re-encryption happens in memory first; the database is
|
||||
// only updated once all ciphertext has been produced successfully. The new
|
||||
// salt replaces the old salt atomically within the same transaction so the
|
||||
// database is never left in a mixed state. Both the old and new master keys
|
||||
// are zeroed in deferred cleanup. No secret material is logged or printed.
|
||||
func (t *tool) runRekey(_ []string) {
|
||||
// ── 1. Decrypt signing key under old master key ──────────────────────
|
||||
sigKeyEnc, sigKeyNonce, err := t.db.ReadServerConfig()
|
||||
if err != nil {
|
||||
fatalf("read server config: %v", err)
|
||||
}
|
||||
sigKeyPEM, err := crypto.OpenAESGCM(t.masterKey, sigKeyNonce, sigKeyEnc)
|
||||
if err != nil {
|
||||
fatalf("decrypt signing key: %v", err)
|
||||
}
|
||||
|
||||
// ── 2. Decrypt all TOTP secrets under old master key ─────────────────
|
||||
totpAccounts, err := t.db.ListAccountsWithTOTP()
|
||||
if err != nil {
|
||||
fatalf("list accounts with TOTP: %v", err)
|
||||
}
|
||||
type totpPlain struct {
|
||||
secret []byte
|
||||
accountID int64
|
||||
}
|
||||
totpPlaintexts := make([]totpPlain, 0, len(totpAccounts))
|
||||
for _, a := range totpAccounts {
|
||||
pt, err := crypto.OpenAESGCM(t.masterKey, a.TOTPSecretNonce, a.TOTPSecretEnc)
|
||||
if err != nil {
|
||||
fatalf("decrypt TOTP secret for account %s: %v", a.Username, err)
|
||||
}
|
||||
totpPlaintexts = append(totpPlaintexts, totpPlain{accountID: a.ID, secret: pt})
|
||||
}
|
||||
|
||||
// ── 3. Decrypt all pg_credentials passwords under old master key ──────
|
||||
pgCreds, err := t.db.ListAllPGCredentials()
|
||||
if err != nil {
|
||||
fatalf("list pg credentials: %v", err)
|
||||
}
|
||||
type pgPlain struct {
|
||||
password []byte
|
||||
credID int64
|
||||
}
|
||||
pgPlaintexts := make([]pgPlain, 0, len(pgCreds))
|
||||
for _, c := range pgCreds {
|
||||
pt, err := crypto.OpenAESGCM(t.masterKey, c.PGPasswordNonce, c.PGPasswordEnc)
|
||||
if err != nil {
|
||||
fatalf("decrypt pg password for credential %d: %v", c.ID, err)
|
||||
}
|
||||
pgPlaintexts = append(pgPlaintexts, pgPlain{credID: c.ID, password: pt})
|
||||
}
|
||||
|
||||
// ── 4. Prompt for new passphrase (confirmed) ──────────────────────────
|
||||
fmt.Fprintln(os.Stderr, "Enter new master passphrase (will not echo):")
|
||||
newPassphrase, err := readPassword("New passphrase: ")
|
||||
if err != nil {
|
||||
fatalf("read passphrase: %v", err)
|
||||
}
|
||||
if newPassphrase == "" {
|
||||
fatalf("passphrase must not be empty")
|
||||
}
|
||||
confirm, err := readPassword("Confirm passphrase: ")
|
||||
if err != nil {
|
||||
fatalf("read passphrase confirmation: %v", err)
|
||||
}
|
||||
if newPassphrase != confirm {
|
||||
fatalf("passphrases do not match")
|
||||
}
|
||||
|
||||
// ── 5. Derive new master key ──────────────────────────────────────────
|
||||
// Security: a fresh random salt is generated for every rekey so that the
|
||||
// new key is independent of the old key even if the same passphrase is
|
||||
// reused. The new salt is stored atomically with the re-encrypted secrets.
|
||||
newSalt, err := crypto.NewSalt()
|
||||
if err != nil {
|
||||
fatalf("generate new salt: %v", err)
|
||||
}
|
||||
newKey, err := crypto.DeriveKey(newPassphrase, newSalt)
|
||||
if err != nil {
|
||||
fatalf("derive new master key: %v", err)
|
||||
}
|
||||
// Zero both keys when done, regardless of outcome.
|
||||
defer func() {
|
||||
for i := range newKey {
|
||||
newKey[i] = 0
|
||||
}
|
||||
}()
|
||||
|
||||
// ── 6. Re-encrypt signing key ─────────────────────────────────────────
|
||||
newSigKeyEnc, newSigKeyNonce, err := crypto.SealAESGCM(newKey, sigKeyPEM)
|
||||
if err != nil {
|
||||
fatalf("re-encrypt signing key: %v", err)
|
||||
}
|
||||
|
||||
// ── 7. Re-encrypt TOTP secrets ────────────────────────────────────────
|
||||
totpRows := make([]db.TOTPRekeyRow, 0, len(totpPlaintexts))
|
||||
for _, tp := range totpPlaintexts {
|
||||
enc, nonce, err := crypto.SealAESGCM(newKey, tp.secret)
|
||||
if err != nil {
|
||||
fatalf("re-encrypt TOTP secret for account %d: %v", tp.accountID, err)
|
||||
}
|
||||
totpRows = append(totpRows, db.TOTPRekeyRow{
|
||||
AccountID: tp.accountID,
|
||||
Enc: enc,
|
||||
Nonce: nonce,
|
||||
})
|
||||
}
|
||||
|
||||
// ── 8. Re-encrypt pg_credentials passwords ────────────────────────────
|
||||
pgRows := make([]db.PGRekeyRow, 0, len(pgPlaintexts))
|
||||
for _, pp := range pgPlaintexts {
|
||||
enc, nonce, err := crypto.SealAESGCM(newKey, pp.password)
|
||||
if err != nil {
|
||||
fatalf("re-encrypt pg password for credential %d: %v", pp.credID, err)
|
||||
}
|
||||
pgRows = append(pgRows, db.PGRekeyRow{
|
||||
CredentialID: pp.credID,
|
||||
Enc: enc,
|
||||
Nonce: nonce,
|
||||
})
|
||||
}
|
||||
|
||||
// ── 9. Atomic commit ──────────────────────────────────────────────────
|
||||
if err := t.db.Rekey(newSalt, newSigKeyEnc, newSigKeyNonce, totpRows, pgRows); err != nil {
|
||||
fatalf("rekey database: %v", err)
|
||||
}
|
||||
|
||||
if err := t.db.WriteAuditEvent("master_key_rekeyed", nil, nil, "", `{"actor":"mciasdb"}`); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
|
||||
}
|
||||
|
||||
fmt.Printf("Rekey complete: %d TOTP secrets and %d pg credentials re-encrypted.\n",
|
||||
len(totpRows), len(pgRows))
|
||||
fmt.Fprintln(os.Stderr, "Update your mcias.toml or passphrase environment variable to use the new passphrase.")
|
||||
}
|
||||
Reference in New Issue
Block a user