Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs stored in a new barrier_keys table, rather than encrypting all barrier entries directly. A v2 ciphertext format (0x02) embeds the key ID so the barrier can resolve which DEK to use on decryption. v1 ciphertext remains supported for backward compatibility. Key changes: - crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs - barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys) - seal: RotateMEK re-wraps DEKs without re-encrypting data - engine: Mount auto-creates per-engine DEK - REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate - proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate - db: migration v2 adds barrier_keys table Also includes: security audit report, CSRF protection, engine design specs (sshca, transit, user), path-bound AAD migration tool, policy engine enhancements, and ARCHITECTURE.md updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -141,7 +141,7 @@ func (m *Manager) Initialize(ctx context.Context, password []byte, params crypto
|
||||
defer crypto.Zeroize(kwk)
|
||||
|
||||
// Encrypt MEK with KWK.
|
||||
encryptedMEK, err := crypto.Encrypt(kwk, mek)
|
||||
encryptedMEK, err := crypto.Encrypt(kwk, mek, nil)
|
||||
if err != nil {
|
||||
crypto.Zeroize(mek)
|
||||
return fmt.Errorf("seal: encrypt mek: %w", err)
|
||||
@@ -220,7 +220,7 @@ func (m *Manager) Unseal(password []byte) error {
|
||||
kwk := crypto.DeriveKey(password, salt, params)
|
||||
defer crypto.Zeroize(kwk)
|
||||
|
||||
mek, err := crypto.Decrypt(kwk, encryptedMEK)
|
||||
mek, err := crypto.Decrypt(kwk, encryptedMEK, nil)
|
||||
if err != nil {
|
||||
m.logger.Debug("unseal failed: invalid password")
|
||||
return ErrInvalidPassword
|
||||
@@ -239,6 +239,79 @@ func (m *Manager) Unseal(password []byte) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// RotateMEK generates a new MEK, re-wraps all DEKs in the barrier, and
|
||||
// updates the encrypted MEK in seal_config. The password is required to
|
||||
// derive the KWK for re-encrypting the new MEK.
|
||||
func (m *Manager) RotateMEK(ctx context.Context, password []byte) error {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
if m.state != StateUnsealed {
|
||||
return ErrSealed
|
||||
}
|
||||
|
||||
// Read seal config for KDF params.
|
||||
var (
|
||||
salt []byte
|
||||
argTime, argMem uint32
|
||||
argThreads uint8
|
||||
)
|
||||
err := m.db.QueryRow(`
|
||||
SELECT kdf_salt, argon2_time, argon2_memory, argon2_threads
|
||||
FROM seal_config WHERE id = 1`).Scan(&salt, &argTime, &argMem, &argThreads)
|
||||
if err != nil {
|
||||
return fmt.Errorf("seal: read config: %w", err)
|
||||
}
|
||||
|
||||
// Verify password by decrypting existing MEK.
|
||||
params := crypto.Argon2Params{Time: argTime, Memory: argMem, Threads: argThreads}
|
||||
kwk := crypto.DeriveKey(password, salt, params)
|
||||
defer crypto.Zeroize(kwk)
|
||||
|
||||
var encryptedMEK []byte
|
||||
err = m.db.QueryRow("SELECT encrypted_mek FROM seal_config WHERE id = 1").Scan(&encryptedMEK)
|
||||
if err != nil {
|
||||
return fmt.Errorf("seal: read encrypted mek: %w", err)
|
||||
}
|
||||
_, err = crypto.Decrypt(kwk, encryptedMEK, nil)
|
||||
if err != nil {
|
||||
return ErrInvalidPassword
|
||||
}
|
||||
|
||||
// Generate new MEK.
|
||||
newMEK, err := crypto.GenerateKey()
|
||||
if err != nil {
|
||||
return fmt.Errorf("seal: generate new mek: %w", err)
|
||||
}
|
||||
|
||||
// Re-wrap all DEKs with new MEK.
|
||||
if err := m.barrier.ReWrapKeys(ctx, newMEK); err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: re-wrap keys: %w", err)
|
||||
}
|
||||
|
||||
// Encrypt new MEK with KWK.
|
||||
newEncMEK, err := crypto.Encrypt(kwk, newMEK, nil)
|
||||
if err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: encrypt new mek: %w", err)
|
||||
}
|
||||
|
||||
// Update seal_config.
|
||||
_, err = m.db.ExecContext(ctx,
|
||||
"UPDATE seal_config SET encrypted_mek = ? WHERE id = 1", newEncMEK)
|
||||
if err != nil {
|
||||
crypto.Zeroize(newMEK)
|
||||
return fmt.Errorf("seal: update seal config: %w", err)
|
||||
}
|
||||
|
||||
// Swap in-memory MEK.
|
||||
crypto.Zeroize(m.mek)
|
||||
m.mek = newMEK
|
||||
m.logger.Info("MEK rotated successfully")
|
||||
return nil
|
||||
}
|
||||
|
||||
// Seal seals the service: zeroizes MEK, seals the barrier.
|
||||
func (m *Manager) Seal() error {
|
||||
m.mu.Lock()
|
||||
|
||||
@@ -120,6 +120,94 @@ func TestSealCheckInitializedPersists(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestSealRotateMEK(t *testing.T) {
|
||||
mgr, cleanup := setupSeal(t)
|
||||
defer cleanup()
|
||||
ctx := context.Background()
|
||||
_ = mgr.CheckInitialized()
|
||||
|
||||
password := []byte("test-password")
|
||||
params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
|
||||
_ = mgr.Initialize(ctx, password, params)
|
||||
|
||||
// Create a DEK and write data through the barrier.
|
||||
b := mgr.Barrier()
|
||||
_ = b.CreateKey(ctx, "system")
|
||||
_ = b.CreateKey(ctx, "engine/ca/prod")
|
||||
_ = b.Put(ctx, "policy/rule1", []byte("policy-data"))
|
||||
_ = b.Put(ctx, "engine/ca/prod/cert", []byte("cert-data"))
|
||||
|
||||
// Rotate MEK.
|
||||
if err := mgr.RotateMEK(ctx, password); err != nil {
|
||||
t.Fatalf("RotateMEK: %v", err)
|
||||
}
|
||||
|
||||
// Data should still be readable.
|
||||
got, err := b.Get(ctx, "policy/rule1")
|
||||
if err != nil {
|
||||
t.Fatalf("Get after MEK rotation: %v", err)
|
||||
}
|
||||
if string(got) != "policy-data" {
|
||||
t.Fatalf("data: got %q", got)
|
||||
}
|
||||
|
||||
got2, err := b.Get(ctx, "engine/ca/prod/cert")
|
||||
if err != nil {
|
||||
t.Fatalf("Get engine data after MEK rotation: %v", err)
|
||||
}
|
||||
if string(got2) != "cert-data" {
|
||||
t.Fatalf("data: got %q", got2)
|
||||
}
|
||||
|
||||
// Seal and unseal with the same password should work
|
||||
// (the new MEK is now encrypted with the KWK).
|
||||
if err := mgr.Seal(); err != nil {
|
||||
t.Fatalf("Seal: %v", err)
|
||||
}
|
||||
if err := mgr.Unseal(password); err != nil {
|
||||
t.Fatalf("Unseal after MEK rotation: %v", err)
|
||||
}
|
||||
|
||||
got3, err := b.Get(ctx, "engine/ca/prod/cert")
|
||||
if err != nil {
|
||||
t.Fatalf("Get after seal/unseal: %v", err)
|
||||
}
|
||||
if string(got3) != "cert-data" {
|
||||
t.Fatalf("data after seal/unseal: got %q", got3)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSealRotateMEKWrongPassword(t *testing.T) {
|
||||
mgr, cleanup := setupSeal(t)
|
||||
defer cleanup()
|
||||
ctx := context.Background()
|
||||
_ = mgr.CheckInitialized()
|
||||
|
||||
params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
|
||||
_ = mgr.Initialize(ctx, []byte("correct"), params)
|
||||
|
||||
err := mgr.RotateMEK(ctx, []byte("wrong"))
|
||||
if !errors.Is(err, ErrInvalidPassword) {
|
||||
t.Fatalf("expected ErrInvalidPassword, got: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSealRotateMEKWhenSealed(t *testing.T) {
|
||||
mgr, cleanup := setupSeal(t)
|
||||
defer cleanup()
|
||||
ctx := context.Background()
|
||||
_ = mgr.CheckInitialized()
|
||||
|
||||
params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
|
||||
_ = mgr.Initialize(ctx, []byte("password"), params)
|
||||
_ = mgr.Seal()
|
||||
|
||||
err := mgr.RotateMEK(ctx, []byte("password"))
|
||||
if !errors.Is(err, ErrSealed) {
|
||||
t.Fatalf("expected ErrSealed, got: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSealStateString(t *testing.T) {
|
||||
tests := []struct {
|
||||
want string
|
||||
|
||||
Reference in New Issue
Block a user