Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)

Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs stored in a new barrier_keys table, rather than encrypting all barrier entries directly. A v2 ciphertext format (0x02) embeds the key ID so the barrier can resolve which DEK to use on decryption. v1 ciphertext remains supported for backward compatibility. Key changes: - crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs - barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys) - seal: RotateMEK re-wraps DEKs without re-encrypting data - engine: Mount auto-creates per-engine DEK - REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate - proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate - db: migration v2 adds barrier_keys table Also includes: security audit report, CSRF protection, engine design specs (sshca, transit, user), path-bound AAD migration tool, policy engine enhancements, and ARCHITECTURE.md updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 18:27:44 -07:00
parent ac4577f778
commit 64d921827e
44 changed files with 5184 additions and 90 deletions
--- a/internal/seal/seal.go
+++ b/internal/seal/seal.go
@@ -141,7 +141,7 @@ func (m *Manager) Initialize(ctx context.Context, password []byte, params crypto
 	defer crypto.Zeroize(kwk)

 	// Encrypt MEK with KWK.
-	encryptedMEK, err := crypto.Encrypt(kwk, mek)
+	encryptedMEK, err := crypto.Encrypt(kwk, mek, nil)
 	if err != nil {
 		crypto.Zeroize(mek)
 		return fmt.Errorf("seal: encrypt mek: %w", err)
@@ -220,7 +220,7 @@ func (m *Manager) Unseal(password []byte) error {
 	kwk := crypto.DeriveKey(password, salt, params)
 	defer crypto.Zeroize(kwk)

-	mek, err := crypto.Decrypt(kwk, encryptedMEK)
+	mek, err := crypto.Decrypt(kwk, encryptedMEK, nil)
 	if err != nil {
 		m.logger.Debug("unseal failed: invalid password")
 		return ErrInvalidPassword
@@ -239,6 +239,79 @@ func (m *Manager) Unseal(password []byte) error {
 	return nil
 }

+// RotateMEK generates a new MEK, re-wraps all DEKs in the barrier, and
+// updates the encrypted MEK in seal_config. The password is required to
+// derive the KWK for re-encrypting the new MEK.
+func (m *Manager) RotateMEK(ctx context.Context, password []byte) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.state != StateUnsealed {
+		return ErrSealed
+	}
+
+	// Read seal config for KDF params.
+	var (
+		salt            []byte
+		argTime, argMem uint32
+		argThreads      uint8
+	)
+	err := m.db.QueryRow(`
+		SELECT kdf_salt, argon2_time, argon2_memory, argon2_threads
+		FROM seal_config WHERE id = 1`).Scan(&salt, &argTime, &argMem, &argThreads)
+	if err != nil {
+		return fmt.Errorf("seal: read config: %w", err)
+	}
+
+	// Verify password by decrypting existing MEK.
+	params := crypto.Argon2Params{Time: argTime, Memory: argMem, Threads: argThreads}
+	kwk := crypto.DeriveKey(password, salt, params)
+	defer crypto.Zeroize(kwk)
+
+	var encryptedMEK []byte
+	err = m.db.QueryRow("SELECT encrypted_mek FROM seal_config WHERE id = 1").Scan(&encryptedMEK)
+	if err != nil {
+		return fmt.Errorf("seal: read encrypted mek: %w", err)
+	}
+	_, err = crypto.Decrypt(kwk, encryptedMEK, nil)
+	if err != nil {
+		return ErrInvalidPassword
+	}
+
+	// Generate new MEK.
+	newMEK, err := crypto.GenerateKey()
+	if err != nil {
+		return fmt.Errorf("seal: generate new mek: %w", err)
+	}
+
+	// Re-wrap all DEKs with new MEK.
+	if err := m.barrier.ReWrapKeys(ctx, newMEK); err != nil {
+		crypto.Zeroize(newMEK)
+		return fmt.Errorf("seal: re-wrap keys: %w", err)
+	}
+
+	// Encrypt new MEK with KWK.
+	newEncMEK, err := crypto.Encrypt(kwk, newMEK, nil)
+	if err != nil {
+		crypto.Zeroize(newMEK)
+		return fmt.Errorf("seal: encrypt new mek: %w", err)
+	}
+
+	// Update seal_config.
+	_, err = m.db.ExecContext(ctx,
+		"UPDATE seal_config SET encrypted_mek = ? WHERE id = 1", newEncMEK)
+	if err != nil {
+		crypto.Zeroize(newMEK)
+		return fmt.Errorf("seal: update seal config: %w", err)
+	}
+
+	// Swap in-memory MEK.
+	crypto.Zeroize(m.mek)
+	m.mek = newMEK
+	m.logger.Info("MEK rotated successfully")
+	return nil
+}
+
 // Seal seals the service: zeroizes MEK, seals the barrier.
 func (m *Manager) Seal() error {
 	m.mu.Lock()