From eb47d6a7ca0dabb7451240fcb61df11fad57fda2 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Sat, 30 May 2020 17:57:59 +0200 Subject: [PATCH] WIP encryption is not easy --- docker/bckp/kv_to_s3.go | 54 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 51 insertions(+), 3 deletions(-) diff --git a/docker/bckp/kv_to_s3.go b/docker/bckp/kv_to_s3.go index 76dc0d7..4cc2133 100644 --- a/docker/bckp/kv_to_s3.go +++ b/docker/bckp/kv_to_s3.go @@ -1,21 +1,42 @@ package main import ( "github.com/hashicorp/consul/api" - /*"crypto/aes"*/ + "errors" "log" + "fmt" + "os" + "encoding/base64" /*"github.com/aws/aws-sdk-go/service/s3"*/ ) +const consul_addr string = "KV2S3_CONSUL_ADDR" +const enc_key string = "KV2S3_ENC_KEY" + +const key_exp_bits int = 256 +const key_exp_bytes int = key_exp_bits / 8 + func errIsPanic(err error, format string, a ...interface{}) { if err != nil { log.Panicf(format, a...) } } +func absentIsErr(present bool) error { + if !present { + return errors.New("Environement variable is not set.") + } + return nil +} + func main() { log.Println("starting consul kv backup...") + + //--- Ask Consul to Snapshot our KV + var present bool conf := api.DefaultConfig() - //@FIXME add later support for a different URL + conf.Address, present = os.LookupEnv(consul_addr) + err := absentIsErr(present) + errIsPanic(err, "%v env required. %v", consul_addr, err) //@FIXME add later support for HTTPS options := api.QueryOptions { @@ -26,9 +47,36 @@ func main() { consul, err := api.NewClient(conf) errIsPanic(err, "Unable to build a new client. %v", err) - _, _, err = consul.Snapshot().Save(&options) + reader, _, err := consul.Snapshot().Save(&options) errIsPanic(err, "Snapshot failed. %v", err) + //--- Get encryption key and check it + b64_key, present := os.LookupEnv(enc_key) + err = absentIsErr(present) + errIsPanic(err, "%v env required. %v", enc_key, err) + raw_key, err := base64.StdEncoding.DecodeString(b64_key) + errIsPanic(err, "Unable to decode base64 key. %v", err) + + err = nil + key_size_bytes := len(raw_key) + key_size_bits := key_size_bytes + + if key_size_bytes != key_exp_bytes { + msg := fmt.Sprintf( + "Key size is %d bits (%d bytes) instead of %d bits (%d bytes).", + key_size_bits, + key_size_bytes, + key_exp_bits, + key_exp_bytes) + + err = errors.New(msg) + } + errIsPanic(err, "We deliberately support only 256 bits (32 bytes) keys. %v", err) + + //--- Encryption + // Not a simple thing to do it in a streaming manner + // To understand why age by Filippo Valsorda seems to be a good fit: + // https://neilmadden.blog/2019/12/30/a-few-comments-on-age/ }