feat(encryption): refactor encryption provider scripts, update KMS integration, and enhance key management

This commit is contained in:
2025-05-12 22:43:42 +02:00
parent 05d1624bdd
commit 15b07ea85d
19 changed files with 497 additions and 39 deletions
@@ -2,9 +2,4 @@
encryption_volumes: []
encryption_volumes_path: /var/lib/encrypted_volumes
encryption_volumes_default_size: 1G
encryption_aws_access_key_id:
encryption_aws_secret_access_key:
encryption_kms_arn:
encryption_kms_region: eu-west-1
encryption_kms_socket: /var/run/kmsplugin/socket.sock
@@ -1,6 +1,8 @@
#!/bin/bash
if [ "$#" -ne 3 ]; then
echo "Usage: $0 <keyserver>" "<image>" "<device>"
echo "Example: $0 https://keyserver.example.com /path/to/image.img <device>"
echo "Example: $0 https://keyserver.example.com /path/to/image.img /dev/mapper/crypt1"
exit 1
fi
@@ -0,0 +1,78 @@
#!/bin/bash
#!/bin/bash
if [ "$#" -lt 1 ]; then
echo "Usage: $0 <keyserver>" "[socket]"
echo "Example: $0 https://keyserver.example.com"
echo "Example: $0 https://keyserver.example.com /var/run/kmsplugin/socket.sock"
exit 1
fi
KEYSERVER=$1
SOCKET=${2:-/var/run/kmsplugin/socket.sock}
# if keyserver is not reachable, exit
if ! curl -s -I $KEYSERVER > /dev/null; then
logger "start_encryption_provider: Key server not reachable, exiting."
exit 1
fi
uuid=$(cat /proc/cpuinfo | grep 'model name' | head -1)
uuid+=$(ip link show eth0 | grep ether | awk '{print $2}')
uuid+=$(sudo dmidecode -s system-uuid)
KEYID=$(echo -n "$uuid" | md5sum | awk '{print $1}')
logger "start_encryption_provider: Downloading key from key server,"
LOCALKEYFILE=$(mktemp)
curl -s -o $LOCALKEYFILE $KEYSERVER/$KEYID-encryption-service-credentials.json
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to download key from key server"
rm $LOCALKEYFILE
exit 1
fi
logger "start_encryption_provider: Key downloaded successfully, extracting credentials"
export AWS_ACCESS_KEY_ID=$(jq -r '.access_key' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract AWS credentials from key file"
rm $LOCALKEYFILE
exit 1
fi
export AWS_SECRET_ACCESS_KEY=$(jq -r '.secret_key' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract AWS credentials from key file"
rm $LOCALKEYFILE
exit 1
fi
KEYARN=$(jq -r '.key_arn' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract KMS key ARN from key file"
rm $LOCALKEYFILE
exit 1
fi
REGION=$(jq -r '.region' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract region from key file"
rm $LOCALKEYFILE
exit 1
fi
logger "start_encryption_provider: Removing key file"
rm $LOCALKEYFILE
logger "start_encryption_provider: Starting encryption provider"
mkdir {{ encryption_kms_socket_dir | dirname }} }} 2>/dev/null || true
chmod 700 {{ encryption_kms_socket_dir | dirname }} 2>/dev/null
if [ ! -f /usr/local/bin/aws-encryption-provider ]; then
logger "start_encryption_provider: Encryption provider not found, exiting."
exit 1
fi
/usr/local/bin/aws-encryption-provider --key=$KEYARN --region=$REGION --listen=$SOCKET
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to start encryption provider"
exit 1
fi
exit 0
+3 -20
View File
@@ -1,33 +1,16 @@
- name: Check if required facts are set
ansible.builtin.fail:
msg: "The following variables are required: encryption_aws_access_key_id, encryption_aws_secret_access_key, encryption_kms_arn"
when:
- encryption_aws_access_key_id is not defined
- encryption_aws_secret_access_key is not defined
- encryption_kms_arn is not defined
- name: Copy aws-encryption-provider binary to the host
become: true
ansible.builtin.copy:
src: aws-encryption-provider
dest: /usr/local/bin/aws-encryption-provider
mode: '0755'
- name: Copy start script to the host
become: true
ansible.builtin.template:
src: start-encryption-provider.sh.j2
dest: /usr/local/bin/start-encryption-provider.sh
mode: '0755'
owner: root
group: root
mode: "0755"
- name: Create KMS socket directory
become: true
ansible.builtin.file:
path: /var/run/kmsplugin
state: directory
mode: '0755'
mode: "0755"
owner: root
group: root
@@ -36,7 +19,7 @@
ansible.builtin.template:
src: aws-encryption-provider.service.j2
dest: /etc/systemd/system/aws-encryption-provider.service
mode: '0644'
mode: "0644"
- name: Reload systemd daemon
become: true
+3 -3
View File
@@ -28,8 +28,9 @@
dest: "/usr/local/bin/"
mode: "0750"
with_items:
- "open_volume"
- "read_system_id"
- open_volume
- read_system_id
- start_encryption_provider
tags:
- roles::encryption::volume
@@ -43,6 +44,5 @@
- name: Create KMS service
ansible.builtin.include_tasks: kms.yml
when: encryption_aws_access_key_id is defined and encryption_aws_secret_access_key is defined and encryption_kms_arn is defined
tags:
- roles::encryption::kms
@@ -5,7 +5,7 @@ Before=snap.microk8s.daemon-kubelite.service
[Service]
Type=simple
ExecStart=/usr/local/bin/start-encryption-provider.sh
ExecStart=/usr/local/bin/start_encryption_provider "{{ key_server }}" "{{ encryption_kms_socket }}"
Restart=on-failure
User=root
@@ -1,6 +0,0 @@
#!/bin/bash
# This script is used to start the encryption provider for the application.
# Managed by Ansible.
export AWS_ACCESS_KEY_ID={{ encryption_aws_access_key_id }}
export AWS_SECRET_ACCESS_KEY={{ encryption_aws_secret_access_key }}
/usr/local/bin/aws-encryption-provider --key={{ encryption_kms_arn }} --region={{ encryption_kms_region }} --listen={{ encryption_kms_socket }}