feat(encryption): refactor encryption provider scripts, update KMS integration, and enhance key management

This commit is contained in:
2025-05-12 22:43:42 +02:00
parent 05d1624bdd
commit 15b07ea85d
19 changed files with 497 additions and 39 deletions
@@ -1,6 +1,8 @@
#!/bin/bash
if [ "$#" -ne 3 ]; then
echo "Usage: $0 <keyserver>" "<image>" "<device>"
echo "Example: $0 https://keyserver.example.com /path/to/image.img <device>"
echo "Example: $0 https://keyserver.example.com /path/to/image.img /dev/mapper/crypt1"
exit 1
fi
@@ -0,0 +1,78 @@
#!/bin/bash
#!/bin/bash
if [ "$#" -lt 1 ]; then
echo "Usage: $0 <keyserver>" "[socket]"
echo "Example: $0 https://keyserver.example.com"
echo "Example: $0 https://keyserver.example.com /var/run/kmsplugin/socket.sock"
exit 1
fi
KEYSERVER=$1
SOCKET=${2:-/var/run/kmsplugin/socket.sock}
# if keyserver is not reachable, exit
if ! curl -s -I $KEYSERVER > /dev/null; then
logger "start_encryption_provider: Key server not reachable, exiting."
exit 1
fi
uuid=$(cat /proc/cpuinfo | grep 'model name' | head -1)
uuid+=$(ip link show eth0 | grep ether | awk '{print $2}')
uuid+=$(sudo dmidecode -s system-uuid)
KEYID=$(echo -n "$uuid" | md5sum | awk '{print $1}')
logger "start_encryption_provider: Downloading key from key server,"
LOCALKEYFILE=$(mktemp)
curl -s -o $LOCALKEYFILE $KEYSERVER/$KEYID-encryption-service-credentials.json
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to download key from key server"
rm $LOCALKEYFILE
exit 1
fi
logger "start_encryption_provider: Key downloaded successfully, extracting credentials"
export AWS_ACCESS_KEY_ID=$(jq -r '.access_key' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract AWS credentials from key file"
rm $LOCALKEYFILE
exit 1
fi
export AWS_SECRET_ACCESS_KEY=$(jq -r '.secret_key' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract AWS credentials from key file"
rm $LOCALKEYFILE
exit 1
fi
KEYARN=$(jq -r '.key_arn' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract KMS key ARN from key file"
rm $LOCALKEYFILE
exit 1
fi
REGION=$(jq -r '.region' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to extract region from key file"
rm $LOCALKEYFILE
exit 1
fi
logger "start_encryption_provider: Removing key file"
rm $LOCALKEYFILE
logger "start_encryption_provider: Starting encryption provider"
mkdir {{ encryption_kms_socket_dir | dirname }} }} 2>/dev/null || true
chmod 700 {{ encryption_kms_socket_dir | dirname }} 2>/dev/null
if [ ! -f /usr/local/bin/aws-encryption-provider ]; then
logger "start_encryption_provider: Encryption provider not found, exiting."
exit 1
fi
/usr/local/bin/aws-encryption-provider --key=$KEYARN --region=$REGION --listen=$SOCKET
if [ $? -ne 0 ]; then
logger "start_encryption_provider: Failed to start encryption provider"
exit 1
fi
exit 0