Generate random salt for key derivation on init (#309)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-05-02 22:34:56 -04:00 · 2022-07-29 09:52:47 +02:00 · 2022-07-29 09:52:47 +02:00 · 9a3bd38912
commit 9a3bd38912
parent e0ce2e8a51
25 changed files with 342 additions and 317 deletions
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
@ -23,8 +23,18 @@ type kmsDeployment struct {
 	ImagePullSecret    k8s.Secret
 }

+// KMSConfig is the configuration needed to set up Constellation's key management service.
+type KMSConfig struct {
+	MasterSecret       []byte
+	Salt               []byte
+	KMSURI             string
+	StorageURI         string
+	KeyEncryptionKeyID string
+	UseExistingKEK     bool
+}
+
 // NewKMSDeployment creates a new *kmsDeployment to use as the key management system inside Constellation.
-func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
+func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment {
 	return &kmsDeployment{
 		ServiceAccount: k8s.ServiceAccount{
 			TypeMeta: meta.TypeMeta{
@ -187,7 +197,11 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
 													Items: []k8s.KeyToPath{
 														{
 															Key:  constants.ConstellationMasterSecretKey,
-															Path: constants.MasterSecretFilename,
+															Path: constants.ConstellationMasterSecretKey,
+														},
+														{
+															Key:  constants.ConstellationMasterSecretSalt,
+															Path: constants.ConstellationMasterSecretSalt,
 														},
 													},
 												},
@ -228,7 +242,8 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
 				Namespace: "kube-system",
 			},
 			Data: map[string][]byte{
-				constants.ConstellationMasterSecretKey: masterSecret,
+				constants.ConstellationMasterSecretKey:  config.MasterSecret,
+				constants.ConstellationMasterSecretSalt: config.Salt,
 			},
 			Type: "Opaque",
 		},
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/kms_test.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/kms_test.go
@ -11,8 +11,7 @@ func TestKMSMarshalUnmarshal(t *testing.T) {
 	require := require.New(t)
 	assert := assert.New(t)

-	testMS := []byte{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8}
-	kmsDepl := NewKMSDeployment("test", testMS)
+	kmsDepl := NewKMSDeployment("test", KMSConfig{MasterSecret: []byte{0x0, 0x1, 0x2}, Salt: []byte{0x3, 0x4, 0x5}})
 	data, err := kmsDepl.Marshal()
 	require.NoError(err)