encryption: add cli command `cockroach gen encryption-key` #26167
craig[bot] merged 1 commit into cockroachdb:master
pkg/cli/gen.go (Outdated)
    Short: "generate store key for encryption at rest",
    Long: `Generate store key for encryption at rest.

If no size is specified through "--size=48", the size of the key will be 16
We should ask for the AES size, not the file size, otherwise there's little point in having this utility.
We should also require the filename and make it an argument, not a flag value.
eg:
cockroach gen encryption-key -s 128 keys/aes-128.key
Should we require user to input AES size, or use 128 by default?
128 is a reasonable default flag value.
pkg/cli/gen.go (Outdated)
    }

    // Create the file that stores the key.
    keyFile, err := os.Create(encryptionKeyPath)
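Review bot: os.Create at the keyFile line truncates an existing file, so re-running the command with a path that already holds a store key silently overwrites that key; open with `os.OpenFile(encryptionKeyPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)` so an existing file is reported as an error instead, which also sets the restrictive mode at creation time.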
We should create this file with mode 0600 (owner read/write)
@mberhault Updated. But I'm a bit confused why you said this:

The main idea behind the CLI is to make it easier for people to generate a key. A big part of the weirdness is the extra 32 bytes needed as a key ID. So asking for the file size (as opposed to the real key size) doesn't remove that confusion.

Thanks for the clarification!
pkg/cli/gen.go (Outdated)
uh. That's what os.OpenFile is for, you can open a file with a specific mode. Or dump this entire section and use ioutil.WriteFile, it does exactly what you want.
pkg/cli/gen.go (Outdated)
Let's add a message to stdout upon success. eg: successfully created AES-128 key: keys/aes-128.key
pkg/cli/gen.go (Outdated)
Done!
pkg/cli/gen.go (Outdated)
    // 32 bytes are reserved for key ID.
    keySize := aesSize/8 + 32
    b := make([]byte, keySize)
    if n, err := rand.Read(b); err != nil || n != keySize {
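Review bot: aesSize/8 in `keySize := aesSize/8 + 32` silently truncates a size that is not a multiple of 8 (e.g. 100 becomes a 12-byte key with no error) and accepts multiples that are not AES sizes (64, 512), so unless the flag is already validated before this point, reject anything other than 128, 192 or 256 with an error before computing keySize.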
you can skip the n != keySize, crypto/rand.Read guarantees that n == len(b) when err == nil.
Added cli command `cockroach gen encryption-key` to generate store keys for encryption at rest. Encryption CLI: cockroachdb#19783. Release note: None
bors r+
26143: opt: Enable additional logic tests for opt configs r=andy-kimball a=andy-kimball

Enable more logic tests (orms -> snapshot_unrelated_update). Fix various bugs and issues that were failing tests.

26158: cli: fix `cockroach quit` r=knz a=knz

Informs/fixes #25870. Fixes #26144.

This patch fixes the following:
- the logic in `doShutdown()` aims to ignore errors caused by attempts to connect to a server which is closing its gRPC channels, but was missing one case of such errors: during the initial check whether the node was running. This patch causes gRPC "closed connection" errors to become also ignored in that case.
- previously if there was a transient gRPC error during a hard shutdown whereby the shutdown could still succeed, then `cockroach quit` would fail no matter what. This patch makes `cockroach quit` retry a hard shutdown.
- the warning messages are now emitted on stderr (via `log.Warningf`) instead of stdout.

Release note (bug fix): fix a bug where `cockroach quit` would erroneously fail even though the node already successfully shut down.

Release note (cli change): `cockroach quit` now emits warning messages on its standard error stream, not standard output.

26165: roachtest: enable periodic heap prof output for kv/splits/nodes=3 r=tschottdorf a=petermattis

See #26081

Release note: None

26167: encryption: add cli command `cockroach gen encryption-key` r=windchan7 a=windchan7

Added cli command `cockroach gen encryption-key` to generate store keys for encryption at rest. Encryption CLI: #19783.

Release note: None

Co-authored-by: Andrew Kimball <andyk@cockroachlabs.com>
Co-authored-by: Raphael 'kena' Poss <knz@cockroachlabs.com>
Co-authored-by: Peter Mattis <petermattis@gmail.com>
Co-authored-by: Victor Chen <victor@cockroachlabs.com>
Build succeeded

Added cli command `cockroach gen encryption-key` to generate store keys for encryption at rest.
Encryption CLI: #19783.
Release note: None