Do not generate an ephemeral encryption key in production.#81511
Do not generate an ephemeral encryption key in production.#81511azasypkin merged 3 commits intoelastic:masterfrom
Conversation
1867d85 to
48c4da0
Compare
045755d to
6fb6495
Compare
6fb6495 to
28a6846
Compare
| "ui": true, | ||
| "configPath": ["xpack", "fleet"], | ||
| "requiredPlugins": ["licensing", "data"], | ||
| "requiredPlugins": ["licensing", "data", "encryptedSavedObjects"], |
There was a problem hiding this comment.
note: for 7.12 we decided to not disable plugin automatically and since you still depend SO migrations it makes sense to keep this as a required dependency for now. Let me know if you have any concerns.
There was a problem hiding this comment.
Make sense 👍 and we will fix our SO migration
|
Pinging @elastic/kibana-security (Team:Security) |
|
Pinging @elastic/fleet (Team:Fleet) |
YulNaumenko
left a comment
There was a problem hiding this comment.
Alerting changes LGTM
chrisronline
left a comment
There was a problem hiding this comment.
LGTM for Stack Monitoring!
| } | ||
|
|
||
| export interface EncryptedSavedObjectsPluginSetup { | ||
| canEncrypt: boolean; |
There was a problem hiding this comment.
optional It's probably a good idea to start documenting our public interface
| canEncrypt: boolean; | |
| /** Indicates if Saved Object encryption is possible. Requires an encryption key to be explicitly set via `xpack.encryptedSavedObjects.encryptionKey`. */ | |
| canEncrypt: boolean; |
There was a problem hiding this comment.
Definitely agree, thanks!
| } | ||
| `); | ||
|
|
||
| expect(ConfigSchema.validate({ encryptionKey: 'z'.repeat(32) }, { dist: true })) |
There was a problem hiding this comment.
I know that this is probably "testing the library", but would you mind adding a test to ensure that encryptionKey cannot be null when dist: true? Plugin code checks that the key isn't undefined, but if schema.maybe() ever allowed null, then we would incorrectly assume that an encryption key was set.
There was a problem hiding this comment.
Good idea, will add, thanks
FrankHassanabad
left a comment
There was a problem hiding this comment.
Looked it over for security_solutions, this looks 👍 , lgtm
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
|
7.x/7.12.0: fc4beaf |
* master: (99 commits) [Fleet] Use Fleet Server indices in the search bar (elastic#90835) [Search Sessions] added an info flyout to session management (elastic#90559) [ILM] Revisit searchable snapshot field after new redesign (elastic#90793) [Alerting] License Errors on Alert List View (elastic#89920) RFC Improve saved object migrations algorithm (elastic#84333) [Lens] (Accessibility) Fix focus on drag and drop actions (elastic#90561) Use new shortcut links to Fleet discuss forums. (elastic#90786) Do not generate an ephemeral encryption key in production. (elastic#81511) [Fleet] Use staging registry for snapshot builds (elastic#90327) Actually deleting x-pack/tsconfig.refs.json (elastic#90898) Add deprecation warning to all Beats CM pages. (elastic#90741) skip flaky suite (elastic#90136) Revert "Revert "[Metrics UI] Add Metrics Anomaly Alert Type (elastic#89244)"" (elastic#90889) remove ref to removed tsconfig file [core.logging] Uses host timezone as default (elastic#90368) [Maps] remove maps_file_upload plugin and fold public folder into file_upload plugin (elastic#90292) Revert "[Metrics UI] Add Metrics Anomaly Alert Type (elastic#89244)" [dev-utils/ci-stats] support disabling ship errors (elastic#90851) Prefix with / (elastic#90836) [Metrics UI] Add Metrics Anomaly Alert Type (elastic#89244) ...
Currently we generate a random encryption key if it's not specified by default when Kibana is run in production setup (
dist === true). After this PR we won't be automatically generating a random key in production in case it's not explicitly specified. We're also exposingcanEncryptproperty in thesetupcontract to help consumers figure out if ESO is able to perform encryption\decryption or not (instead ofusingEphemeralEncryptionKey).Note to reviewers: we initially planned to disable ESO plugin if encryption key isn't specified, but we later figured out that it can introduce non-trivial issues with Saved Objects migrations, so we decided not to do that for now.
Fixes: #79943
Release note
Previously Kibana was mistakenly allowed to perform a number of operations (e.g. migrations) with Saved Objects (alerts, actions etc.) using the ephemeral encryption key that's automatically generated when
xpack.encryptedSavedObjects.encryptionKeyisn't specified. This could potentially lead to a data-loss since ephemeral key is lost after restart. It's no longer the case with this fix.