
Enhance encryption security #19253

Merged
BenWilson2 merged 6 commits into mlflow:master from BenWilson2:kek-reuse-hardening
Dec 12, 2025

Conversation

Member

@BenWilson2 BenWilson2 commented Dec 6, 2025


Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19253/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19253/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/19253/merge

Related Issues/PRs

#xxx

What changes are proposed in this pull request?

Changes a few things that I noticed while red-teaming the implementation:

  1. Force the KEK version to be part of the salt. This ensures that if an admin reuses a passphrase in N >= 2 rotations, the KEK will be unique even in this case, protecting against an attack vector of a leaked passphrase that wasn't graveyarded.
  2. Convert the test-verification nonce arg to be private with clear warnings about how dangerous it is to not use a random nonce. We DO need this argument in order to test the encryption / decryption stack, but it does NOT need to be public.
  3. Add NB comments wherever someone might change the secret name in the backend. It is CRITICAL that this name never be made mutable (as it would break decryption). I felt that it was important to protect against foot-gunning in the future.

How is this PR tested?

  • Existing unit/integration tests
  • New unit/integration tests
  • Manual tests

Does this PR require documentation update?

  • No. You can skip the rest of this section.
  • Yes. I've updated:
    • Examples
    • API references
    • Instructions

Release Notes

Is this a user-facing change?

  • No. You can skip the rest of this section.
  • Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

  • area/tracking: Tracking Service, tracking client APIs, autologging
  • area/models: MLmodel format, model serialization/deserialization, flavors
  • area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
  • area/scoring: MLflow Model server, model deployment tools, Spark UDFs
  • area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
  • area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
  • area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
  • area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
  • area/projects: MLproject format, project running backends
  • area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
  • area/build: Build and test infrastructure for MLflow
  • area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

  • rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
  • rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
  • rn/feature - A new user-facing feature worth mentioning in the release notes
  • rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
  • rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?
  • Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
    Bug fixes, doc updates and new features usually go into minor releases.
  • Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
    Bug fixes and doc updates usually go into patch releases.
  • Yes (this PR will be cherry-picked and included in the next patch release)
  • No (this PR will be included in the next minor release)

Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Copilot AI review requested due to automatic review settings December 6, 2025 02:25
@github-actions github-actions bot added the area/tracking (Tracking service, tracking client APIs, autologging) and rn/feature (Mention under Features in Changelogs) labels Dec 6, 2025
@BenWilson2 BenWilson2 added the team-review (Trigger a team review request) label Dec 6, 2025
@BenWilson2
Member Author

@TomeHirata @B-Step62 I was running through some attack scenarios this evening and I managed to find a few ways that security could be degraded / this feature could break if someone didn't read up on these algorithms.
I think it's pretty important to make these changes to harden the security implementation.

Contributor

Copilot AI left a comment


Pull request overview

This PR enhances the security of MLflow's encryption implementation through three key defensive measures identified during red-team testing:

  • Forces KEK version into the PBKDF2 salt to ensure unique KEKs even if an admin accidentally reuses a passphrase across rotations, protecting against leaked passphrase attack vectors
  • Converts the test-verification nonce parameter to private (_nonce) with keyword-only access and prominent warnings to prevent dangerous misuse in production code while preserving testability
  • Adds comprehensive NB (nota bene) comments documenting the critical immutability requirements of secret_id and secret_name fields used in AAD (Additional Authenticated Data) for AES-GCM encryption

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

Files and descriptions:

  • mlflow/utils/crypto.py: Implements versioned salt by appending KEK version as 4 big-endian bytes; refactors encrypt_with_aes_gcm to private _encrypt_with_aes_gcm with _nonce as keyword-only parameter; adds detailed security documentation
  • tests/utils/test_crypto.py: Adds test verifying same passphrase with different versions produces different KEKs; updates all function calls to use _encrypt_with_aes_gcm with keyword argument _nonce
  • mlflow/store/tracking/dbmodels/models.py: Documents immutability constraints for secret_id and secret_name database columns with cross-references to AAD implementation
  • mlflow/entities/gateway_secrets.py: Documents immutability requirements for secret_id and secret_name entity fields with explanation of AAD binding
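The versioned-salt KEK derivation that item 1 of the PR description and the crypto.py summary above describe, as an added example that is not MLflow's own code: the salt layout (base salt followed by the version as 4 big-endian bytes) follows the summary, while the key length, the iteration count and the `rotate_kek` collision guard are assumptions of this example.

```python
import hashlib

KEK_LENGTH = 32               # AES-256 KEK size in bytes (assumption for this example)
VERSION_WIDTH = 4             # KEK version is appended to the salt as 4 big-endian bytes
PBKDF2_ITERATIONS = 100_000   # assumed count, kept low for the demo; MLflow's value is not on this page


def versioned_salt(base_salt: bytes, version: int) -> bytes:
    """Bind the KEK version into the PBKDF2 salt: base_salt || version (4 bytes, big-endian)."""
    if not 0 <= version < (1 << (8 * VERSION_WIDTH)):
        raise ValueError(f"KEK version {version} does not fit in {VERSION_WIDTH} bytes")
    return base_salt + version.to_bytes(VERSION_WIDTH, "big")


def split_versioned_salt(salt: bytes) -> tuple[bytes, int]:
    """Recover (base_salt, version) from a stored versioned salt."""
    if len(salt) <= VERSION_WIDTH:
        raise ValueError("salt too short to carry a version suffix")
    return salt[:-VERSION_WIDTH], int.from_bytes(salt[-VERSION_WIDTH:], "big")


def derive_kek(passphrase: str, base_salt: bytes, version: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the versioned salt; a reused passphrase still yields a new KEK."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), versioned_salt(base_salt, version),
        PBKDF2_ITERATIONS, dklen=KEK_LENGTH,
    )


def rotate_kek(ring: dict[int, bytes], passphrase: str, base_salt: bytes) -> int:
    """Add the next KEK version to `ring`, refusing any KEK that equals one already held."""
    version = max(ring, default=0) + 1
    kek = derive_kek(passphrase, base_salt, version)
    if kek in ring.values():
        raise ValueError("new KEK collides with an existing version; rotation refused")
    ring[version] = kek
    return version


def demo() -> dict:
    """Show the failure mode (unversioned salt) next to the hardened derivation."""
    base_salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; use os.urandom(16) in practice
    passphrase = "admin re-used this passphrase at rotation"          # constructed
    # Without the version in the salt, two rotations with the same passphrase derive the same KEK.
    unversioned = [hashlib.pbkdf2_hmac("sha256", passphrase.encode(), base_salt,
                                       PBKDF2_ITERATIONS, dklen=KEK_LENGTH) for _ in range(2)]
    ring: dict[int, bytes] = {}
    v1 = rotate_kek(ring, passphrase, base_salt)
    v2 = rotate_kek(ring, passphrase, base_salt)
    return {"unversioned_collides": unversioned[0] == unversioned[1],
            "versioned_collides": ring[v1] == ring[v2], "versions": (v1, v2)}
```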


@github-actions
Contributor

github-actions bot commented Dec 6, 2025

Documentation preview for bc10b82 is available at:


def encrypt_with_aes_gcm(
plaintext: bytes, key: bytes, nonce: bytes | None = None, aad: bytes | None = None
def _encrypt_with_aes_gcm(
plaintext: bytes, key: bytes, *, aad: bytes | None = None, _nonce: bytes | None = None
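Review bot: the `*` in `_encrypt_with_aes_gcm(plaintext, key, *, aad=None, _nonce=None)` means any leftover positional call that passed a nonce as the third argument now fails with a TypeError instead of quietly working, which is the loud signal you want at old call sites; the rename also removes the public `encrypt_with_aes_gcm` name, and the reviewed-files list above only shows tests/utils/test_crypto.py as an updated caller, so confirm no other module still imports the old name before merge.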
Collaborator

@serena-ruan serena-ruan Dec 8, 2025


Why do we use _nonce instead of nonce? This is already a private function

Member Author


Even though it's end-user private, this interface is callable internally by developers. I wanted to make this particular field extra clear to devs: it is somewhat dangerous to provide a value for outside of testing (as it degrades the security of encryption to a large degree if a static value is passed in). It's intentionally meant to look abnormal.

aad: Optional Additional Authenticated Data. If provided, this data is
authenticated but not encrypted. Useful for binding encryption to
metadata (e.g., secret_id + secret_name) to prevent substitution attacks.
_nonce: TESTING ONLY. 12-byte nonce. If None (default), generates random nonce.
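Review bot: the docstring's example `secret_id + secret_name` reads as plain concatenation; if the AAD is really built that way, make the encoding unambiguous (a fixed separator or a length prefix between the two fields), since two distinct (id, name) pairs with the same concatenation would validate under each other's AAD and the substitution protection the comment promises would not hold for that pair. The reason `_nonce` is TESTING ONLY, namely that a repeated key/nonce pair in AES-GCM breaks both confidentiality and integrity, is worth one sentence here as well rather than only in the review thread.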
Collaborator


Is this testing only?

Member Author


I'll change the argument name here to make it even more clear :)

Comment on lines +22 to +23
secret_id: Unique identifier for this secret. IMMUTABLE - used in AAD for encryption.
secret_name: User-friendly name for the secret. IMMUTABLE - used in AAD for encryption.
Collaborator


I think this docstring makes no difference; we need to update the code to make it really immutable.

Member Author


The DB API layer already enforces immutability. But, what it doesn't do is actually block updates to this field via a DB trigger that enforces this. In order to prevent any future manipulation, I'll add that constraint.
Thanks for the perspective!

Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
assert all(s.provider == "openai" for s in openai_secrets)


def test_secret_id_and_name_are_immutable_at_database_level(store: SqlAlchemyStore):
Collaborator

@serena-ruan serena-ruan Dec 11, 2025


Could we run this test file in the database job

./tests/db/compose.sh run --rm --no-TTY $service pytest \
tests/store/tracking/test_sqlalchemy_store.py \
tests/store/model_registry/test_sqlalchemy_store.py \
tests/db
?

Member Author


Great idea!! Updated CI config :D



@dataclass
@dataclass(frozen=True)
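Review bot: `frozen=True` turns every attribute assignment on the entity into a `dataclasses.FrozenInstanceError`, so any code path that previously set a field in place (for example stamping `last_updated_at` after an update) has to build a new instance with `dataclasses.replace(...)`; with the default `eq=True`, a frozen dataclass also gains a generated `__hash__`, so instances become hashable, which deserves a line in the docstring if anything relies on it.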
Collaborator


This means last_updated_at can't be updated either; if it's never modified then it's fine.

Member Author


Yep, totally fine: we return a new instance when the API is called, but on the update route for a key, the DB merges the record and updates the last_update_time.

nonce = os.urandom(GCM_NONCE_LENGTH)
elif len(nonce) != GCM_NONCE_LENGTH:
raise ValueError(f"Nonce must be {GCM_NONCE_LENGTH} bytes (96 bits), got {len(nonce)}")
elif len(_nonce_for_testing) != GCM_NONCE_LENGTH:
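Review bot: the new `elif` branches on `_nonce_for_testing` while the `if` branch above assigns `nonce = os.urandom(GCM_NONCE_LENGTH)`; make sure the remaining path assigns `nonce = _nonce_for_testing`, otherwise a test-supplied value never reaches AES-GCM and deterministic test vectors would quietly run with a random nonce while round-trip tests still pass. If the length check is dropped as discussed below, a wrong-size test nonce will surface as an error from the AESGCM call instead of this message, which is acceptable for a test-only argument.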
Collaborator


nit: do we still need this validation if this argument is test only?

Member Author


Thanks for the catch! This is totally not needed :)

Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Collaborator

@serena-ruan serena-ruan left a comment


LGTM! Do we need to add v3.8.0 label?

Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
@BenWilson2 BenWilson2 added this pull request to the merge queue Dec 12, 2025
Merged via the queue into mlflow:master with commit b024559 Dec 12, 2025
47 checks passed
@BenWilson2 BenWilson2 deleted the kek-reuse-hardening branch December 12, 2025 22:02

Labels

area/tracking, rn/feature, team-review, v3.8.0
