Feature Request - Ability to handle encrypted key/values #4545

Closed
nmaludy opened this issue Feb 12, 2019 · 1 comment · Fixed by #4547

nmaludy commented Feb 12, 2019

SUMMARY

Currently, when setting Key/Value pairs with st2 key set or st2 key load (and equivalent API calls) the data must be in a decrypted state. This means that if data is stored in an encrypted state we must decrypt it, then send it to the st2 CLI/API which then encrypts it again. Having this decrypt process fall on the responsibility of the end user requires them to implement this decrypt functionality.

Our use case here is that we have a keys.yaml file that contains all of our datastore key/values that contains encrypted values. This is exactly like grabbing a dump of st2 key list. When we provision a new instance of StackStorm or do a release we load this keys file in via st2 key load. Right now we have to decrypt all of the encrypted data, then pass that decrypted file in to st2 key load. We have to implement this decrypt code on our side and would like to allow StackStorm to handle this crypto work.

I propose allowing st2 key set and st2 key load (or equivalent API calls) to accept already encrypted values. The st2client or st2api would handle the decryption/encryption functions instead of the end user.

ISSUE TYPE
  • Feature Idea

PROPOSAL - st2client

We could implement this on the st2client side for st2 key set by passing a --decrypt flag:

$ st2 key set -e --decrypt test.mysecretvalue ABCD123

On the st2 key load side we would add a new decrypt: true attribute for keys that need their values decrypted.

- name: test.mysecretvalue
  value: ABCD123
  secret: true
  decrypt: true

PROPOSAL - st2api

We could handle the decryption within st2client if we like and pass the data to the API like we do today.

Or we could pass along this decrypt parameter to the API and allow st2api to decrypt and re-encrypt the data (or potentially pass through).

PUT /api/v1/keys/test.mysecretvalue

{
  "name": "test.mysecretvalue",
  "value": "ABCD123",
  "secret": true,
  "decrypt": true
} 

nmaludy commented Feb 12, 2019

@Kami @armab I'm very willing to implement this feature. Would love feedback on what direction you would like me to go.
