Backup and restore encryption key

2024-11-07 08:44:07 +01:00 · 2023-10-06 15:41:29 +02:00 · 2023-10-06 15:41:29 +02:00 · 56d82a99e1
commit 56d82a99e1
parent d25f543913
4 changed files with 55 additions and 8 deletions
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@ -301,15 +301,23 @@ var (
 func initEventStore(dataDir string, key string) (activity.Store, string, error) {
 	var err error
 	if key == "" {
-		log.Debugf("generate new activity store encryption key")
-		key, err = sqlite.GenerateKey()
+		log.Debugf("restore or generate new activity store encryption key")
+		key, err = sqlite.RestoreKey(dataDir)
+		if err == nil {
+			goto CreateStore
+		} else {
+			log.Debugf("failed to restore encryption key for activity store: %s", err)
+		}
+
+		log.Infof("generate new encryption key for activity store")
+		key, err = sqlite.GenerateKey(dataDir)
 		if err != nil {
 			return nil, "", err
 		}
 	}
+CreateStore:
 	store, err := sqlite.NewSQLiteStore(dataDir, key)
 	return store, key, err
-
 }

 func notifyStop(msg string) {
--- a/management/server/activity/sqlite/crypt.go
+++ b/management/server/activity/sqlite/crypt.go
@ -7,6 +7,12 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
+	"os"
+	"path/filepath"
+)
+
+const (
+	backupFile = ".datastore.key"
 )

 var iv = []byte{10, 22, 13, 79, 05, 8, 52, 91, 87, 98, 88, 98, 35, 25, 13, 05}
@ -15,16 +21,40 @@ type FieldEncrypt struct {
 	block cipher.Block
 }

-func GenerateKey() (string, error) {
+func RestoreKey(dataDir string) (string, error) {
+	fName := filepath.Join(dataDir, backupFile)
+	data, err := os.ReadFile(fName)
+	return string(data), err
+}
+
+func GenerateKey(dataDir string) (string, error) {
 	key := make([]byte, 32)
 	_, err := rand.Read(key)
 	if err != nil {
 		return "", err
 	}
 	readableKey := base64.StdEncoding.EncodeToString(key)
+
+	err = saveKey(dataDir, readableKey)
+	if err != nil {
+		return "", err
+	}
 	return readableKey, nil
 }

+func saveKey(dataDir, key string) error {
+	f, err := os.Create(filepath.Join(dataDir, backupFile))
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	_, err = f.WriteString(key)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func NewFieldEncrypt(key string) (*FieldEncrypt, error) {
 	binKey, err := base64.StdEncoding.DecodeString(key)
 	if err != nil {
--- a/management/server/activity/sqlite/crypt_test.go
+++ b/management/server/activity/sqlite/crypt_test.go
@ -2,11 +2,20 @@ package sqlite

 import (
 	"testing"
+
+	log "github.com/sirupsen/logrus"
 )

+func TestRestoreKey(t *testing.T) {
+	_, err := RestoreKey(t.TempDir())
+	if err != nil {
+		log.Infof("err: %s", err)
+	}
+}
+
 func TestGenerateKey(t *testing.T) {
 	testData := "exampl@netbird.io"
-	key, err := GenerateKey()
+	key, err := GenerateKey(t.TempDir())
 	if err != nil {
 		t.Fatalf("failed to generate key: %s", err)
 	}
@ -32,7 +41,7 @@ func TestGenerateKey(t *testing.T) {

 func TestCorruptKey(t *testing.T) {
 	testData := "exampl@netbird.io"
-	key, err := GenerateKey()
+	key, err := GenerateKey(t.TempDir())
 	if err != nil {
 		t.Fatalf("failed to generate key: %s", err)
 	}
@ -46,7 +55,7 @@ func TestCorruptKey(t *testing.T) {
 		t.Fatalf("invalid encrypted text")
 	}

-	newKey, err := GenerateKey()
+	newKey, err := GenerateKey(t.TempDir())
 	if err != nil {
 		t.Fatalf("failed to generate key: %s", err)
 	}
--- a/management/server/activity/sqlite/sqlite_test.go
+++ b/management/server/activity/sqlite/sqlite_test.go
@ -12,7 +12,7 @@ import (

 func TestNewSQLiteStore(t *testing.T) {
 	dataDir := t.TempDir()
-	key, _ := GenerateKey()
+	key, _ := GenerateKey(dataDir)
 	store, err := NewSQLiteStore(dataDir, key)
 	if err != nil {
 		t.Fatal(err)