mirror of
https://we.phorge.it/source/phorge.git
synced 2025-01-04 11:51:02 +01:00
67084a6953
Summary: Ref T11140. This makes encryption actually work: - Provide a new configuation option, `keyring`, for specifying encryption keys. - One key may be marked as `default`. This activates AES256 encryption for Files. - Add `bin/files generate-key`. This is helps when generating valid encryption keys. - Add `bin/files encode`. This changes the storage encoding of a file, and helps test encodings and migrate existing data. - Add `bin/files cycle`. This re-encodes the block key with a new master key, if your master key leaks or you're just paraonid. - Document all these options and behaviors. Test Plan: - Configured a bad `keyring`, hit a bunch of different errors. - Used `bin/files generate-key` to try to generate bad keys, got appropriate errors ("raw doesn't support keys", etc). - Used `bin/files generate-key` to generate an AES256 key. - Put the new AES256 key into the `keyring`, without `default`. - Uploaded a new file, verified it still uploaded as raw data (no `default` key yet). - Used `bin/files encode` to change a file to ROT13 and back to raw. Verified old data got deleted and new data got stored properly. - Used `bin/files encode --key ...` to explicitly convert a file to AES256 with my non-default key. - Forced a re-encode of an AES256 file, verified the old data was deleted and a new key and IV were generated. - Used `bin/files cycle` to try to cycle raw/rot13 files, got errors. - Used `bin/files cycle` to cycle AES256 files. Verified metadata changed but file data did not. Verified file data was still decryptable with metadata. - Ran `bin/files cycle --all`. - Ran `encode` and `cycle` on chunked files, saw commands fail properly. These commands operate on the underlying data blocks, not the chunk metadata. - Set key to `default`, uploaded a file, saw it stored as AES256. - Read documentation. Reviewers: chad Reviewed By: chad Maniphest Tasks: T11140 Differential Revision: https://secure.phabricator.com/D16127 |
||
---|---|---|
.. | ||
book | ||
contributor | ||
flavor | ||
tech | ||
user |