Fix: add root encryption key in the examples env

[victorvhs017]

Description 📣

Fix this issue #4900

Type ✨

• Bug fix
• New feature
• Improvement
• Breaking change
• Documentation

Tests 🛠️

• Check if the docker-compose-dev useing fips image works
• Check if the docker-compose-prod not using fips also works

---

• I have read the contributing guide, agreed and acknowledged the code of conduct. 📝

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR attempts to fix docker-compose deployment issues with FIPS-enabled images by adding ROOT_ENCRYPTION_KEY to the example environment file and prioritizing it over ENCRYPTION_KEY. While the intent is correct, a critical bug was introduced in crypto.ts that breaks base64 validation for encryption keys.

Changes:

• Added ROOT_ENCRYPTION_KEY to .env.example with proper base64-encoded value
• Updated kms-service.ts to prioritize ROOT_ENCRYPTION_KEY over ENCRYPTION_KEY (fixes the "Invalid key length" error)
• Modified crypto.ts to support both encryption key variables in FIPS mode

Critical Issue:

• The base64 validation logic in crypto.ts line 143 was broken during refactoring - it now checks if (!encryptionKey) immediately after confirming encryptionKey exists, meaning the check always fails and base64 validation is completely skipped

Confidence Score: 1/5

• This PR introduces a critical validation bypass that could allow invalid encryption keys in FIPS mode
• While the PR correctly addresses the priority issue between ROOT_ENCRYPTION_KEY and ENCRYPTION_KEY, it introduces a severe logic error in the validation code that completely removes base64 format checking for encryption keys in FIPS mode. This could lead to runtime failures or security vulnerabilities if non-base64 keys are accepted when they shouldn't be.
• Pay close attention to backend/src/lib/crypto/cryptography/crypto.ts - the validation logic on line 143 must be fixed before merging

Important Files Changed

File Analysis

Filename	Score	Overview
backend/src/lib/crypto/cryptography/crypto.ts	1/5	Critical logic error on line 143: base64 validation removed, replaced with check that always evaluates false
backend/src/services/kms/kms-service.ts	5/5	Correctly prioritizes ROOT_ENCRYPTION_KEY over ENCRYPTION_KEY to fix FIPS compatibility issue
.env.example	5/5	Adds ROOT_ENCRYPTION_KEY example value to fix docker-compose setup for FIPS images

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

logic: this check will always evaluate to false since encryptionKey was already verified to be truthy in line 139. This means the validation is skipped entirely.

Suggested change

	if (!encryptionKey) {
	if (!Buffer.from(encryptionKey, "base64")) {

[varonix0]

All changes can be removed, except for the .env.example file, left a comment to explain

[varonix0]

FIPS doesn't use the ROOT_ENCRYPTION_KEY variable. It still uses the ENCRYPTION_KEY variable, internally transforms it to ROOT_ENCRYPTION_KEY.

Suggested change

	# Used for compatibility with the FIPS image
	# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
	ROOT_ENCRYPTION_KEY=RQKPV9co/vf3N7DFBBTu82exLjtTcMLXWjuHBZAjazA=
	# Used for compatibility with the FIPS image. When using FIPS, a base64-encoded 32-bit key is required.
	# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
	ENCRYPTION_KEY=RQKPV9co/vf3N7DFBBTu82exLjtTcMLXWjuHBZAjazA=

[varonix0]

Can be removed, since we are using ENCRYPTION_KEY

[varonix0]

Same as above

[varonix0]

Same comment as above applies for all other changes except the .env.example file