diff --git a/.env.example b/.env.example index f67488c23e7..d9d560fa8e8 100644 --- a/.env.example +++ b/.env.example @@ -1,7 +1,11 @@ # Keys # Required key for platform encryption/decryption ops # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION -ENCRYPTION_KEY=VVHnGZ0w98WLgISK4XSJcagezuG6EWRFTk48KE4Y5Mw= +ENCRYPTION_KEY=f13dbc92aaaf86fa7cb0ed8ac3265f47 + +# Used for compatibility with the FIPS image +# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION +ROOT_ENCRYPTION_KEY=RQKPV9co/vf3N7DFBBTu82exLjtTcMLXWjuHBZAjazA= # JWT # Required secrets to sign JWT tokens diff --git a/backend/src/lib/crypto/cryptography/crypto.ts b/backend/src/lib/crypto/cryptography/crypto.ts index 6e2a1574075..9456b45549d 100644 --- a/backend/src/lib/crypto/cryptography/crypto.ts +++ b/backend/src/lib/crypto/cryptography/crypto.ts @@ -17,7 +17,6 @@ import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types"; import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal"; import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service"; -import { isBase64 } from "../../base64"; import { getConfig, TEnvConfig } from "../../config/env"; import { CryptographyError } from "../../errors"; import { logger } from "../../logger"; @@ -114,7 +113,7 @@ const cryptographyFactory = () => { enabled: boolean, hsmService: THsmServiceFactory, kmsRootConfigDAL: TKmsRootConfigDALFactory, - envCfg?: Pick + envCfg?: Pick ) => { // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key. if (enabled) { 
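Review bot: The new comment above ROOT_ENCRYPTION_KEY in the .env.example hunk does not say that this variable takes precedence over ENCRYPTION_KEY when both are set. That precedence is what the crypto.ts and kms-service.ts hunks later in this commit implement, and the example file now sets both. I would extend the comment to something like `# Base64-encoded 256-bit key; when set, it is used instead of ENCRYPTION_KEY`, so that someone copying this file onto an existing install knows which key is in effect. The comment could also state the expected format, since the two sample values visibly differ (32 hex characters versus base64).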
@@ -135,18 +134,20 @@ const cryptographyFactory = () => { // only perform encryption key validation if it's actually required. if (needsEncryptionKey) { - if (appCfg.ENCRYPTION_KEY) { + const encryptionKey = appCfg.ROOT_ENCRYPTION_KEY || appCfg.ENCRYPTION_KEY; + + if (encryptionKey) { // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key // note(daniel): for some reason this resolves as true for some hex-encoded strings. - if (!isBase64(appCfg.ENCRYPTION_KEY)) { + if (!encryptionKey) { throw new CryptographyError({ message: "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a base64 encoded 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`" }); } - if (bytesToBits(Buffer.from(appCfg.ENCRYPTION_KEY, "base64").length) !== 256) { + if (bytesToBits(Buffer.from(encryptionKey, "base64").length) !== 256) { throw new CryptographyError({ message: "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`" diff --git a/backend/src/services/kms/kms-service.ts b/backend/src/services/kms/kms-service.ts index 8f868978dae..8ef071dd800 100644 --- a/backend/src/services/kms/kms-service.ts +++ b/backend/src/services/kms/kms-service.ts @@ -828,9 +828,9 @@ export const kmsServiceFactory = ({ }; const $getBasicEncryptionKey = () => { - const encryptionKey = envConfig.ENCRYPTION_KEY || envConfig.ROOT_ENCRYPTION_KEY; + const encryptionKey = envConfig.ROOT_ENCRYPTION_KEY || envConfig.ENCRYPTION_KEY; - const isBase64 = !envConfig.ENCRYPTION_KEY; + const isBase64 = envConfig.ROOT_ENCRYPTION_KEY; if (!encryptionKey) throw new Error( "Root encryption key not found for KMS service. Did you set the ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY environment variables?"
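Review bot: The replacement condition `if (!encryptionKey)` sits inside `if (encryptionKey) {`, so it can never be true, and the format check that `isBase64` used to perform is gone; only the decoded-length test remains. `Buffer.from(value, "base64")` decodes leniently rather than rejecting malformed input, so a value that is not really base64 but happens to decode to 32 bytes would be accepted as the FIPS key. A canonical round-trip check restores the intent without the hex false positives that the `note(daniel)` comment mentions: `if (Buffer.from(encryptionKey, "base64").toString("base64") !== encryptionKey) {`. Both error messages still name only ENCRYPTION_KEY although the value may now come from ROOT_ENCRYPTION_KEY. The enclosing function starts and ends outside the hunk.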
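Review bot: Reversing the operands in `$getBasicEncryptionKey` changes which key wins when both variables are set: previously ENCRYPTION_KEY was used with `isBase64` false, and now ROOT_ENCRYPTION_KEY is used and flagged as base64. If an existing deployment has both set to unrelated values, data protected under the old choice would presumably no longer decrypt, so this deserves an upgrade note or a startup warning when both are present. The rest of the function is outside the hunk, so confirm how the key and flag are consumed. Separately, `isBase64` now holds the key string itself rather than a boolean; `const isBase64 = Boolean(envConfig.ROOT_ENCRYPTION_KEY);` keeps the flag's type and avoids carrying key material under a name that suggests a harmless flag, which could end up logged or serialized.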