Fix: add root encryption key in the examples env

.env.example

@@ -1,7 +1,11 @@
 # Keys
 # Required key for platform encryption/decryption ops
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
-ENCRYPTION_KEY=VVHnGZ0w98WLgISK4XSJcagezuG6EWRFTk48KE4Y5Mw=
+ENCRYPTION_KEY=f13dbc92aaaf86fa7cb0ed8ac3265f47
+
+# Used for compatibility with the FIPS image
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+ROOT_ENCRYPTION_KEY=RQKPV9co/vf3N7DFBBTu82exLjtTcMLXWjuHBZAjazA=
 
 # JWT
 # Required secrets to sign JWT tokens

backend/src/lib/crypto/cryptography/crypto.ts

@@ -17,7 +17,6 @@ import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service";
 
-import { isBase64 } from "../../base64";
 import { getConfig, TEnvConfig } from "../../config/env";
 import { CryptographyError } from "../../errors";
 import { logger } from "../../logger";
@@ -114,7 +113,7 @@ const cryptographyFactory = () => {
     enabled: boolean,
     hsmService: THsmServiceFactory,
     kmsRootConfigDAL: TKmsRootConfigDALFactory,
-    envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY">
+    envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY" | "ROOT_ENCRYPTION_KEY">
   ) => {
     // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key.
     if (enabled) {
@@ -135,18 +134,20 @@ const cryptographyFactory = () => {
 
       // only perform encryption key validation if it's actually required.
       if (needsEncryptionKey) {
-        if (appCfg.ENCRYPTION_KEY) {
+        const encryptionKey = appCfg.ROOT_ENCRYPTION_KEY || appCfg.ENCRYPTION_KEY;
+
+        if (encryptionKey) {
           // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key
 
           // note(daniel): for some reason this resolves as true for some hex-encoded strings.
-          if (!isBase64(appCfg.ENCRYPTION_KEY)) {
+          if (!encryptionKey) {
             throw new CryptographyError({
               message:
                 "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a base64 encoded 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
             });
           }
 
-          if (bytesToBits(Buffer.from(appCfg.ENCRYPTION_KEY, "base64").length) !== 256) {
+          if (bytesToBits(Buffer.from(encryptionKey, "base64").length) !== 256) {
             throw new CryptographyError({
               message:
                 "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"

backend/src/services/kms/kms-service.ts

@@ -828,9 +828,9 @@ export const kmsServiceFactory = ({
   };
 
   const $getBasicEncryptionKey = () => {
-    const encryptionKey = envConfig.ENCRYPTION_KEY || envConfig.ROOT_ENCRYPTION_KEY;
+    const encryptionKey = envConfig.ROOT_ENCRYPTION_KEY || envConfig.ENCRYPTION_KEY;
 
-    const isBase64 = !envConfig.ENCRYPTION_KEY;
+    const isBase64 = envConfig.ROOT_ENCRYPTION_KEY;
     if (!encryptionKey)
       throw new Error(
         "Root encryption key not found for KMS service. Did you set the ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY environment variables?"