
[RFC] Encrypt plan artifacts at rest #1634

Open
ZIJ opened this issue Jul 24, 2024 · 1 comment

Comments

@ZIJ
Contributor

ZIJ commented Jul 24, 2024

Currently plan files persisted in workflow artifacts in GitHub are not encrypted (see #817). This is a security concern because plan artifacts contain a snapshot of state, which can contain sensitive data like private keys.

Proposed solution: encrypt plan artifacts at rest

  • Store the encryption key as a DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY secret in GitHub Secrets
  • When plan artifacts are uploaded in plan_storage.go, encrypt the contents of the file with AES-256, something like this: gpg --cipher-algo AES256 --symmetric filename.tar.gz. Using a zip password is not a good idea because it uses a weak cipher.

Open questions

  • Do we need to rotate the encryption key? GitHub Secrets don't seem to have any method for that. We might want to instead integrate with a secret manager like Vault or Infisical.
  • Is there a "standard" way to encrypt workflow artifacts in GitHub? My initial search didn't yield any, but encryption of build artifacts in Actions at rest is hardly a niche problem, so there probably is a somewhat-standard solution.

Other solutions considered

Remove state representation from the plan artifact

Suggested by one of the users; unfortunately it doesn't look feasible because a snapshot of existing state is an integral part of the plan. The purpose of the plan artifact is to capture the state at the time of plan artifact creation, plus the diff on top. This way if the state has moved on since the plan artifact was created and now contains changes that are not compatible with the plan artifact, Terraform is able to compare actual state with the plan time state. See state representation in the Terraform internals docs.

Relevant existing issues

@ZIJ ZIJ changed the title [WIP] [RFC] Encrypt plan artifacts at rest [RFC] Encrypt plan artifacts at rest Jul 24, 2024
@motatoes
Contributor

motatoes commented Jul 25, 2024

Thanks for this RFC; encryption of the state file is indeed much needed. Regarding tooling, I've heard a lot of folks use sops to manage secrets in gitops:

SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.

https://github.com/getsops/sops

I'm not sure if they expose some kind of library which we can wrap around, though; it seems to be built to be used as a CLI tool in a client flow.
