Support AES encryption of the seda_keys.json file #468
Conversation
|
Not leaving direct code comments yet since it's still a draft, but chatting about the ideas: We should log a warning if the key is not set, probably at an initial check for it. So at least this way there's some visible warning. It should say hey this warning is okay to ignore if this is not a prod environment. Or at least something along those lines is standard. Is
Lastly, I think we are fine as far as I could tell looking at the code. But, since this PR's goal is to add in security, we should make sure the env var contents/private keys themselves are never in memory for too long. Or preferably if we have them in memory at all, i.e. more than just as an instant use(although maybe even then), we should use them as byte slices rather than a readable format. It's hard to pick out some bytes among many :). If we do miss it somewhere I imagine this is something a security review would hopefully pick up. |
Thomasvdam
force-pushed
the
feat/aes-encrypt-seda-keys
branch
2 times, most recently
from
fed7886 to
ab4da1b
Compare
Thomasvdam
force-pushed
the
feat/aes-encrypt-seda-keys
branch
2 times, most recently
from
c8c010f to
c18c0ea
Compare
Thomasvdam
force-pushed
the
feat/aes-encrypt-seda-keys
branch
from
c18c0ea to
89117a2
Compare
The original implementation was generating old MsgCreateValidator, which our staking module no longer supports. We're now overriding the method that returns all the possible operations for the staking module and simply replace the MsgCreateValidator with our MsgCreateSEDAValidator.
Thomasvdam
force-pushed
the
feat/aes-encrypt-seda-keys
branch
from
4aee165 to
56ecb8e
Compare
Motivation
As our current implementation requires the keys to be present on the application layer for validator nodes we want to at least enable validator operators to encrypt the
seda_keys.jsonfile using AES.Explanation of Changes
I tried to give the operator various options when generating the SEDA keys file:
--key-file-custom-encryption-keythat instead of generating a random key allows the operator to paste/type a custom key through a password prompt. It asks it twice and compares the 2 entries to make errors slightly less likely.SEDA_KEYS_ENCRYPTION_KEYenvironment variable and the--key-file-custom-encryption-keyflag are set the CLI errors.The node now checks whether the
SEDA_KEYS_ENCRYPTION_KEYenvironment variable is set when starting up and if it's missing the node panics. This behaviour can be overridden by passing the--allow-unencrypted-seda-keysflag to the$BIN startcommand.I also updated the CLI commands to allow overwriting the SEDA keys file with a flag, and if the flag is not set it will prompt the user for confirmation if it's ok to overwrite instead of errroring directly.
Came across
$BIN query wait-txwhile researching the flags and figured it would be useful for our contract deployment script.Testing
Added unit tests for the key file generation and loading.
Changed pubkey CLI add-seda-keys tx unit test to always use
--key-file-no-encryptionas I wasn't sure how to test commands that require user input.Updated scripts to use
--key-file-no-encryptionin the gentx and create-validator transactions.Manually tested the
tx pubkey add-seda-keyscommand with a custom encryption key, a manually generated encryption key, and an encryption key from the environment variables.Tested the contract deployment script by running it manually on a local chain.
Related PRs and Issues
Closes: #368