From 61d5dfce2f13debff5e7cba661d7a2336c92aed6 Mon Sep 17 00:00:00 2001
From: Josh
Date: Sat, 9 Aug 2025 13:57:47 +0000
Subject: [PATCH] DEK alignment dev-staging
---
 canary_seed.sh | 30 ++++++++++++++++++++++++++++++
 dek-dev-staging.sh | 17 +++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 canary_seed.sh
 create mode 100644 dek-dev-staging.sh
diff --git a/canary_seed.sh b/canary_seed.sh
new file mode 100644
index 0000000..389dd5c
--- /dev/null
+++ b/canary_seed.sh
@@ -0,0 +1,30 @@
+docker compose run --rm --no-deps server1 node --input-type=module - <<'NODE'
+import mysql from 'mysql2/promise';
+import { readFile } from 'fs/promises';
+import { randomBytes, createCipheriv } from 'crypto';
+import { KeyManagementServiceClient } from '@google-cloud/kms';
+
+const kms = new KeyManagementServiceClient();
+const wrapped = await readFile(process.env.DEK_PATH);
+const [resp] = await kms.decrypt({ name: process.env.KMS_KEY_NAME, ciphertext: wrapped });
+const dek = resp.plaintext;
+
+const iv = randomBytes(12);
+const c = createCipheriv('aes-256-gcm', dek, iv);
+const pt = 'aptiva-canary-v1';
+const ct = Buffer.concat([c.update(pt, 'utf8'), c.final()]);
+const tag = c.getAuthTag();
+const gcm = 'gcm:' + Buffer.concat([iv, tag, ct]).toString('base64');
+
+const pool = await mysql.createPool({
+ host: process.env.DB_HOST, port: Number(process.env.DB_PORT),
+ user: process.env.DB_USER, password: process.env.DB_PASSWORD,
+ database: process.env.DB_NAME,
+ ssl: { ca: process.env.DB_SSL_CA, cert: process.env.DB_SSL_CERT, key: process.env.DB_SSL_KEY,
+ minVersion: 'TLSv1.2', rejectUnauthorized: false }
+});
+await pool.query('CREATE TABLE IF NOT EXISTS encryption_canary (id TINYINT PRIMARY KEY, value TEXT NOT NULL)');
+await pool.query('INSERT INTO encryption_canary (id, value) VALUES (1, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [gcm]);
+await pool.end();
+console.log('✅ canary reseeded');
+NODE 
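Review bot: `rejectUnauthorized: false` in the `ssl` block of the `mysql.createPool` call disables server-certificate verification, so the `ca`/`cert`/`key` material supplied right beside it pins nothing and the DB credentials and the canary write travel over a TLS session that any on-path host can terminate; since a CA is already provided, set `rejectUnauthorized: true` and fix whatever certificate mismatch prompted the override instead of suppressing it. The KMS result is consumed as `resp.plaintext` without checking the integrity field Google returns with it; if the client library version in use exposes `plaintextCrc32c`, comparing it before use is cheap and would catch a corrupted unwrap that would otherwise seed a canary later reads cannot decrypt. The `ssl` options are taken verbatim from environment variables — `mysql2` expects PEM content there, so if `DB_SSL_CA` and friends hold file paths the TLS configuration will not do what it appears to, and a one-line comment stating which form is expected would prevent that mistake. The heredoc is `<<'NODE'`, so the `process.env` reads are correctly protected from host-side expansion.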
diff --git a/dek-dev-staging.sh b/dek-dev-staging.sh
new file mode 100644
index 0000000..3316624
--- /dev/null
+++ b/dek-dev-staging.sh
@@ -0,0 +1,17 @@
+# On dev VM
+docker run --rm -v aptiva_dek_dev:/run/secrets busybox \
+ sh -lc 'cat /run/secrets/dev/dek.enc' > /tmp/dek.enc
+docker run --rm -v aptiva_dek_dev:/run/secrets busybox \
+ sh -lc 'cat /run/secrets/dev/dek.fpr' > /tmp/dek.fpr
+scp /tmp/dek.enc /tmp/dek.fpr jcoakley@aptiva-staging:~/
+
+# On staging VM
+docker run --rm -v aptiva_dek_staging:/run/secrets -v "$HOME":/host busybox sh -lc '
+ mkdir -p /run/secrets/staging &&
+ cp /host/dek.enc /run/secrets/staging/dek.enc &&
+ cp /host/dek.fpr /run/secrets/staging/dek.fpr &&
+ chown 1000:1000 /run/secrets/staging/dek.* &&
+ chmod 600 /run/secrets/staging/dek.enc &&
+ chmod 444 /run/secrets/staging/dek.fpr &&
+ ls -la /run/secrets/staging
+'
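Review bot: The `> /tmp/dek.enc` and `> /tmp/dek.fpr` redirects on the dev side create the wrapped-DEK copies under the caller's default umask (typically world-readable) in a shared `/tmp`, and neither those files nor the copies `scp` leaves in `~/` on staging are ever removed, so the wrapped key lingers on two hosts outside the 600-mode volume the staging block is careful to set up. Put `umask 077` before the first `docker run`, add `rm -f /tmp/dek.enc /tmp/dek.fpr` after the `scp`, and on staging run `rm -f "$HOME/dek.enc" "$HOME/dek.fpr"` once the `docker run` has copied them in (or pipe the two `cat`s through `ssh` so nothing touches disk). The material is KMS-wrapped, so what leaks is ciphertext that anyone holding decrypt rights on the KMS key can unwrap rather than the raw DEK — but this commit also makes dev and staging share one DEK, so a compromise of the dev volume or of this transfer now covers staging data as well; if that sharing is deliberate, the `# On dev VM` comment should say so. `dek.fpr` is copied from the same source as `dek.enc`, so nothing on the staging side verifies the transfer; if the fingerprint can be recomputed from `dek.enc`, do that and compare before the `cp`.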