jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

DEK alignment dev-staging

Browse Source
This commit is contained in:
Josh 2025-08-09 13:57:47 +00:00
parent b6e0c76de7
commit 61d5dfce2f
2 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
canary_seed.sh Normal file
View File

@ -0,0 +1,30 @@
docker compose run --rm --no-deps server1 node --input-type=module - <<'NODE'
import mysql from 'mysql2/promise';
import { readFile } from 'fs/promises';
import { randomBytes, createCipheriv } from 'crypto';
import { KeyManagementServiceClient } from '@google-cloud/kms';
const kms = new KeyManagementServiceClient();
const wrapped = await readFile(process.env.DEK_PATH);
const [resp] = await kms.decrypt({ name: process.env.KMS_KEY_NAME, ciphertext: wrapped });
const dek = resp.plaintext;
const iv = randomBytes(12);
const c = createCipheriv('aes-256-gcm', dek, iv);
const pt = 'aptiva-canary-v1';
const ct = Buffer.concat([c.update(pt, 'utf8'), c.final()]);
const tag = c.getAuthTag();
const gcm = 'gcm:' + Buffer.concat([iv, tag, ct]).toString('base64');
const pool = await mysql.createPool({
host: process.env.DB_HOST, port: Number(process.env.DB_PORT),
user: process.env.DB_USER, password: process.env.DB_PASSWORD,
database: process.env.DB_NAME,
ssl: { ca: process.env.DB_SSL_CA, cert: process.env.DB_SSL_CERT, key: process.env.DB_SSL_KEY,
minVersion: 'TLSv1.2', rejectUnauthorized: false }
});
await pool.query('CREATE TABLE IF NOT EXISTS encryption_canary (id TINYINT PRIMARY KEY, value TEXT NOT NULL)');
await pool.query('INSERT INTO encryption_canary (id, value) VALUES (1, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [gcm]);
await pool.end();
console.log('✅ canary reseeded');
NODE

17
dek-dev-staging.sh Normal file
View File

@ -0,0 +1,17 @@
# On dev VM
docker run --rm -v aptiva_dek_dev:/run/secrets busybox \
sh -lc 'cat /run/secrets/dev/dek.enc' > /tmp/dek.enc
docker run --rm -v aptiva_dek_dev:/run/secrets busybox \
sh -lc 'cat /run/secrets/dev/dek.fpr' > /tmp/dek.fpr
scp /tmp/dek.enc /tmp/dek.fpr jcoakley@aptiva-staging:~/
# On staging VM
docker run --rm -v aptiva_dek_staging:/run/secrets -v "$HOME":/host busybox sh -lc '
mkdir -p /run/secrets/staging &&
cp /host/dek.enc /run/secrets/staging/dek.enc &&
cp /host/dek.fpr /run/secrets/staging/dek.fpr &&
chown 1000:1000 /run/secrets/staging/dek.* &&
chmod 600 /run/secrets/staging/dek.enc &&
chmod 444 /run/secrets/staging/dek.fpr &&
ls -la /run/secrets/staging
'