31 lines
1.4 KiB
Bash
31 lines
1.4 KiB
Bash
docker compose run --rm --no-deps server1 node --input-type=module - <<'NODE'
|
|
import mysql from 'mysql2/promise';
|
|
import { readFile } from 'fs/promises';
|
|
import { randomBytes, createCipheriv } from 'crypto';
|
|
import { KeyManagementServiceClient } from '@google-cloud/kms';
|
|
|
|
const kms = new KeyManagementServiceClient();
|
|
const wrapped = await readFile(process.env.DEK_PATH);
|
|
const [resp] = await kms.decrypt({ name: process.env.KMS_KEY_NAME, ciphertext: wrapped });
|
|
const dek = resp.plaintext;
|
|
|
|
const iv = randomBytes(12);
|
|
const c = createCipheriv('aes-256-gcm', dek, iv);
|
|
const pt = 'aptiva-canary-v1';
|
|
const ct = Buffer.concat([c.update(pt, 'utf8'), c.final()]);
|
|
const tag = c.getAuthTag();
|
|
const gcm = 'gcm:' + Buffer.concat([iv, tag, ct]).toString('base64');
|
|
|
|
const pool = await mysql.createPool({
|
|
host: process.env.DB_HOST, port: Number(process.env.DB_PORT),
|
|
user: process.env.DB_USER, password: process.env.DB_PASSWORD,
|
|
database: process.env.DB_NAME,
|
|
ssl: { ca: process.env.DB_SSL_CA, cert: process.env.DB_SSL_CERT, key: process.env.DB_SSL_KEY,
|
|
minVersion: 'TLSv1.2', rejectUnauthorized: false }
|
|
});
|
|
await pool.query('CREATE TABLE IF NOT EXISTS encryption_canary (id TINYINT PRIMARY KEY, value TEXT NOT NULL)');
|
|
await pool.query('INSERT INTO encryption_canary (id, value) VALUES (1, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [gcm]);
|
|
await pool.end();
|
|
console.log('✅ canary reseeded');
|
|
NODE
|