chamber secure --resecure no longer works
Closed this issue · 15 comments
Current Behavior
`chamber secure --resecure` is described on this page of the docs, linked from this page on re-securing. It seems like a helpful feature for my use case - rotating the keys used to encrypt the config. There are two main use cases for this: security policy mandates rotating keys, and a leak of the key.
Steps to Reproduce
- Run `chamber secure --resecure` on the command line
- Receive `ERROR: "chamber secure" was called with arguments ["--resecure"]`
The option appears not to exist in the task description file, which would explain why it doesn't work.
Expected Behavior
Chamber should give you the option to recreate the keys. The docs aren't actually clear on what should happen, actually. At the very least, the docs should be updated to match the gem's functionality.
Environment
- Device: 2021 MacBook Pro
- OS: macOS
- OS Version: Monterey
- Running Ruby via asdf
- Other commands with Chamber CLI work
I've tried a workaround by:
- Renaming all keys
- Regenerating keys using `chamber init`
- Running `chamber secure` using the optional decrypt/encrypt key flags to decrypt with old key and encrypt using new key: `chamber secure --decryption-keys=/Users/ed/dev/app/.chamber_old.pem --encryption-keys=/Users/ed/dev/app/.chamber.pub.pem`
However, this doesn't work. Please could you advise how to handle rotating the keys?
In case it helps, it's a Rails app with Chamber config in `config/settings.yml`. `chamber secure` has always worked fine without having to add extra flags etc.
It sounds like this will be useful with the Heroku breach potentially requiring re-securing of all keys. It seems like this feature hasn't actually been implemented yet so perhaps we can reconsider the best approach?
I'm wondering if `chamber resecure` would be preferable to `chamber secure --resecure`. Or, perhaps, a `chamber unsecure` command which simply decrypts all existing keys. This might be preferable because it's simpler, would be required as part of a "resecure" command, and would decrypt with the existing keys so no additional flags would be required. Then the user can update/swap the keys as required and run `chamber secure` as normal.
Unless there's other feedback on a direction, I might take a stab at building `unsecure` this week since I think this is a blocker for our team
@ideasasylum `chamber unsecure` is an excellent idea. We can then compose that command (manually or via Thor) with `secure`.
One thing that would be handy though, is moving the keys around. I found when I was attempting earlier that renaming all the key files (up to four when you have public key, encrypted private key, password file, and unencrypted private key), and then creating the new keys, was a little complex.
Would love it if you have time to take a stab. I'm happy to input and review.
To follow up: I did take a stab at this and I think I have something working but I can't get the test suite to pass locally, even on `master`. Perhaps I'm missing a key or something @jfelchner?
These are the failing specs for me:
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:14 # Chamber::Adapters::Cloud::CircleCi can retrieve environment variables
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:53 # Chamber::Adapters::Cloud::CircleCi can properly display errors
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:23 # Chamber::Adapters::Cloud::CircleCi can add environment variables
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:38 # Chamber::Adapters::Cloud::CircleCi knows to convert newlines to literal \n strings
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:67 # Chamber::Adapters::Cloud::CircleCi can remove environment variables
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:45 # Chamber::Adapters::Cloud::Heroku can properly display errors
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:33 # Chamber::Adapters::Cloud::Heroku knows to convert newlines to literal \n strings
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:21 # Chamber::Adapters::Cloud::Heroku can add environment variables
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:56 # Chamber::Adapters::Cloud::Heroku can remove environment variables
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:14 # Chamber::Adapters::Cloud::Heroku can retrieve environment variables
all with errors like
10) Chamber::Adapters::Cloud::Heroku can retrieve environment variables
Failure/Error:
fail Chamber::Errors::DecryptionFailure,
"Failed to decrypt #{key} (with an encrypted value of '#{value}') " \
"in your settings."
Chamber::Errors::DecryptionFailure:
Failed to decrypt _secure_api_key (with an encrypted value of 'JL5hAVux4TERpv49QPWxy9H0VC2Rnk7V8/e8+1XOwPcXcoH/a7Lh253UY/v9m8nI/Onb+ZG9nZ082J4M/BmLa+f7jwMEwufIqbUhUah9eKIW8xcxlppBYpl7JVGf2HJF5TfCN44gMQNgGNzboCQXKqRyeGFm4u772Sg9V2gEx/q7qJ6F4jg7v/cltCFLmJfXA2SHA5Dai4p9L4IvMVVJGm34k5j7KOegNqpVWs2RY99cagjPuzc9VM2XSUsXgqcUJdmH8YtPW8Kqkyg0oYlRh6VQWABlWXwTZz74QjTTjqtqfoELIoFTMBDh+cCvuUTAE5m06LhlqauVrB4UnBsd5g==') in your settings.
# ./lib/chamber/filters/failed_decryption_filter.rb:34:in `block in execute'
# ./lib/chamber/filters/failed_decryption_filter.rb:27:in `each_pair'
# ./lib/chamber/filters/failed_decryption_filter.rb:27:in `execute'
# ./lib/chamber/filters/failed_decryption_filter.rb:29:in `block in execute'
# ./lib/chamber/filters/failed_decryption_filter.rb:27:in `each_pair'
# ./lib/chamber/filters/failed_decryption_filter.rb:27:in `execute'
# ./lib/chamber/filters/failed_decryption_filter.rb:11:in `execute'
# ./lib/chamber/settings.rb:313:in `block in data'
# ./lib/chamber/settings.rb:312:in `each'
# ./lib/chamber/settings.rb:312:in `inject'
# ./lib/chamber/settings.rb:312:in `data'
# ./lib/chamber/settings.rb:279:in `method_missing'
# ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:15:in `block (2 levels) in <module:Cloud>'
Do you have a PR/branch @ideasasylum? I could take a look. Did you add/change Heroku functionality? Because I actually couldn't get those commands to work either when I originally tried to sort all of this last month (see issue #76)
@UsAndRufus I've added a draft PR you can take a look at. It's working for me but it's hacky (I've no idea what I'm doing with the Settings filters) and I haven't added any tests.
Hey all! This has been on my list for quite a while but I think I'll actually get finished with it this year at some point. Give me a couple more months and we'll see where we are. I would suggest making sure you're upgraded to the latest Chamber 2.x version which will give you deprecations since this feature will only be implemented on the 3.x branch.
The primary change has been to consolidate all lookups to a single public method rather than having to do massive amounts of metaprogramming (and relying on `hashie`) to do the plethora of lookups that Chamber 2.x did.
@ideasasylum I agree that as a "go small" simply adding a command to decrypt all values may be good enough since you can just re-run `chamber secure`.
Also just in case you all weren't aware, chamber will allow you to set up a different key per namespace. Therefore you can have a separate keypair for staging/production. If one is compromised, you don't have to reset all keys everywhere (and you don't have to give every developer in your org the chamber key for production, but the encrypted values can still be checked into your repository).
Let me know if you need any help on v3 or early testers. Looking forward to getting rid of Hashie from our app!
> Also just in case you all weren't aware, chamber will allow you to set up a different key per namespace.
This is actually what I'm doing now to restrict the blast radius the next time this happens
@UsAndRufus @ideasasylum I have time blocked out in December for this. I haven't forgotten about this or #79
@ideasasylum I'm updating wikis and finalizing everything for a 3.0 final release in the next day or two. I will release 3.0 with all the deprecations removed and then almost immediately release a 3.1 with your "unsecure" command.
Thank you all for the patience. I'm only one person and don't have a ton of time to work on this stuff throughout the year.
I've removed `resecure` from the wiki and added a stub for `unsecure` for now. I'll close this in favor of #79
Thanks everyone!
3.1 has been released with `unsecure`!
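
The rotation discussed in this thread (an `unsecure` step with the old key composed with `secure` under a new key), as an added Ruby example that is not Chamber's code and not part of any comment above. The RSA-OAEP padding, the Base64 encoding and all helper names are assumptions made for illustration; only the `_secure_` key prefix comes from the error output in the thread.

```ruby
require "openssl"

SECURE_PREFIX = "_secure_" # key prefix seen in the thread's error output
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING # assumed padding, chosen for this sketch

# Apply the block to every value under a "_secure_" key in a nested hash.
def map_secure(settings, &block)
  settings.each_with_object({}) do |(key, value), out|
    out[key] = if value.is_a?(Hash) then map_secure(value, &block)
               elsif key.start_with?(SECURE_PREFIX) then block.call(value)
               else value
               end
  end
end

# "secure": needs only the public key.
def secure(settings, public_key)
  map_secure(settings) { |plain| [public_key.public_encrypt(plain, OAEP)].pack("m0") }
end

# "unsecure": needs the private key that matches the ciphertext.
def unsecure(settings, private_key)
  map_secure(settings) { |blob| private_key.private_decrypt(blob.unpack1("m0"), OAEP) }
end

# Rotation = unsecure with the old key, then secure with the new one.
def rotate(settings, old_private_key, new_public_key)
  secure(unsecure(settings, old_private_key), new_public_key)
end

# Post-rotation check: can this private key still recover the plaintext?
def readable_with?(settings, private_key, expected)
  unsecure(settings, private_key) == expected
rescue OpenSSL::PKey::PKeyError
  false
end

# Constructed sample settings and throwaway in-memory keys.
old_key = OpenSSL::PKey::RSA.new(2048)
new_key = OpenSSL::PKey::RSA.new(2048)
plain = { "production" => { "_secure_api_key" => "constructed-secret", "host" => "db.example.test" } }

encrypted = secure(plain, old_key.public_key)
rotated = rotate(encrypted, old_key, new_key.public_key)
puts "new key reads rotated file: #{readable_with?(rotated, new_key, plain)}"
puts "old key reads rotated file: #{readable_with?(rotated, old_key, plain)}"
```

Re-encrypting only protects the current file: ciphertext already committed under the old key stays readable to anyone holding that key, so after a leak the underlying secrets themselves also need to be reissued.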