def _bootstrap(self, secrets):
    """
    Load the SECRETS_BOOTSTRAP envelope and return the decrypted secrets.

    ``secrets`` is either an inline JSON document or a ``file://``
    reference to a JSON file. The envelope must provide a base64-encoded
    ``data_key`` and an encrypted ``secrets`` token. Uses KMS to decrypt
    (per the original docstring; the unwrap itself is delegated to
    ``cryptolib.decrypt_datakey``).

    Returns an empty dict when ``secrets`` is falsy or the referenced file
    cannot be opened. Malformed JSON, missing envelope keys and decryption
    failures are not caught here and propagate to the caller.
    """
    if not secrets:
        logging.info('SECRETS_BOOTSTRAP not set, skipping bootstrapping.')
        return {}

    file_scheme = 'file://'
    if not secrets.startswith(file_scheme):
        envelope = json.loads(secrets)
    else:
        try:
            with open(secrets[len(file_scheme):], 'r') as handle:
                envelope = json.load(handle)
        except IOError:
            # NOTE(review): an unreadable bootstrap file yields the same {}
            # as an unset variable, so the caller cannot tell "not
            # configured" from "configured but missing" -- confirm that
            # starting without bootstrap secrets is acceptable here.
            logging.error(
                'Failed to load file specified in SECRETS_BOOTSTRAP.'
            )
            return {}

    # The wrapped data key is unwrapped under a fixed encryption context
    # that marks it as bootstrap material.
    wrapped_key = base64.b64decode(envelope['data_key'])
    fernet_key = cryptolib.decrypt_datakey(wrapped_key, {'type': 'bootstrap'})
    cipher = Fernet(fernet_key)
    token = envelope['secrets'].encode('utf-8')
    # safe_load keeps the decrypted document from instantiating arbitrary
    # Python objects.
    decrypted_secrets = yaml.safe_load(cipher.decrypt(token))
    logging.info('Loaded SECRETS_BOOTSTRAP.')
    return decrypted_secrets
def _bootstrap(secrets):
    """
    Decrypt the bootstrap secrets envelope and return its contents.

    ``secrets`` holds either the JSON envelope itself or a ``file://``
    reference to a file containing it. The envelope's ``data_key``
    (base64) is unwrapped with ``cryptolib.decrypt_datakey`` and the
    result is used as the Fernet key for the ``secrets`` token, whose
    plaintext is parsed as YAML.

    Returns an empty dict when ``secrets`` is falsy or the referenced file
    cannot be opened; JSON, key-lookup and decryption errors propagate.
    """
    if not secrets:
        logging.info('SECRETS_BOOTSTRAP not set, skipping bootstrapping.')
        return {}

    if secrets.startswith('file://'):
        bootstrap_path = secrets[7:]  # drop the 'file://' prefix
        try:
            with open(bootstrap_path, 'r') as source:
                payload = json.load(source)
        except IOError:
            # NOTE(review): a missing or unreadable file is reported only
            # in the log; the caller receives {} exactly as if nothing was
            # configured -- confirm this fail-open default is intended.
            logging.error(
                'Failed to load file specified in SECRETS_BOOTSTRAP.'
            )
            return {}
    else:
        payload = json.loads(secrets)

    # Fixed encryption context identifying this as bootstrap material.
    context = {'type': 'bootstrap'}
    key = cryptolib.decrypt_datakey(
        base64.b64decode(payload['data_key']),
        context
    )
    fernet = Fernet(key)
    plaintext = fernet.decrypt(payload['secrets'].encode('utf-8'))
    # safe_load: the decrypted YAML cannot construct arbitrary objects.
    decrypted_secrets = yaml.safe_load(plaintext)
    logging.info('Loaded SECRETS_BOOTSTRAP.')
    return decrypted_secrets
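def decrypt_datakey(data_key, encryption_context=None):
    '''
    Decrypt a datakey.

    data_key is the encrypted data key as bytes (it is hashed with
    SHA-256 to form the cache key). encryption_context is passed through
    to cryptolib.decrypt_datakey on a cache miss.

    When app.config['USE_ENCRYPTION'] is exactly False, a warning is
    logged and the result of cryptolib.decrypt_mock_datakey is returned
    without touching the cache. Otherwise the plaintext key is returned
    from DATAKEYS, decrypting and storing it first if it is not cached.
    '''
    # Disabled encryption is dangerous, so we don't use falsiness here.
    if app.config['USE_ENCRYPTION'] is False:
        # Message typo ('Decypting') fixed so log searches and alert rules
        # that match on 'Decrypting a mock data key' see this warning.
        logging.warning('Decrypting a mock data key in'
                        ' keymanager.decrypt_datakey. If you are not running'
                        ' in a development or test environment, this should'
                        ' not be happening!')
        return cryptolib.decrypt_mock_datakey(data_key)
    # NOTE(review): the cache is keyed on the encrypted key alone, so a
    # cache hit returns the plaintext without encryption_context being
    # checked again. Confirm no caller relies on the context check for a
    # data key that may already be cached. No eviction is visible in this
    # function, so plaintext keys appear to stay in DATAKEYS once stored.
    sha = hashlib.sha256(data_key).hexdigest()
    if sha not in DATAKEYS:
        # Only cache misses are counted as at-rest decrypt actions.
        stats.incr('at_rest_action')
        plaintext = cryptolib.decrypt_datakey(data_key, encryption_context)
        DATAKEYS[sha] = plaintext
    return DATAKEYS[sha]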
def decrypt_datakey(data_key, encryption_context=None):
    '''
    Return the plaintext for an encrypted data key, using a process cache.

    data_key is the encrypted data key as bytes; its SHA-256 hex digest is
    the key into _DATAKEYS. encryption_context is forwarded to
    cryptolib.decrypt_datakey on a cache miss, together with the at-rest
    KMS client.

    When settings.USE_ENCRYPTION is exactly False, a warning is logged and
    the result of cryptolib.decrypt_mock_datakey is returned instead.
    '''
    # The client is fetched before the USE_ENCRYPTION check, so this call
    # also happens on the mock path and on cache hits.
    at_rest_kms_client = _get_at_rest_kms_client()

    # Disabled encryption is dangerous, so only an explicit False (not any
    # falsy value) selects the mock path.
    if settings.USE_ENCRYPTION is False:
        logger.warning(
            'Decrypting a mock data key in keymanager.decrypt_datakey.'
            ' If you are not running in a development or test environment,'
            ' this should not be happening!')
        return cryptolib.decrypt_mock_datakey(data_key)

    # NOTE(review): the cache key covers only the encrypted key, so a hit
    # returns the plaintext without encryption_context being checked again
    # -- confirm callers do not depend on that check for cached keys.
    digest = hashlib.sha256(data_key).hexdigest()
    if digest in _DATAKEYS:
        return _DATAKEYS[digest]

    # Cache miss: count the at-rest action, decrypt, then remember it.
    stats.incr('at_rest_action')
    _DATAKEYS[digest] = cryptolib.decrypt_datakey(
        data_key,
        encryption_context,
        client=at_rest_kms_client,
    )
    return _DATAKEYS[digest]