def init_crypto(options):
"""
Interactive target to initialize the database with a new crypto passphrase.
"""
print "Initializing crypto for an empty database."
if crypto_util.has_encrypted_data():
raise BuildFailure("Database has existing encrypted contents; use the 'rekey' target instead.")
passphrase = raw_input("Passphrase: ")
print "The database will be initialized with the passphrase between the arrows: --->%s<---" % passphrase
print "The MD5 of the passphrase you entered is: %s" % hashlib.md5(passphrase).hexdigest()
confirm = raw_input("Type 'YES' to confirm passphrase and MD5 are correct: ")
if confirm != 'YES':
raise ValueError("You must enter 'YES' to proceed.")
salt = get_random_bytes(16)
key = crypto_util.derive_key(passphrase=passphrase, salt=salt)
crypto_util.initialize_key_metadata(key=key, salt=salt, force_overwrite=False)
print "Database key metadata has been initialized. Your application is ready for use."
if config.get('debug'):
print "The new key is: %s%s" % (binascii.hexlify(key.encryption_key), binascii.hexlify(key.signing_key))
print "*************************************************************"
print "IMPORTANT"
print "Make sure your database master passphrase is stored somewhere"
print "outside of Ensconce."
print ""
print "There is no recovery mechanism for this passphrase (or for "
print "your database, should you lose it.)"
print "*************************************************************"
def _set_key(self, encryption_key, signing_key):
"""
Sets a key on the ephemeral store; this method also takes care of
setting up the key metadata (otherwise loading mismatched key will fail).
"""
state.secret_key = None
key = MasterKey(encryption_key=encryption_key, signing_key=signing_key)
crypto_util.initialize_key_metadata(key=key, salt=os.urandom(8), force_overwrite=True)
state.secret_key = key
def test_validate_key(self):
""" Ensure successful key validation . """
# Unset the global crypto engine state first.
state.secret_key = None
# Create a new key
ekey = hashlib.sha256('encrypt').digest()
skey = hashlib.sha256('sign').digest()
key = MasterKey(encryption_key=ekey, signing_key=skey)
# Now set new metadata
util.initialize_key_metadata(key=key, salt=os.urandom(8), force_overwrite=True)
# And then validate it.
self.assertTrue(util.validate_key(key=key))
def test_initialize(self):
""" Test initiazation of key metadata. """
ekey = hashlib.sha256('encrypt').digest()
skey = hashlib.sha256('sign').digest()
new_key = MasterKey(encryption_key=ekey, signing_key=skey)
with self.assertRaises(exc.CryptoAlreadyInitialized):
util.initialize_key_metadata(key=new_key, salt=os.urandom(8))
# Uninitailzie engine
state.secret_key = None
with self.assertRaises(exc.ExistingKeyMetadata):
util.initialize_key_metadata(key=new_key, salt=os.urandom(8))
util.initialize_key_metadata(key=new_key, salt=os.urandom(8), force_overwrite=True)
self.assertTrue(util.validate_key(new_key))
def tearDown(self):
# Remove key_metadata rows so that they can be re-initialized.
super(EphemeralStateTest, self).tearDown()
crypto_util.initialize_key_metadata(key=self.SECRET_KEY, salt=os.urandom(8), force_overwrite=True)
def tearDown(self):
# Replace the key_metadata rows in cases test cases have changed this.
super(KeyValidationTest, self).tearDown()
util.initialize_key_metadata(key=self.SECRET_KEY, salt=os.urandom(8), force_overwrite=True)
