def init_crypto(options): """ Interactive target to initialize the database with a new crypto passphrase. """ print "Initializing crypto for an empty database." if crypto_util.has_encrypted_data(): raise BuildFailure("Database has existing encrypted contents; use the 'rekey' target instead.") passphrase = raw_input("Passphrase: ") print "The database will be initialized with the passphrase between the arrows: --->%s<---" % passphrase print "The MD5 of the passphrase you entered is: %s" % hashlib.md5(passphrase).hexdigest() confirm = raw_input("Type 'YES' to confirm passphrase and MD5 are correct: ") if confirm != 'YES': raise ValueError("You must enter 'YES' to proceed.") salt = get_random_bytes(16) key = crypto_util.derive_key(passphrase=passphrase, salt=salt) crypto_util.initialize_key_metadata(key=key, salt=salt, force_overwrite=False) print "Database key metadata has been initialized. Your application is ready for use." if config.get('debug'): print "The new key is: %s%s" % (binascii.hexlify(key.encryption_key), binascii.hexlify(key.signing_key)) print "*************************************************************" print "IMPORTANT" print "Make sure your database master passphrase is stored somewhere" print "outside of Ensconce." print "" print "There is no recovery mechanism for this passphrase (or for " print "your database, should you lose it.)" print "*************************************************************"
def _set_key(self, encryption_key, signing_key): """ Sets a key on the ephemeral store; this method also takes care of setting up the key metadata (otherwise loading mismatched key will fail). """ state.secret_key = None key = MasterKey(encryption_key=encryption_key, signing_key=signing_key) crypto_util.initialize_key_metadata(key=key, salt=os.urandom(8), force_overwrite=True) state.secret_key = key
def test_validate_key(self): """ Ensure successful key validation . """ # Unset the global crypto engine state first. state.secret_key = None # Create a new key ekey = hashlib.sha256('encrypt').digest() skey = hashlib.sha256('sign').digest() key = MasterKey(encryption_key=ekey, signing_key=skey) # Now set new metadata util.initialize_key_metadata(key=key, salt=os.urandom(8), force_overwrite=True) # And then validate it. self.assertTrue(util.validate_key(key=key))
def test_initialize(self): """ Test initiazation of key metadata. """ ekey = hashlib.sha256('encrypt').digest() skey = hashlib.sha256('sign').digest() new_key = MasterKey(encryption_key=ekey, signing_key=skey) with self.assertRaises(exc.CryptoAlreadyInitialized): util.initialize_key_metadata(key=new_key, salt=os.urandom(8)) # Uninitailzie engine state.secret_key = None with self.assertRaises(exc.ExistingKeyMetadata): util.initialize_key_metadata(key=new_key, salt=os.urandom(8)) util.initialize_key_metadata(key=new_key, salt=os.urandom(8), force_overwrite=True) self.assertTrue(util.validate_key(new_key))
def tearDown(self): # Remove key_metadata rows so that they can be re-initialized. super(EphemeralStateTest, self).tearDown() crypto_util.initialize_key_metadata(key=self.SECRET_KEY, salt=os.urandom(8), force_overwrite=True)
def tearDown(self): # Replace the key_metadata rows in cases test cases have changed this. super(KeyValidationTest, self).tearDown() util.initialize_key_metadata(key=self.SECRET_KEY, salt=os.urandom(8), force_overwrite=True)