def rekey(options): """ Interactive target to change the passphrase for the database. """ info("This is an EXTREMELY DANGEROUS activity.") info("Backup your database first.") curr_passphrase = raw_input("Current passphrase: ") crypto_util.configure_crypto_state(curr_passphrase) new_passphrase = raw_input("New passphrase: ") confirm = raw_input("MD5 of passphrase is %s (type \"YES\" to confirm): " % hashlib.md5(new_passphrase).hexdigest()) if confirm != 'YES': raise ValueError("You must enter 'YES' to proceed.") if crypto_util.has_encrypted_data(): confirm = raw_input("There is existing encrypted data in the database. Type 'REKEY' to proceed with re-encryption: ") if confirm != 'REKEY': raise ValueError("You must enter 'REKEY' to proceed.") # Use the same salt as previous key new_key = crypto_util.derive_configured_key(new_passphrase) crypto_util.replace_key(new_key=new_key, force=True) info("Re-encryption completed successfully.") if config.get('debug'): print "The new key is: %s%s" % (binascii.hexlify(new_key.encryption_key), binascii.hexlify(new_key.signing_key))
def test_replace_key(self): """ Test replacing the key (and re-encrypting the database). """ self.assertTrue(util.has_encrypted_data()) # Create a new key ekey = hashlib.sha256('new-encrypt').digest() skey = hashlib.sha256('new-sign').digest() new_key = MasterKey(encryption_key=ekey, signing_key=skey) with self.assertRaises(exc.DatabaseAlreadyEncrypted): util.replace_key(new_key) # Check existing passwords for an arbitrary user for (i,pw) in enumerate(self.data.resources['host1.example.com'].passwords.order_by('username')): self.assertEquals('password{0}'.format(i), pw.password_decrypted) util.replace_key(new_key, force=True) # The replace_key functions updates the global state, so this should work: for (i,pw) in enumerate(self.data.resources['host1.example.com'].passwords.order_by('username')): self.assertEquals('password{0}'.format(i), pw.password_decrypted) # But using the old key should, of course, now fail: for (i,pw) in enumerate(self.data.resources['host1.example.com'].passwords.order_by('username')): with self.assertRaises(exc.CryptoAuthenticationFailed): engine.decrypt(pw.password, key=self.SECRET_KEY)