search

balena-labs-research / secure-store

Secure Store is like a YubiKey for your network, providing encryption and remote decryption of files/folders and environment variables for entire IoT fleets.
MIT License
5 stars 0 forks source link

RClone Config Encrypted file - How to encrypt and what are the base contents in the project file? #2

Open u93 opened 1 year ago

u93 commented 1 year ago

Hi @maggie0002 ,

After trying the project I noticed that the encrypted RClone configuration file has no instructions about how to configure it neither of what are the contents of the file previous to the encryption.

Is it possible to get some info on that?

Thanks

maggie44 commented 1 year ago

Hi,

I'm not sure I entirely understand the question, but you could generate an RClone configuration file to look inside using RClone itself: https://rclone.org/commands/rclone_config/. Once you create a remote it will show you a config file. By default without any encryption or configuration, it could be as simple as:

[local]
type = local

In terms of configuration, it is configured automatically and isn't intended to be edited manually as it contains keys.

u93 commented 1 year ago

Sorry for the lack of better context,

I mean this file: https://github.com/balena-labs-research/secure-store/blob/main/keys/encrypt.conf

That I'm not sure what it does or how it got itself encrypted

maggie44 commented 1 year ago

It is generated in this step from the readme:

Encrypt your files using a secure password. My example password is my-password-eQ4al9jgPxlWDwxL6uiGdznhhVJzaVQPnkNRjwvwoTvqWpeBJJJZ and is included below, replace it with your own.

docker run \
--device /dev/fuse \
--cap-add SYS_ADMIN \
-v ${PWD}/source:/app/source \
-v ${PWD}/encrypted:/app/storage \
-v ${PWD}/keys:/app/keys \
ghcr.io/balena-labs-research/secure-store \
-encrypt-content ./source/. \
-config-path ./keys/encrypt.conf \
-password my-password-eQ4al9jgPxlWDwxL6uiGdznhhVJzaVQPnkNRjwvwoTvqWpeBJJJZ

The files generated in ./keys should be stored in your GitHub Secrets and written to your container on build rather than kept in your GitHub repo but for now we will continue by copying them in to the containers through the Dockerfiles to be more transparent on how it works.

-config-path ./keys/encrypt.conf

You should remove the default encrypt.conf, and then it will generate you a new one.

u93 commented 1 year ago

In that command by specifying -encrypt-content and -config-path if I delete the default it will create a new encrypt.conf and then use it to encrypt the contents of ./source in that order?

Sorry I'm not very familiar with Golang so it's a bit complex to me go over all the code without understanding first how the CLI works...

maggie44 commented 1 year ago

In that command by specifying -encrypt-content and -config-path if I delete the default it will create a new encrypt.conf and then use it to encrypt the contents of ./source in that order?

Yes.

If encrypt.conf exists, it will use that to encrypt the files. If encrypt.conf doesn't exist, it will generate a new key. The better option as you don't want to use the one published here in the public. Then it takes the contents of source/', encrypts it with encrypt.conf key, and produces the encrypted files inencrypted`.

These are good questions, I am going to try and push a change in a minute to make it clearer and to avoid accidentally using the encrypt.conf that is already there.

u93 commented 1 year ago

I think it's great to have a file created there already that works with the Balena application that can be deployed to test... In my case I just struggled understanding the steps and how flexible the process as later I need to adapt this into my own services

maggie44 commented 1 year ago

I was thinking something like this: https://github.com/balena-labs-research/secure-store/pull/3/files

The demo still works, but now when you run the docker command I mentioned above, you see a new encrypt.conf file generated rather than it using the one that already exists. I know it's still not going to be super easy to understand, but think that's a bit better?

u93 commented 1 year ago

It makes sense! If I could add a recommendation, for the commands to start the secure-store client it would be nice to mention that there is an option to force unmount force-unmount for when someone is testing

maggie44 commented 1 year ago

Did you run in to an instance where that was required? Where in the docs would it be helpful?

u93 commented 1 year ago

So when testing with my own password and just the project in general with small variations I made mistakes testing and I would get errors later like:

/app # /app/secure-store -decrypt -local $STORE_PASSWORD ./start.sh 
Attempting decrypt...
 Decrypting environment variable ENCRYPTED_TESTVAR
2023/02/01 16:16:16 mount helper error: fusermount: failed to access mountpoint /app/decrypted: Socket not connected
FATA[0000] failed to mount FUSE fs: fusermount: exit status 1

This would be fixed by doing the same command but like this:

/app/secure-store -decrypt -local $STORE_PASSWORD -force-unmount ./start.sh

But I got lucky that I found the command when checking the secure-store binary and gave it a try so it could be helpful I think to mention it.

maggie44 commented 1 year ago

I see what you mean.

You can run -help on the binary to see all the options:

./secure-store -help
Usage of ./secure-store:
  -base64
        Generate base64 outputs instead of files
  -certificate-path string
        Path for the MTLS certificate (default "./cert.pem")
  -config-path string
        Path for the config file (default "./encrypt.conf")
  -decrypt
        Start the mTLS client, look for a decryption key on the provided address and port and then attempt a decrypt
  -encrypt-content -password
        Encrypt the content of the provided path. This flag requires the -password flag
  -env-only
        Decrypt the encrypted environment variables, but do not create a mount
  -force-unmount
        Attempt a forced unmount of the mount path before mounting
  -generate-keys
        Generate the two mTLS keys and save them as files
  -hostname string
        Override the default hostname for the server and MTLS key configuration (default "localhost")
  -key-path string
        Path for the MTLS key (default "./key.pem")
  -local string
        Create an encrypted mount locally using the provided password
  -new-key
        Generate a random key for use in your Secure Store
  -password -string
        The password to encrypt the string passed via -string
  -path string
        Path for your decrypted content (default "./decrypted")
  -port string
        Override the default port for the client and server (default "8443")
  -server
        Start the mTLS server and listen for key requests
  -string -password
        String to be encrypted. This flag requires the -password flag

Not sure how best to incorporate it. Maybe a note for users to check -help? Or specifically for the force mount? Ideally I try not to copy and paste output commands of -help in to READMEs, in case they change and then forget to update the README.

You think you could raise a PR on wherever you think it would be most helpful to have had that info?

u93 commented 1 year ago

Sure, I'm working right now on the integration of these projects, I'll give it some thought on where I can incorporate it in the README. Initially I think just a note to check the -help option and that there could be helpful information for specific error messages similar to the one I placed above.

I'll give it a bit more thought...