Open hichamuntitled opened 6 years ago
@hichamuntitled We do not provide a tool to encrypt them back - swarm-rafttool decrypt is more of a debugging tool so you can see raft history or downgrade. We do not want to encourage editing raft logs manually - however, you can probably write a tool to get the DEK from the TLS key based on the code in https://github.com/docker/swarmkit/blob/master/cmd/swarm-rafttool/dump.go#L32-L39, create an EncryptedRaftLogger, and write the modified entries and snapshots to a new location.
@cyli The idea behind this is that I want to be able to restore all swarm managers in new VMs, so different IPs than the ones stored in raft logs.
@hichamuntitled Would something like https://github.com/docker/swarmkit/pull/2199 fix your issue instead?
@hichamuntitled Also, I'm dumb. Before raft encryption was added, the raft logs were stored in wal-v3 and snap-v3 directories. After encryption was added, they were stored in wal-v3-encrypted and snap-v3-encrypted. Possibly, if you wanted them re-encrypted, you could just move the decrypted directories to wal-v3 and snap-v3, and restart swarm - I believe it should be able to read the older format for logs and migrate them to the new, encrypted format.
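The directory swap suggested in the comment above, as an added example that is not part of the thread or of swarmkit. The four directory names come from the thread; the function name, its arguments, the backup suffix, moving the encrypted directories aside, and running it only while swarm is stopped are assumptions.

```shell
#!/bin/sh
# Added example, not swarmkit code. Assumes swarm is stopped before this runs.
# stage_plaintext_raft RAFT_DIR PLAIN_WAL_DIR PLAIN_SNAP_DIR
#   RAFT_DIR       directory holding wal-v3-encrypted and snap-v3-encrypted
#   PLAIN_WAL_DIR  decrypted WAL directory (location is caller-supplied)
#   PLAIN_SNAP_DIR decrypted snapshot directory (location is caller-supplied)
stage_plaintext_raft() {
    raft_dir=$1
    plain_wal=$2
    plain_snap=$3
    stamp=$(date +%Y%m%d%H%M%S)

    [ -d "$raft_dir" ]   || { echo "no raft dir: $raft_dir" >&2; return 2; }
    [ -d "$plain_wal" ]  || { echo "no decrypted WAL dir: $plain_wal" >&2; return 2; }
    [ -d "$plain_snap" ] || { echo "no decrypted snapshot dir: $plain_snap" >&2; return 2; }

    # Refuse to clobber legacy-format directories that already exist.
    for name in wal-v3 snap-v3; do
        if [ -e "$raft_dir/$name" ]; then
            echo "refusing to overwrite $raft_dir/$name" >&2
            return 3
        fi
    done

    # Copy first, so a failed copy leaves the encrypted state untouched.
    cp -Rp "$plain_wal" "$raft_dir/wal-v3" || return 4
    cp -Rp "$plain_snap" "$raft_dir/snap-v3" || return 4

    # The copies are plaintext raft data: strip group/other access
    # for as long as they sit on disk unencrypted.
    chmod -R go-rwx "$raft_dir/wal-v3" "$raft_dir/snap-v3" || return 4

    # Assumption: move the encrypted directories aside so only the legacy
    # format is present at restart; they stay on disk as a rollback point.
    for name in wal-v3-encrypted snap-v3-encrypted; do
        if [ -d "$raft_dir/$name" ]; then
            mv "$raft_dir/$name" "$raft_dir/$name.bak-$stamp" || return 5
        fi
    done
    return 0
}
```

After swarm has restarted, check that wal-v3-encrypted and snap-v3-encrypted exist again before deleting the plaintext copies and the backups.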
I am trying to decrypt docker swarm raft logs, edit them and finally encrypt them.
I found out that I can decrypt raft logs using swarm-rafttool decrypt, now I am wondering how to encrypt them back. Any ideas?