Open 6543 opened 1 year ago
Looks like atm I am not able to start the server for development (master branch):
I added
WOODPECKER_ENCRYPTION_KEY=a-key
WOODPECKER_ENCRYPTION_DISABLE=true
to the .env file and in the logs I get:
{"time":"2023-01-15T17:35:41+01:00","message":"LogLevel = info"}
{"level":"warn","time":"2023-01-15T17:35:41+01:00","message":"no sqlite3 file found, will create one at 'woodpecker.sqlite'"}
{"level":"fatal","error":"failed initializing encryption service: failed initializing encryption clients: failed initializing encryption clients: attempt to init encrypted storage more than once","time":"2023-01-15T17:35:41+01:00","message":"could not create encryption service"}
Starting the server with
WOODPECKER_ENCRYPTION_KEY=123456789012345678901234567890123456789012
works for the first time:
{"time":"2023-01-15T17:43:36+01:00","message":"LogLevel = info"}
{"level":"warn","time":"2023-01-15T17:43:36+01:00","message":"no sqlite3 file found, will create one at 'woodpecker.sqlite'"}
{"level":"info","time":"2023-01-15T17:43:36+01:00","message":"initialized encryption on registered clients"}
{"level":"warn","time":"2023-01-15T17:43:36+01:00","message":"Encrypting all secrets in database"}
{"level":"warn","time":"2023-01-15T17:43:36+01:00","message":"All secrets are encrypted"}
{"level":"info","time":"2023-01-15T17:43:36+01:00","message":"enabled encryption on registered services"}
{"level":"info","time":"2023-01-15T17:43:36+01:00","message":"registered new encryption key"}
{"level":"warn","time":"2023-01-15T17:43:36+01:00","message":"encryption enabled"}
{"level":"info","time":"2023-01-15T17:43:36+01:00","message":"Starting Woodpecker server with version 'dev'"}
restarting it gives me:
{"level":"info","time":"2023-01-15T17:44:05+01:00","message":"initialized encryption on registered clients"}
{"level":"fatal","error":"failed initializing encryption service: failed validating encryption key: encryption key is invalid","time":"2023-01-15T17:44:05+01:00","message":"could not create encryption service"}
and I have to delete the sqlite DB
Can anyone please post a hint on how to configure AES encryption or disable it?
https://github.com/woodpecker-ci/woodpecker/pull/1549 will make next work again ...
Thanks!
Maybe it would be a good idea to have the documentation state that encryption is currently not supported. Took me a while to find this issue and realize it.
Has the encryption of secrets been fixed in the meantime? I'm using the container image tagged with v2.0.0-rc.0-alpine and it appears to me that it is still not working. At least, a secret I've added is stored in plain text in the database.
No, this is still broken. See #2300 for progress
Can someone summarize the current state? https://github.com/woodpecker-ci/woodpecker/pull/2300 is closed now and https://github.com/woodpecker-ci/woodpecker/pull/2300 got closed as well.
\cc @woodpecker-ci/maintainers @zc-devs
If you mean whether I'm working on it or have a plan to do so, then no and no. Nothing new from me.
I guess the summary would be: nobody is actively working on encryption support; contributions are always welcome.
Perhaps other sensitive data could also be encrypted, for example registry passwords:
woodpecker=# select * from registries;
id | repo_id | address | username | password | org_id
----+---------+----------------------+----------+----------+--------
2 | 0 | https://mytest.local | u | u | 0
(1 row)
... By default, Woodpecker does not encrypt secrets in its database. You can enable encryption using simple AES key or more advanced Google TINK encryption...
but right now we just get an error on start
rev #1475 cc @antomy-gc