feat: envelope encryption for CA keys, migration script, CI updates, KR README#2
feat: envelope encryption for CA keys, migration script, CI updates, KR README#2concertypin wants to merge 1 commit into
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request implements a security feature to store CA private keys encrypted with AES-GCM, which are then decrypted in-memory during CRL generation. The changes include a new cryptographic utility module, a migration script for existing keys, and updated documentation in both English and Korean. Review feedback identifies a potential import path issue in the migration script and suggests optimizing the script by avoiding redundant backup file creation when encryption is not performed in-place.
| import sys | ||
| from pathlib import Path | ||
|
|
||
| from crypto_utils import encrypt_bytes, decrypt_bytes, get_kek_from_env, MAGIC |
There was a problem hiding this comment.
The script will fail to import crypto_utils when executed from the repository root (as suggested in the README) because the src/ directory is not in the Python search path. Adding the src/ directory to sys.path ensures the utility module can be found regardless of the current working directory.
# Add src directory to sys.path to allow importing crypto_utils
sys.path.append(str(Path(__file__).parent.parent / "src"))
from crypto_utils import encrypt_bytes, decrypt_bytes, get_kek_from_env, MAGIC| else: | ||
| target = Path(str(p) + ".enc") | ||
| backup = Path(str(p) + ".bak") | ||
| if not backup.exists(): | ||
| shutil.copy2(p, backup) | ||
| print(f"Backup created: {backup}") | ||
| if target.exists(): | ||
| print(f"Encrypted target already exists, skipping: {target}") | ||
| continue | ||
| if not dry_run: | ||
| target.write_bytes(enc_bytes) | ||
| print(f"Wrote encrypted file: {target}") |
There was a problem hiding this comment.
When --inplace is not used, the script creates a backup of the original file (.bak) even though the original file is not being modified (a new .enc file is created instead). This results in unnecessary file duplication since the original file remains untouched.
| else: | |
| target = Path(str(p) + ".enc") | |
| backup = Path(str(p) + ".bak") | |
| if not backup.exists(): | |
| shutil.copy2(p, backup) | |
| print(f"Backup created: {backup}") | |
| if target.exists(): | |
| print(f"Encrypted target already exists, skipping: {target}") | |
| continue | |
| if not dry_run: | |
| target.write_bytes(enc_bytes) | |
| print(f"Wrote encrypted file: {target}") | |
| else: | |
| target = Path(str(p) + ".enc") | |
| if target.exists(): | |
| print(f"Encrypted target already exists, skipping: {target}") | |
| continue | |
| if not dry_run: | |
| target.write_bytes(enc_bytes) | |
| print(f"Wrote encrypted file: {target}") |
1 participant
Implements envelope encryption for CA private keys and adds migration and CI safety checks.
Summary of changes:
src/crypto_utils.py(AES-GCM envelope formatENCv1).src/gencrl.pyusingCA_KEK.scripts/migrate_encrypt.py(creates.enc+.bakby default)..github/workflows/generate.ymlto injectCA_KEKand warn on plaintext private keys.README.mdwith KEK guidance and addREADME.ko.md(Korean translation).Usage notes:
CA_KEK(base64-encoded 32 bytes recommended).export CA_KEK=<base64>thenpython scripts/migrate_encrypt.py --path data/example.Please review and merge when ready.