remove end-user algorithm selection (#13190)

After internal design review, we decided to remove exposing algorithm choice to the end-user for the initial release. We'll solve nonce rotation by forcing rotations automatically on key GC (in a core job, not included in this changeset). Default to AES-256 GCM for the following criteria: * faster implementation when hardware acceleration is available * FIPS compliant * implementation in pure go * post-quantum resistance Also fixed a bug in the decoding from keystore and switched to a harder-to-misuse encoding method.
2026-01-06 18:35:44 +03:00 · 2022-06-02 13:41:59 -04:00
parent 73804237ed
commit b69d1bffa8
12 changed files with 42 additions and 90 deletions
--- a/command/agent/keyring_endpoint.go
+++ b/command/agent/keyring_endpoint.go
@@ -68,8 +68,6 @@ func (s *HTTPServer) keyringRotateRequest(resp http.ResponseWriter, req *http.Re
 	switch query.Get("algo") {
 	case string(structs.EncryptionAlgorithmAES256GCM):
 		args.Algorithm = structs.EncryptionAlgorithmAES256GCM
-	case string(structs.EncryptionAlgorithmXChaCha20):
-		args.Algorithm = structs.EncryptionAlgorithmXChaCha20
 	}

 	if _, ok := query["full"]; ok {
@@ -106,10 +104,9 @@ func (s *HTTPServer) keyringUpsertRequest(resp http.ResponseWriter, req *http.Re
 		RootKey: &structs.RootKey{
 			Key: decodedKey,
 			Meta: &structs.RootKeyMeta{
-				Active:           key.Meta.Active,
-				KeyID:            key.Meta.KeyID,
-				Algorithm:        structs.EncryptionAlgorithm(key.Meta.Algorithm),
-				EncryptionsCount: key.Meta.EncryptionsCount,
+				Active:    key.Meta.Active,
+				KeyID:     key.Meta.KeyID,
+				Algorithm: structs.EncryptionAlgorithm(key.Meta.Algorithm),
 			},
 		},
 	}
--- a/command/agent/keyring_endpoint_test.go
+++ b/command/agent/keyring_endpoint_test.go
@@ -55,19 +55,17 @@ func TestHTTP_Keyring_CRUD(t *testing.T) {
 		keyMeta := rotateResp.Key
 		keyBuf := make([]byte, 32)
 		rand.Read(keyBuf)
-		encodedKey := make([]byte, base64.StdEncoding.EncodedLen(32))
-		base64.StdEncoding.Encode(encodedKey, keyBuf)
+		encodedKey := base64.StdEncoding.EncodeToString(keyBuf)

 		newID2 := uuid.Generate()

 		key := &api.RootKey{
 			Meta: &api.RootKeyMeta{
-				Active:           true,
-				KeyID:            newID2,
-				Algorithm:        api.EncryptionAlgorithm(keyMeta.Algorithm),
-				EncryptionsCount: 500,
+				Active:    true,
+				KeyID:     newID2,
+				Algorithm: api.EncryptionAlgorithm(keyMeta.Algorithm),
 			},
-			Key: string(encodedKey),
+			Key: encodedKey,
 		}
 		reqBuf := encodeReq(key)