
Crypt does not support encrypting long secrets (more than ~500 bytes) with Azure KeyVault

Open myhau opened this issue 5 years ago • 2 comments

Problem

Crypt does not support encrypting long secrets (more than ~500 bytes) with Azure KeyVault

Details

We tried to encrypt a whole directory with one file that contains a long secret (an SSH private key) and this happened:

encrypt-all-key-vault-secrets.sh 39005e2e-c0e8-40c4-aa7e-17619494c2b8 euw-prod-138-location-gl
DEBU[2020-01-28T16:00:08+01:00] Debug logging enabled
INFO[2020-01-28T16:00:09+01:00] Directory mode selected: '/Users/michalfudala/aloa/scripts/secret-management/../../key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl' -> '/Users/michalfudala/aloa/scripts/secret-management/../../key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl'
DEBU[2020-01-28T16:00:09+01:00] Skipping '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl/git-secrets.backup'
DEBU[2020-01-28T16:00:09+01:00] Skipping '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl/key-name'
DEBU[2020-01-28T16:00:09+01:00] Skipping '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl/key-version'
DEBU[2020-01-28T16:00:09+01:00] Processing '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl/preprod-docker-credentials.secret'
INFO[2020-01-28T16:00:09+01:00] Target directory was created: '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl'
INFO[2020-01-28T16:00:10+01:00] Encryption succeeded                          key=git-secrets keyVaultURL="https://euw-prod-138-location-gl.vault.azure.net/" keyVersion=b7384be6d6b24efa86f264e43ae84052
DEBU[2020-01-28T16:00:10+01:00] Skipping '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl/preprod-docker-credentials.secret.crypt'
DEBU[2020-01-28T16:00:10+01:00] Processing '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl/preprod-git-private-key.secret'
INFO[2020-01-28T16:00:10+01:00] Target directory was created: '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl'
ERROR: keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadParameter" Message="The parameter is incorrect.\r\n"
crypt/vendor/github.com/VirtusLab/crypt/azure.(*KeyVault).encrypt
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/azure/azure.go:91
crypt/vendor/github.com/VirtusLab/crypt/azure.(*KeyVault).Encrypt
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/azure/azure.go:77
crypt/vendor/github.com/VirtusLab/crypt/crypto.(*crypt).Encrypt
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:181
crypt/vendor/github.com/VirtusLab/crypt/crypto.(*crypt).EncryptFile
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:144
crypt/vendor/github.com/VirtusLab/crypt/crypto.transformFiles
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:84
crypt/vendor/github.com/VirtusLab/crypt/crypto.(*crypt).EncryptFiles
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:115
main.encryptDirectory
	/Users/michalfudala/.gopath/src/crypt/main.go:369
main.action
	/Users/michalfudala/.gopath/src/crypt/main.go:338
main.encryptAction
	/Users/michalfudala/.gopath/src/crypt/main.go:361
main.encrypt.func1
	/Users/michalfudala/.gopath/src/crypt/main.go:207
crypt/vendor/github.com/urfave/cli.HandleAction
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:514
crypt/vendor/github.com/urfave/cli.Command.Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:171
crypt/vendor/github.com/urfave/cli.(*App).RunAsSubcommand
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:395
crypt/vendor/github.com/urfave/cli.Command.startApp
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:383
crypt/vendor/github.com/urfave/cli.Command.Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:103
crypt/vendor/github.com/urfave/cli.(*App).Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:265
main.main
	/Users/michalfudala/.gopath/src/crypt/main.go:101
runtime.main
	/usr/local/Cellar/go/1.13.5/libexec/src/runtime/proc.go:203
runtime.goexit
	/usr/local/Cellar/go/1.13.5/libexec/src/runtime/asm_amd64.s:1357
encrypting failed, file '/Users/michalfudala/aloa/key-vault/39005e2e-c0e8-40c4-aa7e-17619494c2b8/euw-prod-138-location-gl/preprod-git-private-key.secret'
crypt/vendor/github.com/VirtusLab/crypt/crypto.(*crypt).EncryptFile
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:146
crypt/vendor/github.com/VirtusLab/crypt/crypto.transformFiles
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:84
crypt/vendor/github.com/VirtusLab/crypt/crypto.(*crypt).EncryptFiles
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:115
main.encryptDirectory
	/Users/michalfudala/.gopath/src/crypt/main.go:369
main.action
	/Users/michalfudala/.gopath/src/crypt/main.go:338
main.encryptAction
	/Users/michalfudala/.gopath/src/crypt/main.go:361
main.encrypt.func1
	/Users/michalfudala/.gopath/src/crypt/main.go:207
crypt/vendor/github.com/urfave/cli.HandleAction
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:514
crypt/vendor/github.com/urfave/cli.Command.Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:171
crypt/vendor/github.com/urfave/cli.(*App).RunAsSubcommand
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:395
crypt/vendor/github.com/urfave/cli.Command.startApp
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:383
crypt/vendor/github.com/urfave/cli.Command.Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:103
crypt/vendor/github.com/urfave/cli.(*App).Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:265
main.main
	/Users/michalfudala/.gopath/src/crypt/main.go:101
runtime.main
	/usr/local/Cellar/go/1.13.5/libexec/src/runtime/proc.go:203
runtime.goexit
	/usr/local/Cellar/go/1.13.5/libexec/src/runtime/asm_amd64.s:1357
can't encrypt/decrypt a file
crypt/vendor/github.com/VirtusLab/crypt/crypto.transformFiles
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:86
crypt/vendor/github.com/VirtusLab/crypt/crypto.(*crypt).EncryptFiles
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/VirtusLab/crypt/crypto/crypt.go:115
main.encryptDirectory
	/Users/michalfudala/.gopath/src/crypt/main.go:369
main.action
	/Users/michalfudala/.gopath/src/crypt/main.go:338
main.encryptAction
	/Users/michalfudala/.gopath/src/crypt/main.go:361
main.encrypt.func1
	/Users/michalfudala/.gopath/src/crypt/main.go:207
crypt/vendor/github.com/urfave/cli.HandleAction
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:514
crypt/vendor/github.com/urfave/cli.Command.Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:171
crypt/vendor/github.com/urfave/cli.(*App).RunAsSubcommand
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:395
crypt/vendor/github.com/urfave/cli.Command.startApp
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:383
crypt/vendor/github.com/urfave/cli.Command.Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/command.go:103
crypt/vendor/github.com/urfave/cli.(*App).Run
	/Users/michalfudala/.gopath/src/crypt/vendor/github.com/urfave/cli/app.go:265
main.main
	/Users/michalfudala/.gopath/src/crypt/main.go:101
runtime.main
	/usr/local/Cellar/go/1.13.5/libexec/src/runtime/proc.go:203
runtime.goexit
	/usr/local/Cellar/go/1.13.5/libexec/src/runtime/asm_amd64.s:1357
DEBU[2020-01-28T16:00:10+01:00] exiting with 1

Root cause

After investigation, it turns out that azure-sdk-for-go, which crypt uses (and the underlying Key Vault encrypt REST API), only supports encrypting a single block of data, the size of which depends on the target key and the encryption algorithm.

Root cause reproducer:

  1. Create some KeyVault
  2. Execute
# bearer token for the Key Vault data plane
token=$(az account get-access-token --resource 'https://vault.azure.net' | jq .accessToken -r)
# 600-byte payload, larger than one RSA-OAEP block
secret=$(python -c 'print("5" * 600)')

# replace {azure-key-vault-url}, {key-name} and {key-version} with the vault's values
curl -X POST -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" https://{azure-key-vault-url}/keys/{key-name}/{key-version}/encrypt\?api-version\=7.0 -d "{\"alg\": \"RSA-OAEP-256\", \"value\": \"${secret}\"}"

myhau avatar Jan 30 '20 13:01 myhau

Thanks @myhau for raising this issue. It looks like when using RSA (RSAOAEP256 by default) the amount of data you can encrypt is dependent on the size of the key you are using:

((KeySize - 384) / 8) + 7

RSA Encryption, getting bad length

We'll have a look at potential solutions and keep you informed.

antoniaklja avatar Feb 03 '20 15:02 antoniaklja

I'm afraid encryption of large payloads is not natively supported by Azure Key Vault, as asymmetric encryption is used for small payloads only. We have verified if either symmetric encryption or chunking is possible.

The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is stored in Azure Key Vault. Note that the ENCRYPT operation only supports a single block of data, the size of which is dependent on the target key and the encryption algorithm to be used.

encrypt - encrypt

antoniaklja avatar Feb 03 '20 15:02 antoniaklja
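The comments above point at symmetric encryption as the way around the single-block limit. The Go block below is an added illustration, not code from crypt or from the people in this thread: it computes the RSA-OAEP input limit from RFC 8017 (k - 2*hLen - 2) and shows envelope encryption, where the payload goes through AES-256-GCM under a fresh data key and only that 32-byte key goes through RSA-OAEP, so the Key Vault call always sees one small block. A locally generated RSA key stands in for the Key Vault key, and the names `MaxOAEPPlaintext`, `newGCM`, `Seal` and `Open` are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// MaxOAEPPlaintext: largest input RSA-OAEP accepts for a keyBits-bit key and a hashLen-byte
// hash (RFC 8017, k - 2*hLen - 2); a 2048-bit key with SHA-256 gives 190 bytes, far below 600.
func MaxOAEPPlaintext(keyBits, hashLen int) int { return keyBits/8 - 2*hashLen - 2 }
func newGCM(dek []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte data key
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts a plaintext of any length under a fresh data key and wraps only that 32-byte
// key with RSA-OAEP; pub stands in for the Key Vault key (the wrap is the single Encrypt call).
func Seal(pub *rsa.PublicKey, plaintext []byte) (wrapped, sealed []byte, err error) {
	buf := make([]byte, 32+12) // data key followed by the standard 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, nil, err
	}
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil); err != nil {
		return nil, nil, err
	}
	return wrapped, gcm.Seal(nonce, nonce, plaintext, nil), nil // sealed = nonce||ciphertext
}
// Open unwraps the data key (Key Vault Decrypt in the real tool) and opens nonce||ciphertext.
func Open(priv *rsa.PrivateKey, wrapped, sealed []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed payload shorter than GCM nonce")
}
```

The wrapped key is always exactly one RSA block (256 bytes for a 2048-bit key), regardless of how long the original secret is.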