[PR #682] [MERGED] feat: Encrypt private keys saved on disk and in DB #678

Closed
opened 2025-10-09 16:55:00 +03:00 by OVERLORD · 0 comments

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/682
Author: @ItalyPaleAle
Created: 6/26/2025
Status: Merged
Merged: 7/3/2025
Merged by: @kmendell

Base: main ← Head: encrypt-keys


📊 Changes

25 files changed (+2310 additions, -327 deletions)

📝 backend/internal/bootstrap/services_bootstrap.go (+1 -1)
📝 backend/internal/common/env_config.go (+68 -31)
➕ backend/internal/common/env_config_test.go (+188 -0)
➕ backend/internal/model/kv.go (+11 -0)
📝 backend/internal/service/app_config_service_test.go (+17 -15)
📝 backend/internal/service/e2etest_service.go (+3 -1)
📝 backend/internal/service/jwt_service.go (+52 -94)
📝 backend/internal/service/jwt_service_test.go (+166 -77)
📝 backend/internal/service/oidc_service_test.go (+8 -7)
➕ backend/internal/utils/crypto/crypto.go (+69 -0)
➕ backend/internal/utils/crypto/crypto_test.go (+208 -0)
➕ backend/internal/utils/jwk/key_provider.go (+50 -0)
➕ backend/internal/utils/jwk/key_provider_database.go (+109 -0)
➕ backend/internal/utils/jwk/key_provider_database_test.go (+275 -0)
➕ backend/internal/utils/jwk/key_provider_file.go (+202 -0)
➕ backend/internal/utils/jwk/key_provider_file_test.go (+320 -0)
➕ backend/internal/utils/jwk/utils.go (+180 -0)
➕ backend/internal/utils/jwk/utils_test.go (+324 -0)
➖ backend/internal/utils/jwk_util.go (+0 -69)
📝 backend/internal/utils/testing/database.go (+7 -32)

...and 5 more files

📄 Description

Fixes #580

Implements the design described here: https://github.com/pocket-id/pocket-id/issues/580#issuecomment-2918342289

  • Adds support for storing private keys in the database
  • Adds support for encrypting the private keys stored on disk (optional) or in the database (required)
  • Adds support for running Pocket ID with in-memory only (ephemeral) keys

Adds these new config options:

  • KEYS_STORAGE, which can be file or database. The default is file.
  • ENCRYPTION_KEY allows passing a key to use to encrypt keys stored on disk or DB
  • ENCRYPTION_KEY_FILE is akin to ENCRYPTION_KEY but contains the path to a file with the key to load

When keys are encrypted, they are tied to a specific instance of Pocket ID (identified by the InstanceID internal config setting).

Also note that keys are encrypted with AES-GCM.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

📝 Commits (10+)

  • 742673d feat: Encrypt private keys saved on disk and in DB
  • 35145f6 Store envConfig instead of appUrl in the object
  • 2a2e8d9 Fix tests
  • 47bde74 Merge branch 'main' into encrypt-keys
  • d497e1c Merge branch 'main' of https://github.com/pocket-id/pocket-id into encrypt-keys
  • c4fe94c Merge branch 'main' into encrypt-keys
  • afa8d10 Merge branch 'main' of https://github.com/pocket-id/pocket-id into encrypt-keys
  • f68e848 Merge branch 'main' into encrypt-keys
  • 5b28eb5 Re-order migrations after merging latest changes
  • c7d6405 Rename env vars to ENCRYPTION_KEYS

OVERLORD added the pull-request label 2025-10-09 16:55:01 +03:00
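
The description says stored private keys are encrypted with AES-GCM and tied to one instance. The following is an added example, not code from the PR or from Pocket ID, showing one way such a binding behaves. It assumes the instance ID is passed as AES-GCM associated data and that the AES key is derived from the configured secret with HMAC-SHA256; `NewAEAD`, `Seal`, `Open` and all sample values are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewAEAD derives an AES-256 key from the configured secret and returns AES-GCM.
// Assumption: HMAC-SHA256 over a fixed label stands in for the real KDF.
func NewAEAD(secret []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte("example private-key wrap v1"))
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext||tag. instanceID is authenticated as
// associated data (an assumed binding), so it is never written to the blob.
func Seal(aead cipher.AEAD, plaintext []byte, instanceID string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(instanceID)), nil
}

// Open fails when the secret, the instance ID or any byte of blob differs.
func Open(aead cipher.AEAD, blob []byte, instanceID string) ([]byte, error) {
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(instanceID))
}

func main() {
	aead, _ := NewAEAD([]byte("constructed-secret"))
	blob, _ := Seal(aead, []byte("constructed private JWK"), "instance-a")
	_, err := Open(aead, blob, "instance-b")
	fmt.Println("open under another instance ID:", err)
}
```

Under this scheme, a key blob copied to a different instance, or a database row restored under a new instance ID, fails authentication instead of decrypting, so backups need the encryption key and the original instance identity together.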
Reference: starred/pocket-id-pocket-id-2#678