Skip to content

RFC-214: Encrypt secrets in user_external_accounts, external_services, saved_searches and external_service_repos

Created by: unknwon

We need to encrypt existing data in user_exernal_accounts.{auth_data, account_data}, external_services.{config}, saved_searches.query and external_service_repos.clone_url.

Prior art: https://github.com/sourcegraph/sourcegraph/pull/13093/files#diff-0d2a8ca7d4bdc94a4127a855a8a814b4R323

TODO:

  • Come up a helper that accepts a table name, and list of columns to encrypt. #14231
  • Have a background worker in repo-updater to identify rows that are not encrypted by the current primaryKey (i.e. search rows that do not have expected keyHash prefix). This would cover both cases of encryption bootstrap and future key rotation.
  • Have a Prometheus metric to track how many rows are encrypted/unencrypted until we have good UI on this.
  • Decide if ConfiguredToRotate is worth keeping given the Decrypt/RotateEncryption method now does no-op if the ciphertext does not look like being encrypted.