RFC 196: Secrets package
Created by: daxmc99
Fixes https://github.com/sourcegraph/sourcegraph/issues/12269
This is the first PR of RFC 196 to enter into the codebase. This is the secrets package which will ultimately be used by developers to encrypt & decrypt secrets. Therefore ergonomics are important.
Is this package discoverable? Are the methods it exposes reasonable?
@chayim The key rotation code was non-trivial to implement since we need to support usage before and after the ciphertext is rotated to use the new key. The only way I saw was to use HMAC to verify data integrity and ensure that we were using the right key to encrypt or decrypt the data.
TODO:
- Verify that HMAC is the right solution here
- Update HMAC code to use a derived key
Both TODOs are non-blocking and shouldn't prevent merging the code here.
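
A sketch of the rotation scheme described above, added here as an illustration and not taken from the PR or the Sourcegraph codebase: the HMAC tag both protects integrity and identifies which key a stored ciphertext belongs to, so reads succeed before and after a record is re-encrypted. The names `Seal`, `Open`, `hm` and `ctr`, the AES-256-CTR cipher, the `iv || ciphertext || tag` layout and the "enc"/"mac" subkey labels are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hm returns HMAC-SHA256(key, data); it is also used to derive per-purpose subkeys.
func hm(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func ctr(master, iv, src []byte) []byte {
	block, _ := aes.NewCipher(hm(master, []byte("enc"))) // derived 32-byte key: cannot fail
	dst := make([]byte, len(src))
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return dst
}

// Seal returns iv || ciphertext || HMAC(derived "mac" subkey, iv || ciphertext).
func Seal(master, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	body := append(iv, ctr(master, iv, plaintext)...)
	return append(body, hm(hm(master, []byte("mac")), body)...), nil
}

// Open decrypts under the first key whose tag verifies and reports that key's index.
func Open(blob []byte, keys ...[]byte) ([]byte, int, error) {
	n := len(blob) - sha256.Size
	for i, k := range keys {
		if n >= aes.BlockSize && hmac.Equal(blob[n:], hm(hm(k, []byte("mac")), blob[:n])) {
			return ctr(k, blob[:aes.BlockSize], blob[aes.BlockSize:n]), i, nil
		}
	}
	return nil, -1, fmt.Errorf("no supplied key authenticates this ciphertext")
}

func main() {
	blob, _ := Seal([]byte("constructed old key"), []byte("token"))
	fmt.Println(Open(blob, []byte("constructed new key"), []byte("constructed old key")))
}
```

A non-zero index from `Open` tells the caller the record is still under an old key and can be re-sealed with the new one.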