authorRobert Newson <rnewson@apache.org>2022-05-06 19:47:10 +0100
committerRobert Newson <rnewson@apache.org>2022-05-06 20:27:59 +0100
commit45ab534c9f4f4227872dc7a53e0e6a9207465158 (patch)
tree074c81bf1ad7a0e69f10118cfab589150c66a2e7
parent9ad380ed08c87f1f88e703408fb6aeb88ca69e42 (diff)
downloadcouchdb-45ab534c9f4f4227872dc7a53e0e6a9207465158.tar.gz
encryption password from config
-rw-r--r--rel/overlay/etc/default.ini2
-rw-r--r--src/couch/src/couch_file.erl27
2 files changed, 25 insertions, 4 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 5fb45b5b5..98349f5eb 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -6,6 +6,8 @@ name = {{package_author_name}}
uuid = {{uuid}}
database_dir = {{data_dir}}
view_index_dir = {{view_index_dir}}
+encryption_password = super_secret_password
+encryption_salt = no_saltier_than_this
; util_driver_dir =
; plugin_dir =
;os_process_timeout = 5000 ; 5 seconds. for view servers.
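Review bot: The added `encryption_password = super_secret_password` and `encryption_salt = no_saltier_than_this` ship as working defaults, so every node that does not override them derives the same publicly known master key. That protects the wrapped per-file keys no better than the all-zero `AES_MASTER_KEY` constant this commit removes. I would ship both keys commented out (`; encryption_password =` and `; encryption_salt =`) and have the code refuse to wrap or unwrap while they are unset. The salt would ideally be generated per installation, the way `uuid = {{uuid}}` is templated just above. The operator-supplied password also belongs in a local override file with restricted permissions rather than in the packaged default.ini.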
diff --git a/src/couch/src/couch_file.erl b/src/couch/src/couch_file.erl
index e4673c394..f52a12f9e 100644
--- a/src/couch/src/couch_file.erl
+++ b/src/couch/src/couch_file.erl
@@ -64,8 +64,6 @@
%% or {error, Reason} if the file could not be opened.
%%----------------------------------------------------------------------
--define(AES_MASTER_KEY, <<0:256>>).
-
open(Filepath) ->
open(Filepath, []).
@@ -932,7 +930,7 @@ reset_eof(#file{} = File) ->
%% we've wiped all the data, including the wrapped key, so we need a new one.
init_key(#file{eof = 0} = File) ->
Key = crypto:strong_rand_bytes(32),
- WrappedKey = couch_keywrap:key_wrap(?AES_MASTER_KEY, Key),
+ WrappedKey = couch_keywrap:key_wrap(master_key(), Key),
Header = <<?ENCRYPTED_HEADER, WrappedKey/binary>>,
ok = file:write(File#file.fd, Header),
ok = file:sync(File#file.fd),
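Review bot: `master_key()` on the `key_wrap` line runs a 100000-iteration PBKDF2 every time a new file is initialised, and the same call on the `key_unwrap` line in the next hunk repeats it for every open of an existing file. The password and salt come from config and should change rarely, so the derived key can be computed once and cached (for example in a process that owns it, refreshed on config change) instead of being re-derived on the file-open path. As written, opening many databases or view files at once pays the full derivation cost each time. The body of `init_key/1` continues outside this hunk, so whether its callers tolerate that latency cannot be checked from here.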
@@ -942,7 +940,7 @@ init_key(#file{eof = 0} = File) ->
init_key(#file{key = undefined} = File) ->
case file:pread(File#file.fd, 0, 48) of
{ok, <<?ENCRYPTED_HEADER, WrappedKey/binary>>} ->
- case couch_keywrap:key_unwrap(?AES_MASTER_KEY, WrappedKey) of
+ case couch_keywrap:key_unwrap(master_key(), WrappedKey) of
fail ->
{error, unwrap_failed};
Key when is_binary(Key) ->
@@ -1023,6 +1021,27 @@ unpad(Pos, Bin) when is_binary(Bin) ->
Result.
+master_key() ->
+ couch_pbkdf2:pbkdf2(sha256, master_password(), master_salt(), 100000).
+
+
+master_password() ->
+ case config:get("couchdb", "encryption_password") of
+ undefined ->
+ undefined;
+ Password ->
+ ?l2b(Password)
+ end.
+
+master_salt() ->
+ case config:get("couchdb", "encryption_salt") of
+ undefined ->
+ undefined;
+ Salt ->
+ ?l2b(Salt)
+ end.
+
+
-ifdef(TEST).
-include_lib("couch/include/couch_eunit.hrl").
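Review bot: When `encryption_password` or `encryption_salt` is absent, `master_password/0` and `master_salt/0` return the atom `undefined`, and `master_key/0` passes it straight into `couch_pbkdf2:pbkdf2/4`. Depending on how that function treats a non-binary argument, this either crashes with an unhelpful reason or derives a key from an unintended value. `master_key/0` should fail explicitly, naming the missing setting, before any derivation happens. The return shape of `couch_pbkdf2:pbkdf2/4` is not visible in this diff, so it is worth confirming that it yields a raw 32-byte binary, as `couch_keywrap:key_wrap/2` presumably expects, rather than a tagged tuple or hex string. The functions also lack a comment stating that the salt must be unique per installation and that changing either value makes existing files impossible to unwrap.

```erlang
master_key() ->
    case {master_password(), master_salt()} of
        {undefined, _} ->
            erlang:error({missing_config, "couchdb", "encryption_password"});
        {_, undefined} ->
            erlang:error({missing_config, "couchdb", "encryption_salt"});
        {Password, Salt} ->
            couch_pbkdf2:pbkdf2(sha256, Password, Salt, 100000)
    end.

%% … unchanged: master_password/0, master_salt/0 …
```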