[RFC] Encrypt plan artifacts at rest
Currently, plan files persisted as workflow artifacts in GitHub are not encrypted (see #817). This is a security concern because plan artifacts contain a snapshot of state, which can contain sensitive data such as private keys.
Proposed solution: encrypt plan artifacts at rest
- Store the encryption key as a `DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY` secret in GitHub Secrets.
- When plan artifacts are uploaded in plan_storage.go, encrypt the contents of the file with AES-256, something like this: `gpg --cipher-algo AES256 --symmetric filename.tar.gz`. Using a zip password is not a good idea because it uses a weak cipher.
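As an added example (not digger's code and not part of this RFC), the same idea done natively in Go, which is what an upload hook in plan_storage.go could call instead of shelling out to gpg. It assumes the secret holds the standard base64 encoding of 32 random bytes (a raw AES-256 key, not a passphrase) and uses AES-256-GCM so that a tampered or truncated artifact is rejected on decryption rather than silently yielding corrupted state; the key-format assumption and the function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// KeyEnvVar is the GitHub Secrets name proposed in the RFC. The value is
// assumed (not specified by the RFC) to be the standard base64 encoding of
// 32 random bytes, i.e. a raw AES-256 key rather than a passphrase.
const KeyEnvVar = "DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY"

const (
	keyLen   = 32 // AES-256
	nonceLen = 12 // GCM standard nonce size
)

// GenerateKey returns a fresh random key in the encoding DecodeKey expects,
// so it can be generated once and pasted into GitHub Secrets.
func GenerateKey() (string, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(key), nil
}

// DecodeKey parses the secret's value and rejects anything that is not exactly
// a 32-byte key, so a short or mistyped secret fails loudly at plan time
// instead of silently weakening the encryption.
func DecodeKey(encoded string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid base64: %w", KeyEnvVar, err)
	}
	if len(key) != keyLen {
		return nil, fmt.Errorf("%s must decode to %d bytes, got %d", KeyEnvVar, keyLen, len(key))
	}
	return key, nil
}

// KeyFromEnv is what the upload path would call inside the Actions job.
func KeyFromEnv() ([]byte, error) {
	v := os.Getenv(KeyEnvVar)
	if v == "" {
		return nil, errors.New(KeyEnvVar + " is not set")
	}
	return DecodeKey(v)
}

// EncryptArtifact seals the artifact bytes with AES-256-GCM. The blob layout is
// nonce || ciphertext || tag. The nonce is random per artifact, which is fine
// for the number of plans a single key will ever see.
func EncryptArtifact(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the result is nonce || ciphertext || tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptArtifact reverses EncryptArtifact and fails closed on a wrong key,
// a truncated blob, or any modified byte (GCM authenticates the whole blob).
func DecryptArtifact(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceLen+aead.Overhead() {
		return nil, errors.New("artifact too short to be a valid encrypted blob")
	}
	nonce, ciphertext := blob[:nonceLen], blob[nonceLen:]
	plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("artifact authentication failed: %w", err)
	}
	return plaintext, nil
}

func main() {
	// Constructed stand-in for a plan file; the real input is the tar.gz produced at plan time.
	plan := []byte(`{"resource":"aws_db_instance.main","password":"example-secret"}`)

	encoded, _ := GenerateKey()
	key, _ := DecodeKey(encoded)
	blob, err := EncryptArtifact(key, plan)
	if err != nil {
		panic(err)
	}
	back, err := DecryptArtifact(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes -> %d bytes, roundtrip ok: %v\n", len(plan), len(blob), string(back) == string(plan))
}
```

Encrypting in-process keeps the key out of the process table and shell history, and GCM gives integrity for free, which plain `gpg --symmetric` does not provide against a modified artifact. The strict length check in `DecodeKey` is deliberate: it turns a misconfigured secret into a failed plan step rather than a weakly encrypted artifact.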
Open questions
- Do we need to rotate the encryption key? GitHub Secrets don't seem to have any method for that. We might want to instead integrate with a secret manager like Vault or Infisical.
- Is there a "standard" way to encrypt workflow artifacts in GitHub? My initial search didn't yield any, but encryption of build artifacts in Actions at rest is hardly a niche problem, so there probably is a somewhat-standard solution.
Other solutions considered
Remove state representation from the plan artifact
Suggested by one of the users; unfortunately it doesn't look feasible, because a snapshot of existing state is an integral part of the plan. The purpose of the plan artifact is to capture the state at the time of plan artifact creation, plus the diff on top. This way, if the state has moved on since the plan artifact was created and now contains changes that are not compatible with the plan artifact, Terraform is able to compare the actual state with the plan-time state. See state representation in the Terraform internals docs.
Relevant existing issues
- https://github.com/diggerhq/digger/issues/1291
- https://github.com/diggerhq/digger/issues/1247
- https://github.com/diggerhq/digger/issues/817