Run acceptance tests with masterkey and HSM
ownCloud talks to the hsmdaemon (golang daemon) via REST API, which in turn talks to softhsm, which is an HSM emulation. The "softhsm" package is available for every major distro. Concept and setup documentation can be found here: https://doc.owncloud.com/server/admin_manual/configuration/server/security/hsmdaemon/
Note that if you follow the instructions above, ownCloud will default to userkey encryption. So, additionally, the steps described here should be executed: https://doc.owncloud.com/server/admin_manual/configuration/files/encryption/master-key-encryption.html#enable-and-configure-master-key-based-encryption.
The tests don't need to run for each PR; it should be enough to trigger them on each release.
As the hsmdaemon is closed-source we could either provide the compiled binary to the CI pipeline or compile it during the run. This would require a golang environment.
The HSM docs implicitly use user-key and then mention the change to master-key.
If you want to use a single master key run
occ encryption:select-encryption-type masterkey
If I remember correctly, we want to "force" admins to use master-key encryption right from the start, and we have a Deprecation Note for User-key Storage Encryption in the release notes of 10.7.
Why not do this from the beginning by promoting master-key and dropping the user-key description in HSM? Is there a particular issue behind why we do it as we do now, or could/should that be changed (from the docs pov)?
@jnweiger fyi
@IljaN @jnweiger do we want to try and do this?
If so, the first blocker that we have come to is the hsmdaemon - the docs say "After you have obtained the hsmdaemon from ownCloud, you need to..." - how can we get the hsmdaemon software?
> @IljaN @jnweiger do we want to try and do this?
> If so, the first blocker that we have come to is the hsmdaemon - the docs say "After you have obtained the hsmdaemon from ownCloud, you need to..." - how can we get the hsmdaemon software?
Blocked until we get the reply of this ^
You can fetch the latest version from the customer cloud.
We can probably use https://github.com/psmiraglia/docker-softhsm as a template. IIRC it is possible to automate the interactive token generation step from the ReadMe.
I am taking over this issue.