Add encrypted configs to pcli #4293
Assignees
Labels
Milestone
Comments
cronokirby
added
the
A-client
github-actions
bot
added
the
needs-refinement
|
I think we should try to figure out a way to have only subfields of the config data be encrypted. This would allow the FVK to sit in the toml file and for It would be useful to support encryption for single spend keys as well as threshold data, where it's even more important. Is there a way that we could have the |
|
Another approach instead of encrypting the config itself, is to just encrypt the custody portion of the config. We could do this with a new custody backend which would wrap another backend. This would touch the relevant items for SoftKms and Threshold custody. |
|
Hmm, so the idea is something like
? |
|
Yeah, that's basically the idea; we might want to shift the decryption to initialization, but otherwise the wrapping is what I'd envisioned. |
aubrika
added
_P-V1
TalDerei
pushed a commit
that referenced
this issue
May 3, 2024
Bumps the application version to v0.72.0, which is required because the changes in #4293 were merged into a release branch, and thus didn't land on main naturally. We'll backport that patch shortly. More relevantly, the chain-upgrade docs now reference the "current" migration, which is 71 -> 72, with its own genesis time. Finally, a small change is made to the recommended dir names, using unique-to-this-migration dirnames for the export, to avoid confusion for operators who have previously migrated and not cleaned up the state.
1 task
redshiftzero
pushed a commit
that referenced
this issue
May 8, 2024
## Describe your changes This adds a new option to encrypt the `soft-kms` and `threshold` custody backends with a password, so that spend-key related material is encrypted at rest. This is implemented by: 1. Having a `pcli init --encrypted` flag that applies to both of these backends, which prompts a user for a password (and confirmation) before using that to encrypt the config. 2. Having a `pcli init re-encrypt` command to read an existing config and encrypt its backend, if necessary, to allow importing existing configs. This is also implemented internally in a lazy way, so that a password is only prompted when the custody services methods are actually called, allowing us to not need a password for view only commands. ## Issue ticket number and link Closes #4293. ## Checklist before requesting a review - [x] If this code contains consensus-breaking changes, I have added the "consensus-breaking" label. Otherwise, I declare my belief that there are not consensus-breaking changes, for the following reason: > This is a client-only change. --------- Co-authored-by: cratelyn <[email protected]>
hdevalence
pushed a commit
that referenced
this issue
May 8, 2024
This adds a new option to encrypt the `soft-kms` and `threshold` custody backends with a password, so that spend-key related material is encrypted at rest. This is implemented by: 1. Having a `pcli init --encrypted` flag that applies to both of these backends, which prompts a user for a password (and confirmation) before using that to encrypt the config. 2. Having a `pcli init re-encrypt` command to read an existing config and encrypt its backend, if necessary, to allow importing existing configs. This is also implemented internally in a lazy way, so that a password is only prompted when the custody services methods are actually called, allowing us to not need a password for view only commands. Closes #4293. - [x] If this code contains consensus-breaking changes, I have added the "consensus-breaking" label. Otherwise, I declare my belief that there are not consensus-breaking changes, for the following reason: > This is a client-only change. --------- Co-authored-by: cratelyn <[email protected]>
conorsch
pushed a commit
that referenced
this issue
May 8, 2024
This adds a new option to encrypt the `soft-kms` and `threshold` custody backends with a password, so that spend-key related material is encrypted at rest. This is implemented by: 1. Having a `pcli init --encrypted` flag that applies to both of these backends, which prompts a user for a password (and confirmation) before using that to encrypt the config. 2. Having a `pcli init re-encrypt` command to read an existing config and encrypt its backend, if necessary, to allow importing existing configs. This is also implemented internally in a lazy way, so that a password is only prompted when the custody services methods are actually called, allowing us to not need a password for view only commands. Closes #4293. - [x] If this code contains consensus-breaking changes, I have added the "consensus-breaking" label. Otherwise, I declare my belief that there are not consensus-breaking changes, for the following reason: > This is a client-only change. --------- Co-authored-by: cratelyn <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In real-world custody setups, in can be useful to store the pcli config file—which contains the shares of the spend key—encrypted at rest. However, given the complexity of setting up an actual threshold custody, the additional barrier of also setting up a correct encrypted backup is an additional paper cut which we might want to avoid.
We could natively support an encrypted configuration in pcli.
We would have an encrypted configuration option in pcli, which would store an encrypted blob instead of the usual config, and then require a password to decrypt the configuration.
We could implement this by:
--encryptedflag topcli init,The text was updated successfully, but these errors were encountered: