04852fc480
Some checks failed
API Endpoint Tests / test-api-endpoints (push) Successful in 19s
Blockchain Synchronization Verification / sync-verification (push) Failing after 2s
Integration Tests / test-service-integration (push) Successful in 3m1s
Multi-Node Blockchain Health Monitoring / health-check (push) Failing after 7s
P2P Network Verification / p2p-verification (push) Successful in 9s
Python Tests / test-python (push) Successful in 28s
Security Scanning / security-scan (push) Successful in 55s
Systemd Sync / sync-systemd (push) Successful in 17s
Remove default fallback for API_KEY_HASH_SECRET in tenant context middleware and management service, requiring explicit environment variable configuration. Migrate keystore password handling from /etc/aitbc/keystore_password to /etc/aitbc/credentials/keystore_password with 600 permissions. Add load-keystore-secrets.sh pre-start hook and /run/aitbc/secrets/.env environment file to blockchain-node, blockchain
68 lines
2.2 KiB
Python
Executable File
68 lines
2.2 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
"""
|
|
Encrypt keystore password file using AES-GCM encryption
|
|
Uses the existing encryption suite from the wallet service
|
|
"""
|
|
|
|
import sys
|
|
import os
|
|
from pathlib import Path
|
|
|
|
# Add wallet service to path
|
|
sys.path.insert(0, '/opt/aitbc/apps/wallet/src')
|
|
|
|
from app.crypto.encryption import EncryptionSuite
|
|
from secrets import token_bytes
|
|
|
|
def main():
|
|
keystore_dir = Path('/var/lib/aitbc/keystore')
|
|
password_file = keystore_dir / '.password'
|
|
encrypted_file = keystore_dir / 'passwords' / 'keystore_password.enc'
|
|
|
|
# Ensure passwords directory exists
|
|
encrypted_file.parent.mkdir(parents=True, exist_ok=True)
|
|
|
|
# Read existing password if it exists
|
|
if password_file.exists():
|
|
with open(password_file, 'r') as f:
|
|
password = f.read().strip()
|
|
else:
|
|
# Generate new secure password if none exists
|
|
password = token_bytes(32).hex()
|
|
with open(password_file, 'w') as f:
|
|
f.write(password)
|
|
os.chmod(password_file, 0o600)
|
|
|
|
# Get encryption password from environment or prompt
|
|
enc_password = os.environ.get('KEYSTORE_ENCRYPTION_PASSWORD')
|
|
if not enc_password:
|
|
print("Error: KEYSTORE_ENCRYPTION_PASSWORD environment variable not set")
|
|
print("Set it with: export KEYSTORE_ENCRYPTION_PASSWORD=<secure-password>")
|
|
sys.exit(1)
|
|
|
|
# Encrypt the password
|
|
encryption = EncryptionSuite()
|
|
salt = token_bytes(encryption.salt_bytes)
|
|
nonce = token_bytes(encryption.nonce_bytes)
|
|
ciphertext = encryption.encrypt(password=enc_password, plaintext=password.encode(), salt=salt, nonce=nonce)
|
|
|
|
# Write encrypted file with salt and nonce
|
|
with open(encrypted_file, 'wb') as f:
|
|
f.write(salt)
|
|
f.write(nonce)
|
|
f.write(ciphertext)
|
|
|
|
os.chmod(encrypted_file, 0o600)
|
|
|
|
print(f"Encrypted keystore password saved to: {encrypted_file}")
|
|
print(f"Original password file: {password_file} (will be removed)")
|
|
print(f"WARNING: Keep KEYSTORE_ENCRYPTION_PASSWORD secure - it's needed to decrypt")
|
|
|
|
# Remove clear text password file
|
|
if password_file.exists():
|
|
password_file.unlink()
|
|
print(f"Removed clear text password file: {password_file}")
|
|
|
|
if __name__ == '__main__':
|
|
main()
|