Fixing updatekeys command to respect configured shamir_threshold with groups #1509
Conversation
jorn-ola-birkeland
force-pushed
the
fix-updatekeys-shamir_threshold
branch
from
f4dd2b1 to
02614a7
Compare
jorn-ola-birkeland
force-pushed
the
fix-updatekeys-shamir_threshold
branch
from
02614a7 to
7c4fc0f
Compare
| @@ -593,7 +593,6 @@ func main() { | |||
| for _, path := range c.Args() { | |||
| err := updatekeys.UpdateKeys(updatekeys.Opts{ | |||
| InputPath: path, | |||
| GroupQuorum: c.Int("shamir-secret-sharing-quorum"), | |||
There was a problem hiding this comment.
I think this should have used the option shamir-secret-sharing-threshold. My guess is that this was simply forgotten in 63708c6, resp. that the option was renamed in parallel to a PR that added/modified this, and thus the old name got re-introduced here. (Turns out the PR was created after merging the rename: #255. If you look at the commits though, you can see that the first commit which already made use of the old name was created before the rename PR got merged.)
Please re-add GroupQuorum with the correct option value.
There was a problem hiding this comment.
I appreciate the feedback!
Just to double-check: My understanding is that updatekeys should use the .sops.yaml config file as the source for key updates. Since the config file has the option to set the Shamir threshold through the shamir_threshold key, shouldn't the user be encouraged to use that?
I think allowing both the shamir_threshold key in the config file and the shamir-secret-sharing-threshold command line option would require prompting the user to resolve the conflict if both are set and differ. Currently, that is not implemented. In fact, the shamir_threshold in .sops.yaml was not respected at all, which seem to run counter to the intention of the updatekeys command in the first place.
Furthermore, neither shamir-secret-sharing-threshold nor shamir-secret-sharing-quorum are on the list of allowed options for the command. This led me to believe that the option is not meant to be in use.
IMHO the implementation and use of updatekeys is simpler and more consistent when relying on the configuration file only for the Shamir threshold, but I can try to reintroduce (and rename) the shamir-secret-sharing-threshold option, but adding:
shamir-secret-sharing-thresholdto the list of allowed options- some notification to the user about the conflict, if both the option and the configuration key are set and differ.
Your input on this will be greatly appreciated.
There was a problem hiding this comment.
Just to double-check: My understanding is that
updatekeysshould use the.sops.yamlconfig file as the source for key updates. Since the config file has the option to set the Shamir threshold through theshamir_thresholdkey, shouldn't the user be encouraged to use that?
Well, I kind of agree, but the updatekeys feature was originally implemented to explicitly allow overriding the Shamir threshold on the command line. (Unfortunately, or fortunately, depending on your POV, that implementation didn't work, due to the option rename.)
One reason is probably that the command is called updatekeys, and not update-according-to-sops.yaml or something like that. It's also not adjusting other options from .sops.yaml (about which parts to encrypt etc.). So there is a reason to allow overriding the Shamir threshold from the command line IMO. Even if it's not too strong.
@getsops/maintainers any opinions on this one? I'm somewhat torn between "let's fix this as it was originally intended to be" and "let's remove it since it never worked anyway, and .sops.yaml should be the single source of truth for updatekeys, also for other things than keys".
I think allowing both the
shamir_thresholdkey in the config file and theshamir-secret-sharing-thresholdcommand line option would require prompting the user to resolve the conflict if both are set and differ.
I don't think so - the command line option is an override, if it's supplied the value from .sops.yaml is ignored. The same happens in quite a few other cases for other subcommands. (The Shamir threshold is somewhat special since you cannot explicitly disable it fom the command line, you can only enable it.)
There was a problem hiding this comment.
I think your reasoning is sound, @felixfontein. Reintroducing the option on the command line is a much smaller change. Using the shamir_threshold in the configuration "feels close" to updating the key groups, but I agree it is just on the spectrum of other things that could be considered by the updatekeys command, which would have been increasingly misnamed.
I think I'll revert to fix the option for now, and that a new update-according-to-sops-yaml command of sorts would be a better solution to what I was trying to achieve.
There was a problem hiding this comment.
Sounds good! (And we definitely have to find a better name than update-according-to-sops-yaml if we're going to add that one :D )
| } | ||
|
|
||
| return diff | ||
| } |
There was a problem hiding this comment.
I don't think the logic to compute the new shamir theshold should be part of a diff function. I think it should be a separate function, that can be used in the diff function (though I would avoid that and simply pass old and new value on after the new value has been computed).
|
Also please note that you need to sign-off your commits for the DCO. |
|
@jorn-ola-birkeland is there a reason you closed this instead of adjusting the PR? Are you planning to still work on this? |
|
Yes, I'll create a new branch and PR. (Re-)adding the option is quite a
different fix, so I'd rather just start from scratch.
BR,
jobi
tir. 11. jun. 2024, 23:41 skrev Felix Fontein ***@***.***>:
… @jorn-ola-birkeland <https://github.com/jorn-ola-birkeland> is there a
reason you closed this instead of adjusting the PR? Are you planning to
still work on this?
—
Reply to this email directly, view it on GitHub
<#1509 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ARQTTNKXJCXYPCTGAIPHNBLZG5VINAVCNFSM6AAAAABHY44B76VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRRGY2DKNRVGE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
The option was renamed while updatekeys was developed, and the name was not updated in the updatekeys PR. See the following for more information: getsops#1509 (comment) Signed-off-by: Felix Fontein <[email protected]>
I noticed a bug when running
sops updatekeys <filename>after changing the.sops.yamlconfiguration from a single master key to 3 groups with master keys and ashamir_thresholdbelow the groups size. The threshold configuration was not respected, and the group size was always used. There was also a problem with increasing theshamir_threshold. If the threshold was still below the group size, the old threshold were used.This PR aims to solve the following issues:
shamir-secret-sharing-quorum, and the relatedGroupQuorumoption that was always0shamir_thresholddefined in the configurationExample to reproduce the problem
Use the following
.sops.yamlto encrypt a fileThen change
.sops.yamltoAfter running
sops updatekeys <filename>, the resulting encrypted file has a metadata section starting with:I.e
shamir_thresholdin.sops.yamlwas not respected, and the number of groups was used instead.User experience after change
Message when running
sops updatekeys <filename>after changing.sops.yamlfrom no groups to 3 groups, withshamir_thresholdconfigured as 2After confirmation the the resulting encrypted file has a metadata section starting with:
Message when changing
shamir_thresholdfrom 2 to 3 (equal to removingshamir_thresholdfrom configuration)After confirmation the the resulting encrypted file has a metadata section starting with: