Log AES-128 and AES-192 key sizes during keyring initialization

2020-10-01 11:12:14 -04:00 · 2020-10-01 11:12:14 -04:00 · b98bb99dfe
parent ef36bcfc43
commit b98bb99dfe
2 changed files with 16 additions and 2 deletions
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@ -807,7 +807,7 @@ func (a *Agent) setupKeyrings(config *nomad.Config) error {
 		goto LOAD
 	}
 	if _, err := os.Stat(file); err != nil {
-		if err := initKeyring(file, a.config.Server.EncryptKey); err != nil {
+		if err := initKeyring(file, a.config.Server.EncryptKey, a.logger); err != nil {
 			return err
 		}
 	}
--- a/command/agent/keyring.go
+++ b/command/agent/keyring.go
@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"

+	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/memberlist"
 	"github.com/hashicorp/serf/serf"
 )
@ -17,7 +18,7 @@ const (
 )

 // initKeyring will create a keyring file at a given path.
-func initKeyring(path, key string) error {
+func initKeyring(path, key string, l log.Logger) error {
 	var keys []string

 	if keyBytes, err := base64.StdEncoding.DecodeString(key); err != nil {
@ -26,6 +27,19 @@ func initKeyring(path, key string) error {
 		return fmt.Errorf("Invalid key: %s", err)
 	}

+	// Check for AES-256 key size (32-bytes)
+	if len(key) < 32 {
+		var encMethod string
+		switch len(key) {
+		case 16:
+			encMethod = "AES-128"
+		case 24:
+			encMethod = "AES-192"
+		}
+		msg := fmt.Sprintf("given %d-byte gossip key enables %s encryption, generate a 32-byte key to enable AES-256", len(key), encMethod)
+		l.Info(msg)
+	}
+
 	// Just exit if the file already exists.
 	if _, err := os.Stat(path); err == nil {
 		return nil