From b98bb99dfe3215e5ecce0690737101b38429320f Mon Sep 17 00:00:00 2001 From: Kent 'picat' Gruber Date: Thu, 1 Oct 2020 11:12:14 -0400 Subject: [PATCH] Log AES-128 and AES-192 key sizes during keyring initialization --- command/agent/agent.go | 2 +- command/agent/keyring.go | 16 +++++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/command/agent/agent.go b/command/agent/agent.go index 909b7c9f7..4507bd5f6 100644 --- a/command/agent/agent.go +++ b/command/agent/agent.go @@ -807,7 +807,7 @@ func (a *Agent) setupKeyrings(config *nomad.Config) error { goto LOAD } if _, err := os.Stat(file); err != nil { - if err := initKeyring(file, a.config.Server.EncryptKey); err != nil { + if err := initKeyring(file, a.config.Server.EncryptKey, a.logger); err != nil { return err } } diff --git a/command/agent/keyring.go b/command/agent/keyring.go index ca509506b..a8537b9ca 100644 --- a/command/agent/keyring.go +++ b/command/agent/keyring.go @@ -8,6 +8,7 @@ import ( "os" "path/filepath" + log "github.com/hashicorp/go-hclog" "github.com/hashicorp/memberlist" "github.com/hashicorp/serf/serf" ) @@ -17,7 +18,7 @@ const ( ) // initKeyring will create a keyring file at a given path. -func initKeyring(path, key string) error { +func initKeyring(path, key string, l log.Logger) error { var keys []string if keyBytes, err := base64.StdEncoding.DecodeString(key); err != nil { @@ -26,6 +27,19 @@ func initKeyring(path, key string) error { return fmt.Errorf("Invalid key: %s", err) } + // Check for AES-256 key size (32-bytes) + if len(key) < 32 { + var encMethod string + switch len(key) { + case 16: + encMethod = "AES-128" + case 24: + encMethod = "AES-192" + } + msg := fmt.Sprintf("given %d-byte gossip key enables %s encryption, generate a 32-byte key to enable AES-256", len(key), encMethod) + l.Info(msg) + } + // Just exit if the file already exists. if _, err := os.Stat(path); err == nil { return nil