
Run acceptance tests with masterkey and HSM #284

Open
IljaN opened this issue Jun 16, 2021 · 6 comments
@IljaN
Member

IljaN commented Jun 16, 2021

ownCloud talks to the hsmdaemon (a Go daemon) via a REST API, which in turn talks to SoftHSM, an HSM emulation. The "softhsm" package is available for every major distro. Concept and setup documentation can be found here: https://doc.owncloud.com/server/admin_manual/configuration/server/security/hsmdaemon/

Note that if you follow the instructions above ownCloud will default to userkey encryption. So additionally the steps described here should be executed: https://doc.owncloud.com/server/admin_manual/configuration/files/encryption/master-key-encryption.html#enable-and-configure-master-key-based-encryption.

The tests don't need to run for each PR, it should be enough to trigger them on each release.

As the hsmdaemon is closed-source we could either provide the compiled binary to the CI pipeline or compile it during the run. This would require a golang environment.

@mmattel
Contributor

mmattel commented Jun 21, 2021

The HSM docs implicitly use user-key and then mention the change to master-key.

If you want to use a single master key run
occ encryption:select-encryption-type masterkey

If I remember correctly, we want to "force" admins to use master-key encryption right from the start, and we have a Deprecation Note for User-key Storage Encryption in the release notes of 10.7.
Why not do this from the beginning by promoting master-key and dropping the user-key description in the HSM docs? Is there a particular issue behind why we do it as we do now, or could/should that be changed (from the docs POV)?

@jnweiger fyi

@phil-davis
Contributor

@IljaN @jnweiger do we want to try and do this?

If so, the first blocker that we have come to is the hsmdaemon - the docs say "After you have obtained the hsmdaemon from ownCloud, you need to..." - how can we get the hsmdaemon software?

@SwikritiT
Contributor

@IljaN @jnweiger do we want to try and do this?

If so, the first blocker that we have come to is the hsmdaemon - the docs say "After you have obtained the hsmdaemon from ownCloud, you need to..." - how can we get the hsmdaemon software?

Blocked until we get the reply of this ^

@IljaN
Member Author

IljaN commented Jan 2, 2023

You can fetch the latest version from the customer cloud.

@IljaN
Member Author

IljaN commented Jan 2, 2023

We can probably use https://github.com/psmiraglia/docker-softhsm as a template. IIRC it is possible to automate the interactive token generation step from the ReadMe.

@SagarGi
Member

SagarGi commented Feb 8, 2023

I am taking over this issue.

@SagarGi SagarGi assigned SagarGi and unassigned grgprarup Feb 8, 2023
@SagarGi SagarGi removed their assignment Apr 21, 2023