PMM-9947: Encryption

[ritbl]

PMM-9947

E2E encryption proposal.

FB:

• PMM-9947: FB Percona-Lab/pmm-submodules#2552

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
publicKey is unused (deadcode)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
use of fmt.Println forbidden by pattern ^(fmt\.Print(|f|ln)|print|println)$ (forbidigo)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
string key1 has 3 occurrences, make it a constant (goconst)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
offBy1: Index() can return -1; maybe you wanted to do text[:bodyStart+1] (gocritic)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
don't use an underscore in package name (golint)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
G304: Potential file inclusion via variable (gosec)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
exported: exported method Service.DecryptDsn should have comment or be unexported (revive)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)

[github-actions]

🚫 [golangci-lint] _{reported by reviewdog 🐶}
error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)

[BupycHuk]

Thanks, finally I found a time to review this PR. Sorry for that.
How are we going to share public and private keys between pmm-admin and pmm-agent? Are we going to inject them during the build of PMM or just store them in repository or generate them on PMM managed side and share accross clients?
If we will store them in repository than still it's not secure. pmm-admin allows to add agents to another host and if pmm-agent on another host doesn't support ecryption we will have a problem.
If we will inject keys during build we should disable encryption by default for builds made by community to not have problems with compatability.

Tests are failing. Please fix them.
Please fix linters as well.

[BupycHuk]

can we pass the encryptor instead of passing context and trying to extract the encryptor from context. As far as I see there is no check for the existence of an encryptor and that's why your tests are failing.

[ritbl]

I'll fix the tests

[BupycHuk]

can we call it Encryptor?

[BupycHuk]

Too many public methods, let's make methods private if we don't use them outside of this package.

[ritbl]

can we call it Encryptor?
ok

Too many public methods, let's make methods private if we don't use them outside of this package.
What method/methods you think should be made private?

[BupycHuk]

I think I was clear here. All methods are not used outside of this package.

[BupycHuk]

I don't see any usage of this method.

[BupycHuk]

should it be a method at all? looks like it can be just a function

[BupycHuk]

Do we really need all these constants be public?

[ritbl]

Ok. Will make them private

[ritbl]

@BupycHuk

How are we going to share public and private keys between pmm-admin and pmm-agent?

We have multiple options:
1: Leave as it is in this PR - anyone with a bit of patience can find all the keys and decrypt data
Security: 1 out of 5 (very bad). Just grab the keys from repo....
Ease of change / backward compatibility: 5 out of 5 (great).

2: Inject keys in the build time. Someone needs to generate keys and put in secrets in the repo.
Security: 2 out of 5 (bad). Keys will be embedded. It will make harder to get the key but it is still very easy.
Ease of change / backward compatibility: 4 out of 5 (good)

3: Inject keys before pmm starts.
Security: 3-4 out of 5 (good). Proper solution will take time and client now need to manage the keys. It can be make semi-transparent, but still it will require a lot more work.
Ease of change / backward compatibility: 1 out of 5 (very bad)

We can start with any of these, the key can be rotated later. I think any solution would be better if we compare it with the current one.

by default for builds made by community to not have problems with compatability

Actually, it is not needed. It will all work. It is backward compatible. We can start with key being even stored in source code (just because it is easy). Later we can provide better key management solution and create simple rotation job. The key name is embedded into metadata, so that we can have multiple keys.

[BupycHuk]

pmm-admin allows to add agents to another host; if pmm-agent on another host doesn't support encryption, we will have a problem.
it's not a typical case, but it's still possible.

[ritbl]

@BupycHuk

pmm-admin allows to add agents to another host; if pmm-agent on another host doesn't support encryption, we will have a problem.
it's not a typical case, but it's still possible.

Admin perform encryption, for that public key is used. It doesn't need to be kept in secret.
We can embed public key and even put in the source code. Only private key should be taken care of (agent).

[artemgavrilov]

@BupycHuk @ritbl
To be honest I have feeling that this kind of protection should be done on different level. I think it's responsibility of a system administrator to setup TLS certificates for PMM server and we should just respect these settings. This is more obvious and typical solution than custom encryption of just passwords (other information may be sensitive as well). To prevent passwords leaking to logs we can just make codebase audit.

Options 1 and 2 have no sense, it's increasing complexity with almost zero profit. Option 3 may work, but again system administrator should take care for keys management. For now I thinks we can notify user in logs/UI that connection is insecure and ask him to setup TLS.

[ademidoff]

@ritbl Do you mind if I convert it to draft to suppress notifications?