From e573acfc83d313e5308e405c2066ad0a6c477499 Mon Sep 17 00:00:00 2001 From: Jez Barnsley Date: Thu, 5 Mar 2026 13:55:54 +0000 Subject: [PATCH] Private key is base64-encoded --- README.md | 34 ++++++++++++++------------- src/server/services/helpers/crypto.js | 5 ++-- 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 8d11f4f57..4cb537353 100644 --- a/README.md +++ b/README.md @@ -174,22 +174,23 @@ Please use a config file instead. This will give you more control over each envi The defaults can be found in [config](./src/config/index.ts). Place your config files in `runner/config` See [https://github.com/node-config/node-config#readme](https://github.com/node-config/node-config#readme) for more info. -| name | description | required | default | valid | notes | -| --------------------- | -------------------------------------------------------------------------------- | :------: | ------- | :-------------------------: | :---------------------------------------------------------------------------------------------------------------------: | -| NODE_ENV | Node environment | no | | development,test,production | | -| PORT | Port number | no | 3009 | | | -| NOTIFY_TEMPLATE_ID | Notify api key | yes | | | Template ID required to send form payloads via [GOV.UK Notify](https://www.notifications.service.gov.uk) email service. | -| NOTIFY_API_KEY | Notify api key | yes | | | API KEY required to send form payloads via [GOV.UK Notify](https://www.notifications.service.gov.uk) email service. | -| LOG_LEVEL | Log level | no | debug | trace,debug,info,error | | -| PHASE_TAG | Tag to use for phase banner | no | beta | alpha, beta, empty string | | -| HTTP_PROXY | HTTP proxy to use, e.g. the one from CDP. Currently used for Hapi Wreck. | no | | | | -| HTTPS_PROXY | HTTPS proxy to use, e.g. the one from CDP. Currently used for Hapi Wreck. | no | | | | -| NO_PROXY | HTTP proxy to use, e.g. the one from CDP. Currently used for Hapi Wreck. | no | | | | -| AWS_ACCESS_KEY_ID | AWS key id | yes | dummy | | | -| AWS_SECRET_ACCESS_KEY | AWS access key | yes | dummy | | | -| SNS_ENDPOINT | Endpoint for SNS messaging | yes | | | | -| SNS_ADAPTER_TOPIC_ARN | The SNS topic for the submission adapter - in Amazon Resource Name (ARN) format. | yes | | | | -| SNS_SAVE_TOPIC_ARN | The SNS topic for the save-and-exit - in Amazon Resource Name (ARN) format. | yes | | | | +| name | description | required | default | valid | notes | +| ----------------------- | ----------------------------------------------------------------------------------------------------- | :------: | ------- | :-------------------------: | :---------------------------------------------------------------------------------------------------------------------: | +| NODE_ENV | Node environment | no | | development,test,production | | +| PORT | Port number | no | 3009 | | | +| NOTIFY_TEMPLATE_ID | Notify api key | yes | | | Template ID required to send form payloads via [GOV.UK Notify](https://www.notifications.service.gov.uk) email service. | +| NOTIFY_API_KEY | Notify api key | yes | | | API KEY required to send form payloads via [GOV.UK Notify](https://www.notifications.service.gov.uk) email service. | +| LOG_LEVEL | Log level | no | debug | trace,debug,info,error | | +| PHASE_TAG | Tag to use for phase banner | no | beta | alpha, beta, empty string | | +| HTTP_PROXY | HTTP proxy to use, e.g. the one from CDP. Currently used for Hapi Wreck. | no | | | | +| HTTPS_PROXY | HTTPS proxy to use, e.g. the one from CDP. Currently used for Hapi Wreck. | no | | | | +| NO_PROXY | HTTP proxy to use, e.g. the one from CDP. Currently used for Hapi Wreck. | no | | | | +| AWS_ACCESS_KEY_ID | AWS key id | yes | dummy | | | +| AWS_SECRET_ACCESS_KEY | AWS access key | yes | dummy | | | +| SNS_ENDPOINT | Endpoint for SNS messaging | yes | | | | +| SNS_ADAPTER_TOPIC_ARN | The SNS topic for the submission adapter - in Amazon Resource Name (ARN) format. | yes | | | | +| SNS_SAVE_TOPIC_ARN | The SNS topic for the save-and-exit - in Amazon Resource Name (ARN) format. | yes | | | | +| PRIVATE_KEY_FOR_SECRETS | Base64-encoded private key (paired witht he public key from forms-manager) for decryption of secrets. | yes | | | | For proxy options, see https://www.npmjs.com/package/proxy-from-env which is used by https://github.com/TooTallNate/proxy-agents/tree/main/packages/proxy-agent. @@ -216,6 +217,7 @@ USE_SINGLE_INSTANCE_CACHE=true SNS_ENDPOINT="http://localhost:4566" SNS_ADAPTER_TOPIC_ARN="arn:aws:sns:eu-west-2:000000000000:forms_runner_submission_events" SNS_SAVE_TOPIC_ARN="arn:aws:sns:eu-west-2:000000000000:forms_runner_events" +PRIVATE_KEY_FOR_SECRETS="" ``` # Testing diff --git a/src/server/services/helpers/crypto.js b/src/server/services/helpers/crypto.js index b4d70fc27..91f5dd4dc 100644 --- a/src/server/services/helpers/crypto.js +++ b/src/server/services/helpers/crypto.js @@ -7,10 +7,11 @@ import { config } from '~/src/config/index.js' * @returns {string} base64-encoded result */ export function decryptSecret(secretValue) { - const privateKey = config.get('privateKeyForSecrets') - if (!privateKey) { + const privateKeyEncoded = config.get('privateKeyForSecrets') + if (!privateKeyEncoded) { throw new Error('Private key is missing') } + const privateKey = Buffer.from(privateKeyEncoded, 'base64').toString() const buffer = Buffer.from(secretValue, 'base64') const decrypted = crypto.privateDecrypt(privateKey, buffer) return decrypted.toString()