Claude/fix workflows 01 qu lsa cjrve2f9uv2 lfcs1f#14
Merged
Conversation
…d data This commit addresses critical security vulnerabilities where sensitive data was stored in plain text, violating the fundamental HSM security requirement that ALL information must be encrypted at rest. Configuration File Encryption (hsm_config.h): - Replace plain text config storage with AES-256-GCM encrypted binary format - File format: Magic(8) + IV(12) + Tag(16) + Encrypted_Data(variable) - Magic number "VHSMCFG1" for file format validation - Authenticated encryption prevents tampering (GCM authentication tag) - Encryption key derived from SHA-256 hash of system-specific salt - Secure file permissions set to 0600 automatically - Backward compatible: gracefully handles missing/corrupted files with defaults - Zero sensitive data after encryption/decryption operations Audit Log Encryption (hsm_security.h): - Convert plain text audit logs to encrypted binary format - Each entry encrypted individually with unique IV for security - File format: Magic(8) + [IV(12) + Tag(16) + Encrypted_Entry]* - Magic number "VHSMAUD1" for encrypted audit log identification - Prevents audit log tampering with GCM authentication - Maintains append-only semantics for audit trail integrity - Entry structure: timestamp, event_type, key_name, user_id, details, success Key Metadata Encryption (hsm_security.h): - Encrypt key lifecycle metadata (previously stored as plain binary) - File format: Magic(8) + IV(12) + Tag(16) + Encrypted_Metadata - Magic number "VHSMMETA" for metadata file identification - Protects sensitive information: creation time, rotation history, usage stats - Backward compatible: detects old unencrypted format and re-initializes - Secure permissions (0600) enforced on metadata files - Metadata includes: key_name, timestamps, state, use_count, rotation_version Security Improvements: - All encryption uses AES-256-GCM (authenticated encryption) - Random IV generation for each encryption operation (RAND_bytes) - Authentication tags prevent tampering and detect corruption - Separate encryption keys for config, audit, and metadata isolation - Keys derived from SHA-256 of distinct salts (defense in depth) - Secure memory zeroing after operations (prevents memory leaks) - Proper error handling with detailed diagnostic messages - File permissions automatically set to 0600 (owner read/write only) Testing Performed: - Configuration save/load cycle verified with encrypted format - Audit log entries confirmed encrypted (binary data, not text) - Key metadata verified encrypted with magic number validation - All files show as "data" (not text) in file type detection - Successful decryption and authentication tag verification - Build tested successfully with no errors (minor truncation warning) File Format Details: Configuration: VHSMCFG1(8 bytes) + IV(12) + Tag(16) + Encrypted_HSMConfig_struct Audit Log: VHSMAUD1(8 bytes) + [IV(12) + Tag(16) + Encrypted_AuditLogEntry]* Metadata: VHSMMETA(8 bytes) + IV(12) + Tag(16) + Encrypted_KeyMetadata_struct Security Notes: - Production deployments should enhance key derivation with hardware ID - Consider using user-provided passphrases for key derivation - Current implementation uses deterministic salts (suitable for demo/testing) - For FIPS compliance, use FIPS-validated OpenSSL build - Audit logs are append-only; consider log rotation for large deployments This change ensures 100% compliance with the security requirement: "ALL information at all times must be securely stored and encrypted"
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.