From d73f13907b62cb577967ae37576c89aa94e0bf56 Mon Sep 17 00:00:00 2001
From: Geoffrey Wilson
Date: Mon, 4 Nov 2024 09:41:00 -0500
Subject: [PATCH] Db encryption (#65)
* Add optional field encryption to Domain
* Add instructions for db encryption
---
 README.md | 24 ++++++++++++++++++++++++
 app/models/domain.rb | 5 +++++
 config/astral.yml | 3 +++
 config/credentials.yml.enc | 1 -
 4 files changed, 32 insertions(+), 1 deletion(-)
 delete mode 100644 config/credentials.yml.enc
diff --git a/README.md b/README.md
index 6a143ab..c32f6cf 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,30 @@ UPPER_CASE). Environment vars will override any values in the config file. Per-environment settings in the config file(development, test, production) will override the shared values for that type. +## Database encryption +The local database can be encrypted, if needed, but requires a bit of setup +and careful retention of a master key. Note that there are performance impacts. + +1. First, create encryption keys for the database: +``` +rails db:encryption:init +``` +Copy the output to your clipboard. + +2. Next, create a `credentials.yml.enc` file: +``` +EDITOR=vi rails credentials:edit +``` +Paste the db encryption key data into this file, save, and exit. + +NB, the credentials file is decoded by a key placed in +`config/master.key`. Be sure to save this file (it is .gitignored)! + +3. Finally, set the following Astral configuration to 'true': +``` + db_encryption: true +``` + +## mTLS connections Astral can be run as an SSL service and can communicate with Vault via SSL. Just set the following values in `config/astral.yml` (or environment) to
diff --git a/app/models/domain.rb b/app/models/domain.rb
index 72003bb..a7a1ca2 100644
--- a/app/models/domain.rb
+++ b/app/models/domain.rb
@@ -1,6 +1,11 @@ class Domain < ApplicationRecord validates :fqdn, presence: true + if Config[:db_encryption] + encrypts :fqdn, :users, :groups + end + + def groups_array (groups || "").split(",").sort.uniq end
diff --git a/config/astral.yml b/config/astral.yml
index a52ebef..287e475 100644
--- a/config/astral.yml
+++ b/config/astral.yml
@@ -1,6 +1,9 @@ # Astral configuration # Note that values can be supplied here or as environment vars (UPPER_CASE). shared: + # Set to true and follow setup guide for encrypted sql database fields + db_encryption: false + vault_token: vault_addr: # if VAULT_ADDR is https with self-signed cert, need to provide
diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
deleted file mode 100644
index 68260f7..0000000
--- a/config/credentials.yml.enc
+++ /dev/null
@@ -1 +0,0 @@
-fxqU7YIb3OpXuAinPFAShBIC2wVMPP2qAUCvI3OQVNj0J4Ou6dVYreLmEBHXNiJQgZ9w2tHo2DoIXa3mP2cgj6w/XKDe5QghUaRVL6XBT75xsVd1sfiqMqIHe+LA9Jzq+eVqtZBnBPR+rpbJv8Mc/IvrdS+N+zW44Ox11h9ScGcSflELOzfLDjG9nJt7OF9hoGZpKfq8uKjuAPd/qC3PVR7TDizYpJw4JEwqUtCiG1K6/Hq5DlsJ1sYjr2lRdqkTqWSD0l9YOz2VHm6IZPT9KrpgDg1k6jBEC+mrlX0PecrN/Ppo6sYGrTsJuXPCV2JZNcXQ9VlJyL6UHcj7QY2s1At10O7GlA9fxqu2RvPwI6RPXnuy5RoIr6naFPysVaOLqdaR38keEjSynnPql0UlWhjZO74g--jyA5SY7Kpz1KdBCy--pkajz+uD2OZtKQE6aVmaDg==
\ No newline at end of file
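Review bot: `encrypts :fqdn, :users, :groups` inside the new `if Config[:db_encryption]` block uses Active Record's default non-deterministic encryption, so once the flag is on any `find_by(fqdn:)`/`where(fqdn:)` or uniqueness lookup on fqdn elsewhere in the app silently stops matching; no such caller is visible in this hunk, so confirm against callers and, if fqdn must stay queryable, split it out as `encrypts :fqdn, deterministic: true` while leaving `:users` and `:groups` non-deterministic. Because the macro is evaluated once at class-load time from a config value, flipping `db_encryption` after rows exist yields a mix of plaintext and ciphertext that Rails refuses to read unless `config.active_record.encryption.support_unencrypted_data = true` is set for a migration window, so a comment above the `if` such as `# One-way switch: rows written with this on are ciphertext; see README "Database encryption"` would save an operator from an outage. Ciphertext plus its JSON envelope is longer than the plaintext, so the width of the three columns should be checked too (the schema is not in this patch). Minor style: there are two blank lines between the block's `end` and `def groups_array`, where Layout/EmptyLines expects one.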
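Review bot: The comment on the new `db_encryption` key does not warn that the switch is effectively one-way: rows written while it is `true` are stored as ciphertext, and turning it back to `false` or losing `config/master.key` leaves them unreadable, which is exactly the operational risk someone editing this file needs to know. I would replace it with `# Set to true to encrypt Domain fields at rest (see README "Database encryption" for key setup).` followed by `# Do not turn off again once rows have been written with it on; ciphertext rows need the key to be read.` Since the header comment says values may also arrive from the environment (`DB_ENCRYPTION`), it is worth confirming that Config coerces the string `"false"` to a boolean, because a raw string is truthy in the model's `if Config[:db_encryption]` and would enable encryption unexpectedly.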