PMM-13132 Encryption rotation. (#3199)
* PMM-13129 Tidy.

* PMM-13129 Migration basics.

* PMM-13129 Format.

* PMM-13129 Encrypt, EncryptDB, Decrypt, DecryptDB, refactor.

* PMM-13129 Encryption test workflow.

* PMM-13129 Remove install.

* PMM-13129 Encrypt/Decrypt agents.

* PMM-13129 Changes.

* PMM-13145 Fix for tests.

* PMM-13129 Fix Mongo test.

* PMM-13129 Fix.

* PMM-13129 Encrypt fixture.

* PMM-13129 Encryption test.

* PMM-13129 File mode test.

* PMM-13129 Fix credentials for test env.

* PMM-13129 Clean.

* PMM-13129 Correct DB for encryption test.

* PMM-13129 Moved to utils folder.

* PMM-13129 Empty password fix.

* PMM-13129 Debug logs to warning level.

* PMM-13129 Format.

* PMM-13129 Small change in generated query.

* PMM-13129 Password set check.

* PMM-13129 Fix wrong field.

* PMM-13129 Init in migration.

* PMM-13129 Precheck if already encrypted, moved into managed utils.

* PMM-13129 Migration.

* PMM-13129 Fix for EncryptDB. Encrypt/Decrypt username.

* PMM-13129 Formatting of encryption error, createAgent username fix.

* PMM-13129 Remove unused method for now.

* PMM-13129 Correct mode for cert file.

* PMM-13129 Remove DB test, small refactor.

* PMM-13129 Encryption for external exporter.

* PMM-13129 Fix tests after external exporter encryption.

* PMM-13129 Fix mongo tests.

* PMM-13129 Fix another test to expect encrypted username.

* PMM-13129 Another fix for tests to expect encrypted username.

* PMM-13129 Fix for DecryptDB.

* PMM-13129 Err if encryption is not initialized.

* PMM-13129 Delimiter fix.

* PMM-13129 Fix DecryptDB.

* PMM-13129 Small change in agent test.

* PMM-13129 Fix non related test to make it green for now.

* PMM-13129 Add license headers.

* PMM-13129 License.

* PMM-13129 Lint.

* PMM-13129 Another lint.

* PMM-13129 Lint.

* PMM-13129 Default encryption changes.

* PMM-13129 Encrypt, decrypt all other secret, credentials in agents.

* PMM-13129 Changes, some refactors.

* PMM-13129 Another changes.

* PMM-13129 Refactor.

* PMM-13129 Fix.

* PMM-13129 Changes.

* PMM-13129 Changes.

* PMM-13129 Save.

* PMM-13129 Changes.

* PMM-13129 Another changes.

* PMM-13129 Refactor, another changes.

* PMM-13129 Disable migration encryption until it is done.

* PMM-13129 Basics for settings and migration.

* PMM-13129 Original code for isPasswordSet.

* PMM-13129 Fix current settings test.

* PMM-13129 Basic changes to be able pass custom handlers.

* PMM-13129 Handlers, PG handler.

* PMM-13129 Refactor.

* PMM-13129 Changes, refactor.

* PMM-13129 Migrate and encrypt all possible fields.

* PMM-13129 Fix for service info broker.

* PMM-13129 Fix for settings helper test.

* PMM-13129 Refactor.

* PMM-13129 Lint.

* PMM-13129 Lint.

* PMM-13129 Format.

* PMM-13129 Fix settings helpers test.

* PMM-13129 License header.

* PMM-13129 Another lint.

* PMM-13129 Lint.

* PMM-13129 Changes to fix tests. Refactor.

* PMM-13129 Format.

* PMM-13129 Fix.

* PMM-13129 Encrypt items now receive opened DB connection, refactor.

* PMM-13129 Lint (correct ctx).

* PMM-13129 Refactor, lint.

* PMM-13129 Check.

* PMM-13129 Lint.

* PMM-13129 Fix settings test.

* PMM-13129 Fix to prevent double encryption on setup fixtures.

* PMM-13129 Changes.

* PMM-13129 Encrypt only basic fields in tests (migration).

* PMM-13129 Test.

* PMM-13129 Lint.

* PMM-13129 Different encrypted columns for different migration versions.

* PMM-13129 Fix.

* PMM-13129 TODO.

* PMM-13129 TODO.

* PMM-13129 Check for nothing to encrypt.

* PMM-13129 Encrypted fields based on migration version.

* PMM-13129 Better debug.

* PMM-13129 Lint.

* PMM-13129 Fix, better debug.

* PMM-13129 Exit in case of encryption initialization error.

* PMM-13129 Handle nil migration version.

* PMM-13129 Typo.

* PMM-13129 Fix for service broker and connection check.

* PMM-13129 Comments.

* PMM-13129 Remove debug logging.

* PMM-13129 Remove pointer in EncryptAgent, DecryptAgent.

* PMM-13129 Fix.

* PMM-13129 Fix for service_info_broker.

* PMM-13129 Fix service_info_broker options pointer propagation.

* PMM-13129 Fix for custom labels after removed pointer.

* PMM-13129 Hide cipherText in error message.

* PMM-13129 Panic in case of unavailable encryption.

* PMM-13129 Remove CA certificates from encryption/decryption.

* PMM-13129 Required refactor.

* Update api/serverpb/server.proto

Co-authored-by: Alex Demidoff <[email protected]>

* Update managed/models/database.go

Co-authored-by: Alex Demidoff <[email protected]>

* Update managed/utils/encryption/encryption.go

Co-authored-by: Alex Demidoff <[email protected]>

* Update managed/utils/encryption/models.go

Co-authored-by: Alex Demidoff <[email protected]>

* Update managed/utils/encryption/models.go

Co-authored-by: Alex Demidoff <[email protected]>

* Update managed/utils/encryption/helpers.go

Co-authored-by: Alex Demidoff <[email protected]>

* PMM-13129 Gen.

* PMM-13129 Identifiers word.

* PMM-13129 Remove CAs from handlers.

* Update managed/models/settings.go

Co-authored-by: Alex Demidoff <[email protected]>

* Update managed/utils/encryption/encryption.go

Co-authored-by: Alex Demidoff <[email protected]>

* Update managed/utils/encryption/encryption.go

Co-authored-by: Alex Demidoff <[email protected]>

* PMM-13129 Dereference all DB options on encrypt/decrypt.

* PMM-13129 Custom labels.

* Revert "PMM-13129 Custom labels."

This reverts commit 903b4ef.

* Revert "PMM-13129 Dereference all DB options on encrypt/decrypt."

This reverts commit fe3be31.

* Reapply "PMM-13129 Custom labels."

This reverts commit 9fd8982.

* Reapply "PMM-13129 Dereference all DB options on encrypt/decrypt."

This reverts commit f955040.

* PMM-13129 Remove old migrations tests, required refactor.

* Revert "Reapply "PMM-13129 Custom labels.""

This reverts commit 687a2e2.

* Revert "Reapply "PMM-13129 Dereference all DB options on encrypt/decrypt.""

This reverts commit f09bef1.

* PMM-13129 Logic change.

* PMM-13129 Remove username, aws_access_key, aws_secret_key from enc.

* PMM-13129 Env variable for custom encryption key.

* PMM-13129 Custom key for main check.

* PMM-13129 Remove decrypt agent from create agent methods.

* PMM-13129 Change to skip empty values from encryption.

* PMM-13129 Remove unused struct.

* Update managed/models/database.go

Co-authored-by: Nurlan Moldomurov <[email protected]>

* PMM-13129 Renaming of variable.

* PMM-13129 Remove EncryptedItems field from settings proto.

* PMM-13129 Workaround to create FB for now. Will be reverted.

* PMM-13129 Fix connection checker dsn bug.

* PMM-13129 Another dsn bug.

* PMM-13129 Add back decrypt after insert to fix connection checker.

* PMM-13129 Update reduct words.

* PMM-13129 Fix for test after new redact word.

* PMM-13132 Basics.

* PMM-13132 Some changes.

* PMM-13132 Make format.

* PMM-13132 Mod fix, tidy.

* PMM-13132 Fix.

* PMM-13132 Changes.

* PMM-13132 Changes.

* PMM-13132 Rotation.

* PMM-13132 Format.

* PMM-13132 Changes.

* PMM-13132 Fix.

* PMM-13132 Backup and restore of previous key.

* PMM-13132 Changes.

* PMM-13132 Lint.

* PMM-13132 Correct message.

* PMM-13132 Changes related to tests.

* PMM-13132 Test for whole cycle.

* PMM-13132 Handle OS interruptions.

* PMM-13132 Lint.

* PMM-13132 Lint.

* PMM-13132 Logger and logs.

* PMM-13132 Test DB.

* Revert "PMM-13132 Test DB."

This reverts commit e8f94bf.

* PMM-13132 Changes, CI.

* PMM-13132 Fix in test.

* PMM-13132 Changes.

* PMM-13132 Skip encryption-rotation test in main test.

* PMM-13132 Basic makefile for encryption-rotation.

* PMM-13132 Remove duplicate defaults.

* PMM-13132 Changes in workflow.

* PMM-13132 Remove devcontainer from makefile.

* PMM-13132 Add ENV variable for rotation key.

* PMM-13132 Add PG.

* PMM-13132 Remove user, pass in PG compose.

* PMM-13132 Test of user.

* PMM-13132 Change path for test.

* PMM-13132 Test of simpler structure.

* PMM-13132 Another changes in structure.

* PMM-13132 Another changes to simplify rotation.

* PMM-13132 Format.

* PMM-13132 Improvements.

* PMM-13132 Add command to makefile, lint.

* PMM-13132 Lint.

* PMM-13132 Lint.

* PMM-13132 Wrappers around default on newly added methods.

* PMM-13132 Move into cmd of pmm-managed.

* PMM-13132 Suggested refactor.

* PMM-13132 Another suggested refactor.

* PMM-13132 Fix.

* PMM-13132 Move encryption models into encryption file.

* PMM-13132 Make.

* PMM-13132 Migration to kong.

* PMM-13132 Add consts.

* PMM-13132 Lint.

* PMM-13132 Specs.

* PMM-13132 Move encryption rotation to services.

* PMM-13132 Lint.

* PMM-13132 Add interval and retries.

* PMM-13132 Fix after conflicts.

---------

Co-authored-by: Alex Demidoff <[email protected]>
Co-authored-by: Nurlan Moldomurov <[email protected]>
3 people authored Nov 7, 2024
1 parent 1443256 commit 4266c88
Showing 13 changed files with 582 additions and 136 deletions.
3 changes: 3 additions & 0 deletions Makefile
Expand Up @@ -38,3 +38,6 @@ TARGET ?= _bash
env: ## Run `make TARGET` in devcontainer (`make env TARGET=help`); TARGET defaults to bash
COMPOSE_PROFILES=$(PROFILES) \
docker exec -it --workdir=/root/go/src/github.com/percona/pmm pmm-server make $(TARGET)

rotate-encryption: ## Rotate encryption key
go run ./encryption-rotation/main.go
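Review bot: The `rotate-encryption` recipe runs `go run ./encryption-rotation/main.go`, but the tool added in this commit lives at `managed/cmd/pmm-encryption-rotation/main.go`, so this path does not match any file in the change. Point the recipe at `./managed/cmd/pmm-encryption-rotation`, or drop the target and rely on the packaged `pmm-encryption-rotation` binary, so the documented way to rotate keys actually runs.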
5 changes: 5 additions & 0 deletions build/packages/rpm/server/SPECS/pmm-managed.spec
Expand Up @@ -51,6 +51,7 @@ install -d -p %{buildroot}%{_sbindir}
install -d -p %{buildroot}%{_datadir}/%{name}
install -d -p %{buildroot}%{_datadir}/pmm-ui
install -p -m 0755 bin/pmm-managed %{buildroot}%{_sbindir}/pmm-managed
install -p -m 0755 bin/pmm-encryption-rotation %{buildroot}%{_sbindir}/pmm-encryption-rotation
install -p -m 0755 bin/pmm-managed-init %{buildroot}%{_sbindir}/pmm-managed-init
install -p -m 0755 bin/pmm-managed-starlark %{buildroot}%{_sbindir}/pmm-managed-starlark

Expand All @@ -62,12 +63,16 @@ cp -pa ./ui/dist/. %{buildroot}%{_datadir}/pmm-ui
%license src/%{provider}/LICENSE
%doc src/%{provider}/README.md
%{_sbindir}/pmm-managed
%{_sbindir}/pmm-encryption-rotation
%{_sbindir}/pmm-managed-init
%{_sbindir}/pmm-managed-starlark
%{_datadir}/%{name}
%{_datadir}/pmm-ui

%changelog
* Mon Sep 23 2024 Jiri Ctvrtka <[email protected]> - 3.0.0-1
- PMM-13132 add PMM encryption rotation tool

* Fri Mar 22 2024 Matej Kubinec <[email protected]> - 3.0.0-1
- PMM-11231 add pmm ui

1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -67,6 +67,7 @@ require (
github.com/sirupsen/logrus v1.9.3
github.com/stretchr/objx v0.5.2
github.com/stretchr/testify v1.9.0
github.com/tink-crypto/tink-go v0.0.0-20230613075026-d6de17e3f164
go.mongodb.org/mongo-driver v1.17.1
go.starlark.net v0.0.0-20230717150657-8a3343210976
golang.org/x/crypto v0.28.0
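Review bot: The added requirement `github.com/tink-crypto/tink-go v0.0.0-20230613075026-d6de17e3f164` is a pseudo-version, meaning an untagged commit from June 2023, which is a weak pin for a cryptographic dependency. Prefer a tagged release (the project publishes them under the `github.com/tink-crypto/tink-go/v2` module path) so that update tooling and vulnerability scanners can match it against released versions.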
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -505,6 +505,8 @@ github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
github.com/tink-crypto/tink-go v0.0.0-20230613075026-d6de17e3f164 h1:yhVO0Yhq84FjdcotvFFvDJRNHJ7mO743G12VdcW4Evc=
github.com/tink-crypto/tink-go v0.0.0-20230613075026-d6de17e3f164/go.mod h1:HhtDVdE/PRZFRia834tkmcwuscnaAzda1RJUW9Pr3Rg=
github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
3 changes: 3 additions & 0 deletions managed/Makefile
Expand Up @@ -38,6 +38,9 @@ clean: ## Remove generated files
release: ## Build pmm-managed release binaries
env CGO_ENABLED=0 go build -v $(PMM_LD_FLAGS) -o $(PMM_RELEASE_PATH)/ ./cmd/...

release-encryption-rotation: ## Build PMM encryption rotation tool
env CGO_ENABLED=0 go build -v $(PMM_LD_FLAGS) -o $(PMM_RELEASE_PATH)/ ./cmd/pmm-encryption-rotation/...

release-starlark:
env CGO_ENABLED=0 go build -v $(PMM_LD_FLAGS) -o $(PMM_RELEASE_PATH)/ ./cmd/pmm-managed-starlark/...
$(PMM_RELEASE_PATH)/pmm-managed-starlark --version
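Review bot: The new `release-encryption-rotation` target builds `./cmd/pmm-encryption-rotation/...`, which the `release` target directly above already covers through `./cmd/...`, so the two recipes can produce the same binary by different routes. Either drop the separate target or say in its `##` help text when it should be used instead of `release`.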
95 changes: 95 additions & 0 deletions managed/cmd/pmm-encryption-rotation/main.go
@@ -0,0 +1,95 @@
// Copyright (C) 2023 Percona LLC
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
// Package main is the main package for encryption keys rotation.
package main

import (
"fmt"
"os"
"os/signal"
"syscall"

"github.com/alecthomas/kong"
"github.com/sirupsen/logrus"

"github.com/percona/pmm/managed/models"
encryptionService "github.com/percona/pmm/managed/services/encryption"
"github.com/percona/pmm/utils/logger"
"github.com/percona/pmm/version"
)

const codeDBConnectionFailed = 1

func main() {
signal.Ignore(syscall.SIGINT, syscall.SIGTERM) // to prevent any interuptions during process

logger.SetupGlobalLogger()

logrus.Infof("PMM Encryption Rotation Tools version: %s", version.Version)

sqlDB, err := models.OpenDB(setupParams())
if err != nil {
logrus.Error(err)
os.Exit(codeDBConnectionFailed)
}

statusCode := encryptionService.RotateEncryptionKey(sqlDB, "pmm-managed")
sqlDB.Close() //nolint:errcheck

os.Exit(statusCode)
}

type flags struct {
Address string `name:"postgres-addr" default:"${address}" help:"PostgreSQL address with port"`
DBName string `name:"postgres-name" default:"pmm-managed" help:"PostgreSQL database name"`
DBUsername string `name:"postgres-username" default:"pmm-managed" help:"PostgreSQL database username name"`
DBPassword string `name:"postgres-password" default:"pmm-managed" help:"PostgreSQL database password"`
SSLMode string `name:"postgres-ssl-mode" default:"${disable_sslmode}" help:"PostgreSQL SSL mode" enum:"${disable_sslmode}, ${require_sslmode},${verify_sslmode}, ${verify_full_sslmode}"` //nolint:lll
SSLCAPath string `name:"postgres-ssl-ca-path" help:"PostgreSQL SSL CA root certificate path" type:"path"`
SSLKeyPath string `name:"postgres-ssl-key-path" help:"PostgreSQL SSL key path" type:"path"`
SSLCertPath string `name:"postgres-ssl-cert-path" help:"PostgreSQL SSL certificate path" type:"path"`
}

func setupParams() models.SetupDBParams {
var opts flags
kong.Parse(
&opts,
kong.Name("encryption-rotation"),
kong.Description(fmt.Sprintf("Version %s", version.Version)),
kong.UsageOnError(),
kong.ConfigureHelp(kong.HelpOptions{
Compact: true,
NoExpandSubcommands: true,
}),
kong.Vars{
"address": models.DefaultPostgreSQLAddr,
"disable_sslmode": models.DisableSSLMode,
"require_sslmode": models.RequireSSLMode,
"verify_sslmode": models.VerifyCaSSLMode,
"verify_full_sslmode": models.VerifyFullSSLMode,
},
)

return models.SetupDBParams{
Address: opts.Address,
Name: opts.DBName,
Username: opts.DBUsername,
Password: opts.DBPassword,
SSLMode: opts.SSLMode,
SSLCAPath: opts.SSLCAPath,
SSLKeyPath: opts.SSLKeyPath,
SSLCertPath: opts.SSLCertPath,
}
}
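Review bot: In `main()`, `encryptionService.RotateEncryptionKey(sqlDB, "pmm-managed")` hard-codes the database name even though `setupParams()` accepts `--postgres-name`, so the name handed to rotation can differ from the database that was actually opened. `dbEncryption` in `managed/models/database.go` keys its bookkeeping as `database.table.column`, so a mismatch means the recorded encrypted columns will not be found. Have `setupParams()` return the parsed name and pass `opts.DBName` through. Separately, in the `flags` struct `--postgres-password` can only be given on the command line, where it shows up in the process list; adding a kong `env:"..."` tag would let it come from the environment. The comment on `signal.Ignore` also misspells "interruptions".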
91 changes: 53 additions & 38 deletions managed/models/database.go
Expand Up @@ -27,7 +27,6 @@ import (
"net"
"net/url"
"os"
"slices"
"strconv"
"strings"

Expand Down Expand Up @@ -61,6 +60,25 @@ const (
VerifyFullSSLMode string = "verify-full"
)

// DefaultAgentEncryptionColumns contains all tables and it's columns to be encrypted in PMM Server DB.
var DefaultAgentEncryptionColumns = []encryption.Table{
{
Name: "agents",
Identifiers: []string{"agent_id"},
Columns: []encryption.Column{
{Name: "username"},
{Name: "password"},
{Name: "aws_access_key"},
{Name: "aws_secret_key"},
{Name: "mongo_db_tls_options", CustomHandler: EncryptMongoDBOptionsHandler},
{Name: "azure_options", CustomHandler: EncryptAzureOptionsHandler},
{Name: "mysql_options", CustomHandler: EncryptMySQLOptionsHandler},
{Name: "postgresql_options", CustomHandler: EncryptPostgreSQLOptionsHandler},
{Name: "agent_password"},
},
},
}

// databaseSchema maps schema version from schema_migrations table (id column) to a slice of DDL queries.
var databaseSchema = [][]string{
1: {
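Review bot: `DefaultAgentEncryptionColumns` is an exported, mutable package-level `var`, and its name says columns although it holds `[]encryption.Table`. Since this list decides which agent secrets are encrypted at rest, prefer an unexported slice behind a function that returns a fresh copy, named after tables, so no importing package can change it for everyone else. The doc comment should read "its columns".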
Expand Down Expand Up @@ -1149,79 +1167,76 @@ func SetupDB(ctx context.Context, sqlDB *sql.DB, params SetupDBParams) (*reform.
return nil, errCV
}

agentColumnsToEncrypt := []encryption.Column{
{Name: "username"},
{Name: "password"},
{Name: "aws_access_key"},
{Name: "aws_secret_key"},
{Name: "mongo_db_tls_options", CustomHandler: EncryptMongoDBOptionsHandler},
{Name: "azure_options", CustomHandler: EncryptAzureOptionsHandler},
{Name: "mysql_options", CustomHandler: EncryptMySQLOptionsHandler},
{Name: "postgresql_options", CustomHandler: EncryptPostgreSQLOptionsHandler},
{Name: "agent_password"},
}

itemsToEncrypt := []encryption.Table{
{
Name: "agents",
Identifiers: []string{"agent_id"},
Columns: agentColumnsToEncrypt,
},
}

if err := migrateDB(db, params, itemsToEncrypt); err != nil {
if err := migrateDB(db, params, DefaultAgentEncryptionColumns); err != nil {
return nil, err
}

return db, nil
}

// EncryptDB encrypts a set of columns in a specific database and table.
func EncryptDB(tx *reform.TX, params SetupDBParams, itemsToEncrypt []encryption.Table) error {
if len(itemsToEncrypt) == 0 {
func EncryptDB(tx *reform.TX, database string, itemsToEncrypt []encryption.Table) error {
return dbEncryption(tx, database, itemsToEncrypt, encryption.EncryptItems, true)
}

// DecryptDB decrypts a set of columns in a specific database and table.
func DecryptDB(tx *reform.TX, database string, itemsToEncrypt []encryption.Table) error {
return dbEncryption(tx, database, itemsToEncrypt, encryption.DecryptItems, false)
}

func dbEncryption(tx *reform.TX, database string, items []encryption.Table,
encryptionHandler func(tx *reform.TX, tables []encryption.Table) error,
expectedState bool,
) error {
if len(items) == 0 {
return nil
}

settings, err := GetSettings(tx)
if err != nil {
return err
}
alreadyEncrypted := make(map[string]bool)
currentColumns := make(map[string]bool)
for _, v := range settings.EncryptedItems {
alreadyEncrypted[v] = true
currentColumns[v] = true
}

notEncrypted := []encryption.Table{}
newlyEncrypted := []string{}
for _, table := range itemsToEncrypt {
tables := []encryption.Table{}
prepared := []string{}
for _, table := range items {
columns := []encryption.Column{}
for _, column := range table.Columns {
dbTableColumn := fmt.Sprintf("%s.%s.%s", params.Name, table.Name, column.Name)
if alreadyEncrypted[dbTableColumn] {
dbTableColumn := fmt.Sprintf("%s.%s.%s", database, table.Name, column.Name)
if currentColumns[dbTableColumn] == expectedState {
continue
}

columns = append(columns, column)
newlyEncrypted = append(newlyEncrypted, dbTableColumn)
prepared = append(prepared, dbTableColumn)
}
if len(columns) == 0 {
continue
}

table.Columns = columns
notEncrypted = append(notEncrypted, table)
tables = append(tables, table)
}

if len(notEncrypted) == 0 {
if len(tables) == 0 {
return nil
}

err = encryption.EncryptItems(tx, notEncrypted)
err = encryptionHandler(tx, tables)
if err != nil {
return err
}

encryptedItems := []string{}
if expectedState {
encryptedItems = prepared
}

_, err = UpdateSettings(tx, &ChangeSettingsParams{
EncryptedItems: slices.Concat(settings.EncryptedItems, newlyEncrypted),
EncryptedItems: encryptedItems,
})
if err != nil {
return err
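Review bot: In `dbEncryption`, the final `UpdateSettings` call now stores `EncryptedItems: encryptedItems`, which holds only the columns processed in this call (or an empty slice on decrypt), where the previous code merged with `slices.Concat(settings.EncryptedItems, newlyEncrypted)`. Any call that covers just part of the recorded columns will drop the rest from settings, and a later `EncryptDB` will see them as not yet encrypted and encrypt them a second time. Keep the merge: on encrypt append `prepared` to `settings.EncryptedItems`, and on decrypt remove the entries in `prepared` from it.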
Expand Down Expand Up @@ -1325,7 +1340,7 @@ func migrateDB(db *reform.DB, params SetupDBParams, itemsToEncrypt []encryption.
}
}

err := EncryptDB(tx, params, itemsToEncrypt)
err := EncryptDB(tx, params.Name, itemsToEncrypt)
if err != nil {
return err
}
3 changes: 2 additions & 1 deletion managed/models/settings_helpers.go
Expand Up @@ -226,9 +226,10 @@ func UpdateSettings(q reform.DBTX, params *ChangeSettingsParams) (*Settings, err
settings.DefaultRoleID = *params.DefaultRoleID
}

if len(params.EncryptedItems) != 0 {
if params.EncryptedItems != nil {
settings.EncryptedItems = params.EncryptedItems
}

err = SaveSettings(q, settings)
if err != nil {
return nil, err
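Review bot: The guard change to `params.EncryptedItems != nil` makes `UpdateSettings` depend on the difference between a nil and an empty slice: an empty non-nil slice now clears `settings.EncryptedItems`. `dbEncryption` relies on that after decrypting, but any other caller that fills `ChangeSettingsParams` with `[]string{}` will silently erase the record of which columns are encrypted. Document this contract on the `EncryptedItems` field and add a test covering the nil and the empty case.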