nathan/vctp2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

derive encryption key from hardware uuid
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2026-01-16 14:35:31 +11:00
parent ab01c0fc4d
commit d55916766b
1 changed files with 30 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
main.go
View File

@@ -18,7 +18,9 @@ import (
"vctp/server" "vctp/server"
"vctp/server/router" "vctp/server/router"
"crypto/sha256"
"github.com/go-co-op/gocron/v2" "github.com/go-co-op/gocron/v2"
"log/slog"
) )
var ( var (
@@ -29,9 +31,10 @@ var (
cronInvFrequency time.Duration cronInvFrequency time.Duration
cronSnapshotFrequency time.Duration cronSnapshotFrequency time.Duration
cronAggregateFrequency time.Duration cronAggregateFrequency time.Duration
encryptionKey = []byte("5L1l3B5KvwOCzUHMAlCgsgUTRAYMfSpa")
) )
const fallbackEncryptionKey = "5L1l3B5KvwOCzUHMAlCgsgUTRAYMfSpa"
func main() { func main() {
settingsPath := flag.String("settings", "/etc/dtms/vctp.yml", "Path to settings YAML") settingsPath := flag.String("settings", "/etc/dtms/vctp.yml", "Path to settings YAML")
flag.Parse() flag.Parse()
@@ -119,7 +122,8 @@ func main() {
} }
// Load vcenter credentials from serttings, decrypt if required // Load vcenter credentials from serttings, decrypt if required
a := secrets.New(logger, encryptionKey) encKey := deriveEncryptionKey(logger)
a := secrets.New(logger, encKey)
vcEp := strings.TrimSpace(s.Values.Settings.VcenterPassword) vcEp := strings.TrimSpace(s.Values.Settings.VcenterPassword)
if len(vcEp) == 0 { if len(vcEp) == 0 {
logger.Error("No vcenter password configured") logger.Error("No vcenter password configured")
@@ -231,6 +235,7 @@ func main() {
gocron.NewTask(func() { gocron.NewTask(func() {
ct.RunSnapshotCleanup(ctx, logger) ct.RunSnapshotCleanup(ctx, logger)
if strings.EqualFold(s.Values.Settings.DatabaseDriver, "sqlite") { if strings.EqualFold(s.Values.Settings.DatabaseDriver, "sqlite") {
logger.Info("Performing sqlite VACUUM after snapshot cleanup")
if _, err := ct.Database.DB().ExecContext(ctx, "VACUUM"); err != nil { if _, err := ct.Database.DB().ExecContext(ctx, "VACUUM"); err != nil {
logger.Warn("VACUUM failed after snapshot cleanup", "error", err) logger.Warn("VACUUM failed after snapshot cleanup", "error", err)
} else { } else {
@@ -290,3 +295,26 @@ func durationFromSeconds(value int, fallback int) time.Duration {
} }
return time.Second * time.Duration(value) return time.Second * time.Duration(value)
} }
func deriveEncryptionKey(logger *slog.Logger) []byte {
if runtime.GOOS == "linux" {
if data, err := os.ReadFile("/sys/class/dmi/id/product_uuid"); err == nil {
src := strings.TrimSpace(string(data))
if src != "" {
sum := sha256.Sum256([]byte(src))
logger.Debug("derived encryption key from BIOS UUID")
return sum[:]
}
}
if data, err := os.ReadFile("/etc/machine-id"); err == nil {
src := strings.TrimSpace(string(data))
if src != "" {
sum := sha256.Sum256([]byte(src))
logger.Debug("derived encryption key from machine-id")
return sum[:]
}
}
}
logger.Warn("using fallback encryption key; hardware UUID not available")
return []byte(fallbackEncryptionKey)
}