Skip to content

Latest commit

 

History

History
82 lines (62 loc) · 2.74 KB

README.md

File metadata and controls

82 lines (62 loc) · 2.74 KB

Scripts for In-Use Encryption testing

This folder contains scripts for use with In-Use Encryption.

See the Azure KMS and GCP KMS for more information on those specific scenarios.

Prerequisites

See Secrets Handling for details on how to access the secrets from the drivers/csfle vault.

Add secrets-export.sh to your .gitignore to prevent checking in credentials in your repo.

Usage

Set up In-Use Encryption by first fetching the secrets and then launching the kms servers:

$DRIVERS_TOOLS/.evergreen/csfle/setup-secrets.sh
$DRIVERS_TOOLS/.evergreen/csfle/start-servers.sh

The generated secrets-export.sh file can be sourced from your cwd to get the required credentials for testing.

The following servers will be started:

  • Mock KMIP server on port 5698
  • KMS HTTP server with an expired cert on port 9000
  • KMS HTTP server with an "wrong host" cert on port 9001
  • KMS HTTP server with a correct cert on port 9002
  • Mock Azure IMDS server on port 8080

When finished, stop the servers by running:

$DRIVERS_TOOLS/.evergreen/csfle/stop-servers.sh

If you are starting your CSFLE servers in a separate Evergreen function, it is recommended that you setup secrets and start the servers in the background, and then have a separate function that uses await-servers.sh in the foreground to wait for the servers to be ready. This will ensure the servers are not torn down between functions (or the function may stall and not finish because there are processes still running). If you are starting the servers in a step within the same function as your tests, you can just start the servers directly in a foreground step.

start-csfle-servers:
  - command: ec2.assume_role
      params:
      role_arn: ${aws_test_secrets_role}
  - command: subprocess.exec
      params:
      working_dir: src
      binary: bash
      include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
      args: |
          ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh
  - command: subprocess.exec
      params:
      working_dir: src
      binary: bash
      background: true
      args:
          - ${DRIVERS_TOOLS}/.evergreen/csfle/start-servers.sh
  - command: subprocess.exec
      params:
      working_dir: src
      binary: bash
      args:
          - ${DRIVERS_TOOLS}/.evergreen/csfle/await-servers.sh

Legacy Usage

The legacy usage involved putting the required secrets in EVG Project config, and used several steps:

  • Start the kmip server and http servers individually in the background.
  • Run the client in a loop until it was able to connect.
  • Use the set-temp-creds.sh to exchange EVG creds for CSFLE temporary credentials.