Commit

recrypt
chayim committed Apr 4, 2021
1 parent 0eee040 commit d441410
Showing 2 changed files with 39 additions and 21 deletions.
18 changes: 16 additions & 2 deletions Dockerfile
@@ -1,7 +1,21 @@
FROM redis:6.2 as builder

ARG GO_VER=1.16.3

ADD ./ /build
RUN apt update -qq && apt-get install -qqy build-essential wget libffi-dev
RUN wget -q https://golang.org/dl/go${GO_VER}.linux-amd64.tar.gz -O /tmp/go.tgz
WORKDIR /usr/local
RUN tar xpf /tmp/go.tgz
RUN ln -s /usr/local/go/bin/go /usr/local/bin/go

WORKDIR /build
RUN make all

# -------------------------------------------------------- #

FROM redis:6.2 as runner
ARG REDICRYPT_KEY=default
ENV REDICRYPT_KEY ${REDICRYPT_KEY}

ADD dist/redicrypt.so /usr/local/lib/redicrypt.so
COPY --from=builder /build/dist/redicrypt.so /usr/local/lib/redicrypt.so
ENTRYPOINT REDICRYPT_KEY=${REDICRYPT_KEY} /usr/local/bin/redis-server --load-module /usr/local/lib/redicrypt.so
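
Review bot: `ARG REDICRYPT_KEY=default` followed by `ENV REDICRYPT_KEY ${REDICRYPT_KEY}` in the runner stage stores the encryption key in the image configuration, where anyone who can pull or inspect the image can read it, and an image built without the build argument runs with the key `default`, which is also not the 32 characters the README asks for. I would drop both lines and require the key at container start (for example `docker run -e REDICRYPT_KEY=...`), so that no key ever lands in an image layer or its metadata. The ENTRYPOINT then no longer needs the `REDICRYPT_KEY=${REDICRYPT_KEY}` prefix, and switching it to the exec form would let redis-server receive signals directly instead of through a shell. Separately, the Go tarball in the builder stage is fetched with `wget` and unpacked without any checksum check; pinning a SHA-256 next to `GO_VER` and verifying it before `tar xpf` would close that gap.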
42 changes: 23 additions & 19 deletions README.md
Expand Up @@ -7,46 +7,50 @@ Redicrypt stores strings, encrypted, in redis. Encryption takes place on the red
It does this by introducing two new redis commands, one for storing an encrypted key value, and one for retrieving the decrypted value of the key. Key names are stored in plaintext, and only their values are decrypted.

* SETENC - Sets a key to an encrypted value
- eg: SETENC *somekey* *myvalue*
- eg: SETENC *somekey* *myvalue*

* GETDEC - Gets the decrypted value of a key
- eg: GETDEC *somekey*

* RECRYPT - Fetches a key, decrypts it, and re-encrypts it with our new key:
- eg: RECRYPT *somekey*
----------------------

## Building
## Usage

### Dependencies
These examples assume that redicrypt is loaded into redis, for detailed instructions [read this](https://redis.io/topics/modules-intro#loading-modules).

Building this module depends on [go 1.14](https://www.golang.org), [gcc 8](https://www.gnu.org/software/gcc) and [make 3.0 or higher](https://www.gnu.org/software/make). You also need a copy of wget on your system, so that the latest copy of the [redis modules sdk](https://raw.githubusercontent.com/redis/redis/unstable/src/redismodule.h) can be downloaded.
1. *Encryption* - Set the **REDICRYPT_KEY** environment variable, to the 32-character key/passphrase you want to use for encrypting your data as per the example below. Please do not use the sample key below!

## Building
```
REDICRYPT_KEY=12345678901234567890123456789012 redis-server
```

1. Clone the repo.
1. *Key rotation* - Set two environment variables. First, **OLD_REDICRYPT_KEY** must be set to the key used to encrypt existing data. Secondly, **REDICRYPT_KEY** must be set to the desired key for re-encrypting the data. Both are 32-characters.

2. Run *make*
```
OLD_REDICRYPT_KEY=00000000000000000000000000000000 REDICRYPT_KEY=12345678901234567890123456789012 redis-server
```

----------------------

### Why it works this way
## Why it works this way

Redicrypt started as a random project with the goal of building a redis module, using go. It uses the go compiler to generate a header file, and static archive. The header file is used by the [redismodule wrapper](redicrypt.c) which in turns calls the go code for all encryption and decryption. The static archive is combined with the object built from the wrapper, into a shared object, which redis loads. For more information [read the Makefile](Makefile).

## Usages
----------------------

These examples assume that redicrypt is loaded into redis, for detailed instructions [read this](https://redis.io/topics/modules-intro#loading-modules).
## Building

1. *Encrytption* - Set the **REDICRYPT_KEY** environment variable, to the 32-character key/passphrase you want to use for encrypting your data as per the example below. Please do not use the sample key below!
### Dependencies

```
REDICRYPT_KEY=12345678901234567890123456789012 redis-server
```
Building this module depends on [go 1.14](https://www.golang.org), [gcc 8](https://www.gnu.org/software/gcc) and [make 3.0 or higher](https://www.gnu.org/software/make). You also need a copy of wget on your system, so that the latest copy of the [redis modules sdk](https://raw.githubusercontent.com/redis/redis/unstable/src/redismodule.h) can be downloaded. You can also just build from the included docker file with *docker build .*

1. *Key rotation* - Set two environment variables. First, **OLD_REDICRYPT_KEY** must be set to the key used to encrypt existing data. Secondly, **REDICRYPT_KEY** must be set to the desired key for re-encrypting the data. Both are 32-characters.
### Building

1. Clone the repository.

2. Run *make*

```
OLD_REDICRYPT_KEY=00000000000000000000000000000000 REDICRYPT_KEY=12345678901234567890123456789012 redis-server
```
### Cluster support

Redicrypt is cluster agnostic and does not maintain state. Ensure the module is available on all cluster hosts, and that the **REDICRYPT_KEY** environment variable (and if necessary **OLD_REDICRYPT_KEY** is set accordingly.
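
Review bot: the RECRYPT entry says the value is re-encrypted "with our new key" but never states that decryption uses **OLD_REDICRYPT_KEY**, and the Key rotation step does not say what GETDEC does with values that have not been re-encrypted yet while both variables are set. Please link the command to the Key rotation step and document that case, since an operator has to know when it is safe to unset the old key. Smaller points in the same hunk: both examples put the keys on the redis-server command line, so a sentence on supplying them from a protected environment file would help; the Dependencies paragraph still names go 1.14 while the Dockerfile in this commit builds with `GO_VER=1.16.3`; and the parenthesis opened in the Cluster support sentence, "(and if necessary **OLD_REDICRYPT_KEY**", is never closed.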

0 comments on commit d441410
