Migrate all backend at .minio.sys/config to encrypted backend (#8474)

- Supports migrating only when the credential ENVs are set, so any FS mode deployments which do not have ENVs set will continue to remain as is. - Credential ENVs can be rotated using MINIO_ACCESS_KEY_OLD and MINIO_SECRET_KEY_OLD envs, in such scenarios it allowed to rotate the encrypted content to a new admin key.
2025-11-09 21:49:46 -05:00 · 2019-11-01 15:53:16 -07:00
parent fa325665b1
commit d28bcb4f84
15 changed files with 510 additions and 43 deletions
--- a/pkg/madmin/encrypt.go
+++ b/pkg/madmin/encrypt.go
@@ -76,6 +76,10 @@ func EncryptData(password string, data []byte) ([]byte, error) {
 	return ciphertext.Bytes(), nil
 }

+// ErrMaliciousData indicates that the stream cannot be
+// decrypted by provided credentials.
+var ErrMaliciousData = sio.NotAuthentic
+
 // DecryptData decrypts the data with the key derived
 // from the salt (part of data) and the password using
 // the PBKDF used in EncryptData. DecryptData returns
@@ -116,7 +120,14 @@ func DecryptData(password string, data io.Reader) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	return ioutil.ReadAll(stream.DecryptReader(data, nonce[:], nil))
+
+	enBytes, err := ioutil.ReadAll(stream.DecryptReader(data, nonce[:], nil))
+	if err != nil {
+		if err == sio.NotAuthentic {
+			return enBytes, ErrMaliciousData
+		}
+	}
+	return enBytes, err
 }

 const (