mirror of
https://github.com/BigBodyCobain/Shadowbroker.git
synced 2026-05-08 10:24:48 +02:00
BigBodyCobain
76 lines
2.4 KiB
Python
76 lines
2.4 KiB
Python
"""Rotate the MESH_SECURE_STORAGE_SECRET used to protect key envelopes at rest.
|
|
|
|
Usage — stop the backend first, then run:
|
|
|
|
MESH_OLD_STORAGE_SECRET=<current> \\
|
|
MESH_NEW_STORAGE_SECRET=<new> \\
|
|
python -m scripts.rotate_secure_storage_secret
|
|
|
|
Dry-run mode (validates old secret without writing anything):
|
|
|
|
MESH_OLD_STORAGE_SECRET=<current> \\
|
|
MESH_NEW_STORAGE_SECRET=<new> \\
|
|
python -m scripts.rotate_secure_storage_secret --dry-run
|
|
|
|
Or, for Docker deployments:
|
|
|
|
docker exec -e MESH_OLD_STORAGE_SECRET=<current> \\
|
|
-e MESH_NEW_STORAGE_SECRET=<new> \\
|
|
<container> python -m scripts.rotate_secure_storage_secret
|
|
|
|
After successful rotation, update your .env (or Docker secret file) to set
|
|
MESH_SECURE_STORAGE_SECRET to the new value, then restart the backend.
|
|
|
|
The script fails closed: if the old secret cannot unwrap any existing envelope,
|
|
nothing is written. Non-passphrase envelopes (DPAPI, raw) are skipped with a
|
|
warning.
|
|
|
|
Before rewriting, .bak copies of every envelope are created so a mid-rotation
|
|
crash leaves recoverable backups on disk.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import json
|
|
import os
|
|
import sys
|
|
|
|
|
|
def main() -> None:
|
|
dry_run = "--dry-run" in sys.argv
|
|
|
|
old_secret = os.environ.get("MESH_OLD_STORAGE_SECRET", "").strip()
|
|
new_secret = os.environ.get("MESH_NEW_STORAGE_SECRET", "").strip()
|
|
|
|
if not old_secret:
|
|
print("ERROR: MESH_OLD_STORAGE_SECRET environment variable is required.", file=sys.stderr)
|
|
sys.exit(1)
|
|
if not new_secret:
|
|
print("ERROR: MESH_NEW_STORAGE_SECRET environment variable is required.", file=sys.stderr)
|
|
sys.exit(1)
|
|
|
|
from services.mesh.mesh_secure_storage import SecureStorageError, rotate_storage_secret
|
|
|
|
try:
|
|
result = rotate_storage_secret(old_secret, new_secret, dry_run=dry_run)
|
|
except SecureStorageError as exc:
|
|
print(f"ROTATION FAILED: {exc}", file=sys.stderr)
|
|
sys.exit(1)
|
|
|
|
print(json.dumps(result, indent=2))
|
|
if dry_run:
|
|
print(
|
|
"\nDry run complete. No files were modified. Run again without --dry-run to perform the rotation.",
|
|
file=sys.stderr,
|
|
)
|
|
else:
|
|
print(
|
|
"\nRotation complete. Update MESH_SECURE_STORAGE_SECRET to the new value and restart the backend."
|
|
"\nBackup files (.bak) were created alongside each rotated envelope.",
|
|
file=sys.stderr,
|
|
)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|