feat: drop support dedicated encryption key

vitalvas · Mar 31, 2024 · c0c7e1f · c0c7e1f
1 parent 48308be
commit c0c7e1f
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 40 deletions.
diff --git a/internal/commands/cmd_init.go b/internal/commands/cmd_init.go
@@ -37,11 +37,6 @@ var initCmd = &cli.Command{
 			Usage:   "Encryption key for key (generated if not set)",
 			EnvVars: []string{"GOPASS_ENCRYPTION_KEY"},
 		},
-		&cli.StringFlag{
-			Name:    "encryption-value",
-			Usage:   "Encryption key for value (generated if not set)",
-			EnvVars: []string{"GOPASS_ENCRYPTION_VALUE"},
-		},
 	},
 	Action: func(c *cli.Context) error {
 		parsed, err := url.Parse(c.String("store-uri"))
@@ -70,10 +65,9 @@ var initCmd = &cli.Command{
 		}
 
 		vaultConfig := vault.Config{
-			Name:            c.String("vault"),
-			Address:         parsed.String(),
-			EncryptionKey:   c.String("encryption-key"),
-			EncryptionValue: c.String("encryption-value"),
+			Name:          c.String("vault"),
+			Address:       parsed.String(),
+			EncryptionKey: c.String("encryption-key"),
 		}
 
 		if len(vaultConfig.EncryptionKey) <= 8 {
@@ -102,7 +96,7 @@ var initCmd = &cli.Command{
 			return fmt.Errorf("failed to write vault config: %w", err)
 		}
 
-		enc, err := encryptor.NewEncryptor(vaultConfig.EncryptionKey, vaultConfig.EncryptionValue)
+		enc, err := encryptor.NewEncryptor(vaultConfig.EncryptionKey)
 		if err != nil {
 			return fmt.Errorf("failed to create encryptor: %w", err)
 		}

diff --git a/internal/commands/config.go b/internal/commands/config.go
@@ -66,7 +66,7 @@ func vaultLoader(_ *cli.Context) error {
 
 func encryptLoader(_ *cli.Context) error {
 	var err error
-	encrypt, err = encryptor.NewEncryptor(vaultConfig.EncryptionKey, vaultConfig.EncryptionValue)
+	encrypt, err = encryptor.NewEncryptor(vaultConfig.EncryptionKey)
 	if err != nil {
 		return fmt.Errorf("failed to create encryptor: %w", err)
 	}

diff --git a/pkg/encryptor/encryptor.go b/pkg/encryptor/encryptor.go
@@ -13,13 +13,12 @@ type Encryptor struct {
 	valueAead cipher.AEAD
 }
 
-func NewEncryptor(keySecret, valueSecret string) (*Encryptor, error) {
+func NewEncryptor(keySecret string) (*Encryptor, error) {
 	if keySecret == "" {
 		return nil, errors.New("no key encryption key")
 	}
 
 	keySecretBytes := []byte(keySecret)
-	valueSecretBytes := []byte(valueSecret)
 
 	keyHash := blake2b.Sum256(keySecretBytes)
 
@@ -28,19 +27,11 @@ func NewEncryptor(keySecret, valueSecret string) (*Encryptor, error) {
 		return nil, err
 	}
 
-	var valueSecretKey []byte
+	valueHash := blake2b.Sum256(
+		append(keySecretBytes, keyHash[:]...),
+	)
 
-	if valueSecretBytes != nil {
-		valueHash := blake2b.Sum256(valueSecretBytes)
-		valueSecretKey = valueHash[:32]
-
-	} else {
-		valueHash := blake2b.Sum256(
-			append(keySecretBytes, keyHash[:]...),
-		)
-
-		valueSecretKey = valueHash[:32]
-	}
+	valueSecretKey := valueHash[:32]
 
 	valueAead, err := chacha20poly1305.NewX(valueSecretKey)
 	if err != nil {

diff --git a/pkg/encryptor/encryptor_test.go b/pkg/encryptor/encryptor_test.go
@@ -4,23 +4,19 @@ import "testing"
 
 const (
 	testEncryptKey = "t7SxRu9tFGK%Y!cE9PMv#kUR"
-	testEncryptVal = "UzhGnM9pJQ_wrYZc*DUv69*q"
 )
 
 func TestNewEncryptor(t *testing.T) {
 	for _, tc := range []struct {
 		name string
 		key  string
-		val  string
 		err  bool
 	}{
-		{"+key;+val", testEncryptKey, testEncryptVal, false},
-		{"-key;+val", "", testEncryptVal, true},
-		{"+key;-val", testEncryptKey, "", false},
-		{"-key;-val", "", "", true},
+		{"+key", testEncryptKey, false},
+		{"-key", "", true},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			_, err := NewEncryptor(tc.key, tc.val)
+			_, err := NewEncryptor(tc.key)
 			if tc.err && err == nil {
 				t.Fatalf("expected error, got nil")
 			}

diff --git a/pkg/encryptor/key_test.go b/pkg/encryptor/key_test.go
@@ -6,7 +6,7 @@ import (
 )
 
 func TestEncryptKey(t *testing.T) {
-	enc, err := NewEncryptor(testEncryptKey, testEncryptVal)
+	enc, err := NewEncryptor(testEncryptKey)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -40,7 +40,7 @@ func TestEncryptKey(t *testing.T) {
 }
 
 func TestDecryptKey(t *testing.T) {
-	enc, err := NewEncryptor(testEncryptKey, testEncryptVal)
+	enc, err := NewEncryptor(testEncryptKey)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}

diff --git a/pkg/encryptor/value_test.go b/pkg/encryptor/value_test.go
@@ -7,7 +7,7 @@ import (
 )
 
 func TestEncryptValue(t *testing.T) {
-	enc, err := NewEncryptor(testEncryptKey, testEncryptVal)
+	enc, err := NewEncryptor(testEncryptKey)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -43,7 +43,7 @@ func TestEncryptValue(t *testing.T) {
 }
 
 func TestDecryptValue(t *testing.T) {
-	enc, err := NewEncryptor(testEncryptKey, testEncryptVal)
+	enc, err := NewEncryptor(testEncryptKey)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}

diff --git a/pkg/vault/config.go b/pkg/vault/config.go
@@ -1,8 +1,7 @@
 package vault
 
 type Config struct {
-	Name            string `json:"name"`
-	Address         string `json:"address"`
-	EncryptionKey   string `json:"encryption_key"`
-	EncryptionValue string `json:"encryption_value,omitempty"`
+	Name          string `json:"name"`
+	Address       string `json:"address"`
+	EncryptionKey string `json:"encryption_key"`
 }