chore(endpoint): harden AES-GCM encryption and remove sensitive data from logs#6197

Open
ivankatliarchuk wants to merge 1 commit into kubernetes-sigs:master from gofogo:refactore-crypto

Conversation

@ivankatliarchuk
Member

@ivankatliarchuk ivankatliarchuk commented Feb 14, 2026

What does it do ?

  • Reject empty nonce in EncryptText with explicit error instead of silently using all-zero nonce
  • Fail fast — validate nonce before allocating cipher/GCM
  • Use consistent NewGCMWithNonceSize in both encrypt and decrypt paths
  • Change GenerateNonce return type from []byte to string to eliminate redundant type conversions
  • Stop logging AES key and plaintext in Serialize error path
  • Stop logging ciphertext in DecryptText debug path
  • Remove logrus dependency from crypto.go
  • labels.go -> Simplify with direct map lookup — no need for var declaration + extractedNonce temporary
  • Simplify error messages to include data sizes instead of dumping full ciphertext

follow-up:

  • more tests for this package

Motivation

  • An empty nonce produces an all-zero GCM nonce which breaks AES-GCM's security guarantees if reused with the same key
  • The log.Fatalf message in Serialize included the AES encryption key in plaintext, which would leak to any log aggregator
  • Encrypt/decrypt used different GCM constructors (NewGCMWithNonceSize vs NewGCM) — functionally equivalent for 12-byte nonce today, but fragile if the constant ever changes
  • Error messages dumped full ciphertext which is noisy and unhelpful for debugging

More

  • Yes, this PR title follows Conventional Commits
  • Yes, I added unit tests
  • Yes, I updated end user documentation accordingly
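The hardening points listed above (fail fast on an empty nonce, one GCM constructor on both paths, errors that report sizes rather than key or ciphertext bytes) can be seen together in a small stand-alone encrypt/decrypt pair. This is an added example, not the code from this PR or from external-dns: the `nonceSize` constant, the signatures of `GenerateNonce`, `EncryptText` and `DecryptText`, and the base64(nonce || ciphertext) layout are assumptions made for the example, and the key is a constructed demo value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// nonceSize is the standard 96-bit GCM nonce length. The constant name and
// the function signatures below are assumptions for this example, not
// external-dns's own definitions.
const nonceSize = 12

// GenerateNonce returns a fresh random nonce as a string of raw bytes, so
// callers pass it straight to EncryptText without a []byte round trip.
func GenerateNonce() (string, error) {
	buf := make([]byte, nonceSize)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("generate nonce: %w", err)
	}
	return string(buf), nil
}

// EncryptText validates the nonce before allocating the cipher, so an empty
// value is rejected instead of degrading silently into an all-zero nonce.
// The output is base64(nonce || ciphertext); that layout is an assumption here.
func EncryptText(plaintext string, key []byte, nonce string) (string, error) {
	if nonce == "" {
		return "", errors.New("encrypt: nonce must not be empty")
	}
	if len(nonce) != nonceSize {
		return "", fmt.Errorf("encrypt: nonce must be %d bytes, got %d", nonceSize, len(nonce))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		// Report the key length only; the key bytes never reach an error or a log line.
		return "", fmt.Errorf("encrypt: %d-byte key rejected: %w", len(key), err)
	}
	gcm, err := cipher.NewGCMWithNonceSize(block, nonceSize)
	if err != nil {
		return "", fmt.Errorf("encrypt: gcm: %w", err)
	}
	// Seal appends to its first argument, so the nonce becomes the prefix.
	sealed := gcm.Seal([]byte(nonce), []byte(nonce), []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptText uses the same NewGCMWithNonceSize constructor as EncryptText
// and, on malformed input, reports sizes rather than dumping the ciphertext.
func DecryptText(encoded string, key []byte) (string, error) {
	data, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("decrypt: %d-char input is not valid base64: %w", len(encoded), err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", fmt.Errorf("decrypt: %d-byte key rejected: %w", len(key), err)
	}
	gcm, err := cipher.NewGCMWithNonceSize(block, nonceSize)
	if err != nil {
		return "", fmt.Errorf("decrypt: gcm: %w", err)
	}
	minLen := nonceSize + gcm.Overhead()
	if len(data) < minLen {
		return "", fmt.Errorf("decrypt: ciphertext is %d bytes, need at least %d", len(data), minLen)
	}
	plain, err := gcm.Open(nil, data[:nonceSize], data[nonceSize:], nil)
	if err != nil {
		return "", fmt.Errorf("decrypt: %d-byte ciphertext failed authentication: %w", len(data)-nonceSize, err)
	}
	return string(plain), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key (AES-256)
	nonce, _ := GenerateNonce()
	ct, err := EncryptText("owner=my-cluster", key, nonce)
	fmt.Println(ct, err)
	pt, err := DecryptText(ct, key)
	fmt.Println(pt, err)
	_, err = EncryptText("owner=my-cluster", key, "")
	fmt.Println(err) // encrypt: nonce must not be empty
}
```

Every error path is built only from lengths and the wrapped library error, so a caller that forwards `err` to `log.Fatalf` or a structured logger cannot leak the key or the payload the way the original `Serialize` path did.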

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign szuecs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 14, 2026
@ivankatliarchuk ivankatliarchuk force-pushed the refactore-crypto branch 2 times, most recently from f387b71 to f387107 Compare February 14, 2026 11:54
@coveralls

coveralls commented Feb 14, 2026

Pull Request Test Coverage Report for Build 22016909606

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 15 unchanged lines in 1 file lost coverage.
  • Overall coverage increased (+0.009%) to 79.162%

Files with Coverage Reduction | New Missed Lines | %
crypto.go | 15 | 67.9%

Totals (Coverage Status)
Change from base Build 21942518735: 0.009%
Covered Lines: 16039
Relevant Lines: 20261

💛 - Coveralls

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>