feat: Verify passphrase before provision new one

adskyiproger · adskyiproger · commit 59f0ced68a5d · 2025-11-05T16:08:44.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@
 ### Improvements
 
 - Make encryption step optional [#1123](https://github.com/opencrvs/opencrvs-countryconfig/pull/1123)
+- Added validation for ENCRYPTION_KEY [#10896](https://github.com/opencrvs/opencrvs-core/issues/10896)
 
 ## 1.9.0
 
diff --git a/infrastructure/server-setup/playbook.yml b/infrastructure/server-setup/playbook.yml
@@ -114,6 +114,16 @@
       tags:
         - data-partition
 
+    - include_tasks:
+        file: tasks/validate-data-partition.yml
+        apply:
+          tags:
+            - data-partition
+            - decrypt-on-boot
+      tags:
+        - data-partition
+        - decrypt-on-boot
+
     - include_tasks:
         file: tasks/swap.yml
         apply:
diff --git a/infrastructure/server-setup/tasks/decrypt-on-boot.yml b/infrastructure/server-setup/tasks/decrypt-on-boot.yml
@@ -1,4 +1,38 @@
-- name: Save disk encryption key into a file as an example (in production use a hardware security module)
+- name: Ensure 'cryptsetup' utility is installed
+  ansible.builtin.package:
+    name: cryptsetup
+    state: present
+  when: disk_encryption_key is defined
+
+- name: 'Register encrypted file system'
+  stat:
+    path: /cryptfs_file_sparse.img
+    get_checksum: False
+  register: encryptedFileSystemPostCheck
+  when: disk_encryption_key is defined
+
+- name: Check if Disk encryption key file exists
+  ansible.builtin.stat:
+    path: /root/disk-encryption-key.txt
+  register: encryption_keyfile_stat
+  when: disk_encryption_key is defined
+
+- name: Read existing Disk encryption key
+  ansible.builtin.slurp:
+    src: /root/disk-encryption-key.txt
+  register: existing_disk_encryption_key
+  when:
+    - disk_encryption_key is defined
+    - encryption_keyfile_stat.stat.exists
+
+- name: Fail if key exists and differs
+  ansible.builtin.fail:
+    msg: "Disk encryption key on disk does not match ansible variable! GitHub secret ENCRYPTION_KEY was updated!"
+  when:
+    - encryption_keyfile_stat.stat.exists
+    - existing_disk_encryption_key['content'] | b64decode != ("DISK_ENCRYPTION_KEY=" ~ disk_encryption_key ~ "\n")
+
+- name: Save disk encryption key into a file
   when: disk_encryption_key is defined
   ansible.builtin.copy:
     dest: /root/disk-encryption-key.txt
@@ -8,6 +42,23 @@
     content: |
       DISK_ENCRYPTION_KEY={{ disk_encryption_key }}
 
+- name: Ensure destination directory exists
+  ansible.builtin.file:
+    path: /opt/opencrvs/scripts/cryptfs
+    state: directory
+    mode: '0755'
+    owner: root
+    group: root
+    recurse: yes
+
+- name: Install k8s-help script
+  copy:
+    src: ../cryptfs/decrypt.sh
+    dest: "/opt/opencrvs/scripts/cryptfs/decrypt.sh"
+    owner: "{{ ansible_user }}"
+    group: 'application'
+    mode: '0755'
+
 - name: Copy reboot.service systemd file. Must decrypt disk on reboot
   ansible.builtin.copy:
     dest: /etc/systemd/system/reboot.service
@@ -19,7 +70,7 @@
       Description=Mount encrypted dir
 
       [Service]
-      ExecStart=bash /opt/opencrvs/infrastructure/cryptfs/decrypt.sh -key /root/disk-encryption-key.txt >> /var/log/cryptfs-reboot.log 2>&1
+      ExecStart=bash /opt/opencrvs/scripts/cryptfs/decrypt.sh -key /root/disk-encryption-key.txt >> /var/log/cryptfs-reboot.log 2>&1
 
       [Install]
       WantedBy=multi-user.target
@@ -28,7 +79,6 @@
    - encryptedFileSystemPostCheck.stat.exists
 
 - name: 'Setup systemd to mount encrypted folder'
-  when: disk_encryption_key is defined
   shell: systemctl daemon-reload && systemctl enable reboot.service
   when:
     - disk_encryption_key is defined
diff --git a/infrastructure/server-setup/tasks/validate-data-partition.yml b/infrastructure/server-setup/tasks/validate-data-partition.yml
@@ -0,0 +1,26 @@
+- name: Verify LUKS disk encryption key
+  when: disk_encryption_key is defined
+  block:
+    - name: Backup LUKS header
+      shell: |
+        loop_device=$(losetup -j /cryptfs_file_sparse.img | cut -d: -f1)
+        rm -vf /tmp/luks-header.img
+        cryptsetup luksHeaderBackup $loop_device --header-backup-file /tmp/luks-header.img
+
+    - name: Test disk encryption key for LUKS header
+      when: disk_encryption_key is defined
+      shell: 'echo "{{ disk_encryption_key }}" | cryptsetup -d - luksOpen /tmp/luks-header.img test --test-passphrase'
+      register: luks_test
+
+    - name: Display success message
+      debug:
+        msg: "✓ LUKS passphrase test successful - the disk encryption key is valid: {{ luks_test.stdout }}"
+  rescue:
+    - name: DO NOT REBOOT the SERVER
+      fail:
+        msg: |
+          {% if luks_test.rc == 2 and 'No key available with this passphrase' in luks_test.stderr -%}
+          LUKS passphrase test failed: Please make sure your key in GitHub secret is correct. Otherwise system will not be able to decrypt /data. MAKE SURE DATA BACKUP IS RESTORABLE BEFORE SERVER REBOOT.
+          {%- else -%}
+          cryptsetup error (RC: {{ luks_test.rc }}) - {{ luks_test.stderr | default('Unknown error') }}
+          {%- endif %}
