feat: Verify passphrase before provision new one

adskyiproger · adskyiproger · commit bf9fc58b6dc6 · 2025-11-05T15:53:28.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@
 ### Improvements
 
 - Make encryption step optional [#1123](https://github.com/opencrvs/opencrvs-countryconfig/pull/1123)
+- Added validation for ENCRYPTION_KEY [#10896](https://github.com/opencrvs/opencrvs-core/issues/10896)
 
 ## 1.9.0
 
diff --git a/infrastructure/server-setup/playbook.yml b/infrastructure/server-setup/playbook.yml
@@ -114,6 +114,16 @@
       tags:
         - data-partition
 
+    - include_tasks:
+        file: tasks/validate-data-partition.yml
+        apply:
+          tags:
+            - data-partition
+            - decrypt-on-boot
+      tags:
+        - data-partition
+        - decrypt-on-boot
+
     - include_tasks:
         file: tasks/swap.yml
         apply:
diff --git a/infrastructure/server-setup/tasks/decrypt-on-boot.yml b/infrastructure/server-setup/tasks/decrypt-on-boot.yml
@@ -1,3 +1,32 @@
+
+- name: 'Register encrypted file system'
+  stat:
+    path: /cryptfs_file_sparse.img
+    get_checksum: False
+  register: encryptedFileSystemPostCheck
+  when: disk_encryption_key is defined
+
+- name: Check if Disk encryption key file exists
+  ansible.builtin.stat:
+    path: "/root/disk-encryption-key.txt"
+  register: encryption_keyfile_stat
+  when: disk_encryption_key is defined
+
+- name: Read existing Disk encryption key
+  ansible.builtin.slurp:
+    src: "/root/disk-encryption-key.txt"
+  register: existing_disk_encryption_key
+  when:
+    - disk_encryption_key is defined
+    - encryption_keyfile_stat.stat.exists
+
+- name: Fail if key exists and differs
+  ansible.builtin.fail:
+    msg: "Disk encryption key on disk does not match ansible variable! GitHub secret ENCRYPTION_KEY was updated!"
+  when:
+    - encryption_keyfile_stat.stat.exists
+    - existing_disk_encryption_key['content'] | b64decode != ("DISK_ENCRYPTION_KEY=" ~ disk_encryption_key ~ "\n")
+
 - name: Save disk encryption key into a file as an example (in production use a hardware security module)
   when: disk_encryption_key is defined
   ansible.builtin.copy:
diff --git a/infrastructure/server-setup/tasks/validate-data-partition.yml b/infrastructure/server-setup/tasks/validate-data-partition.yml
@@ -0,0 +1,26 @@
+- name: Verify LUKS disk encryption key
+  when: disk_encryption_key is defined
+  block:
+    - name: Backup LUKS header
+      shell: |
+        loop_device=$(losetup -j /cryptfs_file_sparse.img | cut -d: -f1)
+        rm -vf /tmp/luks-header.img
+        cryptsetup luksHeaderBackup $loop_device --header-backup-file /tmp/luks-header.img
+
+    - name: Test disk encryption key for LUKS header
+      when: disk_encryption_key is defined
+      shell: 'echo "{{ disk_encryption_key }}" | cryptsetup -d - luksOpen /tmp/luks-header.img test --test-passphrase'
+      register: luks_test
+
+    - name: Display success message
+      debug:
+        msg: "✓ LUKS passphrase test successful - the disk encryption key is valid: {{ luks_test.stdout }}"
+  rescue:
+    - name: DO NOT REBOOT the SERVER
+      fail:
+        msg: |
+          {% if luks_test.rc == 2 and 'No key available with this passphrase' in luks_test.stderr -%}
+          LUKS passphrase test failed: Please make sure your key in GitHub secret is correct. Otherwise system will not be able to decrypt /data. MAKE SURE DATA BACKUP IS RESTORABLE BEFORE SERVER REBOOT.
+          {%- else -%}
+          cryptsetup error (RC: {{ luks_test.rc }}) - {{ luks_test.stderr | default('Unknown error') }}
+          {%- endif %}
