Encryption: Fix securedata

Breaks every test that uses Encrypt or Decrypt

pkg/api/login.go

@@ -284,12 +284,12 @@ func tryGetEncryptedCookie(ctx *models.ReqContext, cookieName string) (string, b
 		return "", false
 	}
 
-	decryptedError, err := util.Decrypt(decoded, setting.SecretKey)
+	decryptedError, err := util.Decrypt(decoded)
 	return string(decryptedError), err == nil
 }
 
 func (hs *HTTPServer) trySetEncryptedCookie(ctx *models.ReqContext, cookieName string, value string, maxAge int) error {
-	encryptedError, err := util.Encrypt([]byte(value), setting.SecretKey)
+	encryptedError, err := util.Encrypt([]byte(value))
 	if err != nil {
 		return err
 	}

pkg/api/login_test.go

@@ -109,7 +109,7 @@ func TestLoginErrorCookieApiEndpoint(t *testing.T) {
 	setting.OAuthAutoLogin = true
 
 	oauthError := errors.New("User not a member of one of the required organizations")
-	encryptedError, _ := util.Encrypt([]byte(oauthError.Error()), setting.SecretKey)
+	encryptedError, _ := util.Encrypt([]byte(oauthError.Error()))
 	expCookiePath := "/"
 	if len(setting.AppSubUrl) > 0 {
 		expCookiePath = setting.AppSubUrl

pkg/api/pluginproxy/ds_proxy_test.go

@@ -75,7 +75,7 @@ func TestDSRouteRule(t *testing.T) {
 			}
 
 			setting.SecretKey = "password" //nolint:goconst
-			key, _ := util.Encrypt([]byte("123"), "password")
+			key, _ := util.Encrypt([]byte("123"))
 
 			ds := &models.DataSource{
 				JsonData: simplejson.NewFromAny(map[string]interface{}{
@@ -189,7 +189,7 @@ func TestDSRouteRule(t *testing.T) {
 			}
 
 			setting.SecretKey = "password"
-			key, _ := util.Encrypt([]byte("123"), "password")
+			key, _ := util.Encrypt([]byte("123"))
 
 			ds := &models.DataSource{
 				JsonData: simplejson.NewFromAny(map[string]interface{}{

pkg/api/pluginproxy/pluginproxy_test.go

@@ -23,7 +23,7 @@ func TestPluginProxy(t *testing.T) {
 		setting.SecretKey = "password"
 
 		bus.AddHandler("test", func(query *models.GetPluginSettingByIdQuery) error {
-			key, err := util.Encrypt([]byte("123"), "password")
+			key, err := util.Encrypt([]byte("123"))
 			if err != nil {
 				return err
 			}

pkg/cmd/grafana-cli/commands/datamigrations/encrypt_datasource_passwords.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/grafana/grafana/pkg/cmd/grafana-cli/utils"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
-	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/grafana/grafana/pkg/util/errutil"
 )
@@ -109,7 +108,7 @@ func updateRows(session *sqlstore.DBSession, rows []map[string][]byte, passwordF
 }
 
 func getUpdatedSecureJSONData(row map[string][]byte, passwordFieldName string) (map[string]interface{}, error) {
-	encryptedPassword, err := util.Encrypt(row[passwordFieldName], setting.SecretKey)
+	encryptedPassword, err := util.Encrypt(row[passwordFieldName])
 	if err != nil {
 		return nil, err
 	}

pkg/components/securedata/securedata.go

@@ -1,16 +1,15 @@
 package securedata
 
 import (
-	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )
 
 type SecureData []byte
 
 func Encrypt(data []byte) (SecureData, error) {
-	return util.Encrypt(data, setting.SecretKey)
+	return util.Encrypt(data)
 }
 
 func (s SecureData) Decrypt() ([]byte, error) {
-	return util.Decrypt(s, setting.SecretKey)
+	return util.Decrypt(s)
 }

pkg/components/securejsondata/securejsondata.go

@@ -2,7 +2,6 @@ package securejsondata
 
 import (
 	"github.com/grafana/grafana/pkg/infra/log"
-	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )
 
@@ -14,7 +13,7 @@ type SecureJsonData map[string][]byte
 // is true if the key exists and false if not.
 func (s SecureJsonData) DecryptedValue(key string) (string, bool) {
 	if value, ok := s[key]; ok {
-		decryptedData, err := util.Decrypt(value, setting.SecretKey)
+		decryptedData, err := util.Decrypt(value)
 		if err != nil {
 			log.Fatalf(4, err.Error())
 		}
@@ -28,7 +27,7 @@ func (s SecureJsonData) DecryptedValue(key string) (string, bool) {
 func (s SecureJsonData) Decrypt() map[string]string {
 	decrypted := make(map[string]string)
 	for key, data := range s {
-		decryptedData, err := util.Decrypt(data, setting.SecretKey)
+		decryptedData, err := util.Decrypt(data)
 		if err != nil {
 			log.Fatalf(4, err.Error())
 		}
@@ -38,11 +37,11 @@ func (s SecureJsonData) Decrypt() map[string]string {
 	return decrypted
 }
 
-// GetEncryptedJsonData returns map where all keys are encrypted.
+// GetEncryptedJsonData returns map where all values are encrypted.
 func GetEncryptedJsonData(sjd map[string]string) SecureJsonData {
 	encrypted := make(SecureJsonData)
 	for key, data := range sjd {
-		encryptedData, err := util.Encrypt([]byte(data), setting.SecretKey)
+		encryptedData, err := util.Encrypt([]byte(data))
 		if err != nil {
 			log.Fatalf(4, err.Error())
 		}

pkg/models/data_key.go

@@ -0,0 +1,19 @@
+package models
+
+import (
+	"errors"
+	"time"
+)
+
+var (
+	ErrDataKeyNotFound = errors.New("data key not found")
+)
+
+type DataKey struct {
+	Active        bool      `json:"active"`
+	Name          string    `json:"name"`
+	Provider      string    `json:"provider"`
+	EncryptedData []byte    `json:"-"`
+	Created       time.Time `json:"created"`
+	Updated       time.Time `json:"updated"`
+}

pkg/models/datasource_cache_test.go

@@ -54,7 +54,7 @@ func TestDataSourceProxyCache(t *testing.T) {
 		json := simplejson.New()
 		json.Set("tlsAuthWithCACert", true)
 
-		tlsCaCert, err := util.Encrypt([]byte(caCert), "password")
+		tlsCaCert, err := util.Encrypt([]byte(caCert))
 		So(err, ShouldBeNil)
 		ds := DataSource{
 			Id:             1,
@@ -96,9 +96,9 @@ func TestDataSourceProxyCache(t *testing.T) {
 		json := simplejson.New()
 		json.Set("tlsAuth", true)
 
-		tlsClientCert, err := util.Encrypt([]byte(clientCert), "password")
+		tlsClientCert, err := util.Encrypt([]byte(clientCert))
 		So(err, ShouldBeNil)
-		tlsClientKey, err := util.Encrypt([]byte(clientKey), "password")
+		tlsClientKey, err := util.Encrypt([]byte(clientKey))
 		So(err, ShouldBeNil)
 
 		ds := DataSource{
@@ -130,7 +130,7 @@ func TestDataSourceProxyCache(t *testing.T) {
 		json := simplejson.New()
 		json.Set("tlsAuthWithCACert", true)
 
-		tlsCaCert, err := util.Encrypt([]byte(caCert), "password")
+		tlsCaCert, err := util.Encrypt([]byte(caCert))
 		So(err, ShouldBeNil)
 
 		ds := DataSource{
@@ -179,7 +179,7 @@ func TestDataSourceProxyCache(t *testing.T) {
 		json := simplejson.NewFromAny(map[string]interface{}{
 			"httpHeaderName1": "Authorization",
 		})
-		encryptedData, err := util.Encrypt([]byte(`Bearer xf5yhfkpsnmgo`), setting.SecretKey)
+		encryptedData, err := util.Encrypt([]byte(`Bearer xf5yhfkpsnmgo`))
 		if err != nil {
 			log.Fatal(err.Error())
 		}

pkg/server/server.go

@@ -39,6 +39,7 @@ import (
 	_ "github.com/grafana/grafana/pkg/services/provisioning"
 	_ "github.com/grafana/grafana/pkg/services/rendering"
 	_ "github.com/grafana/grafana/pkg/services/search"
+	_ "github.com/grafana/grafana/pkg/services/secrets"
 	_ "github.com/grafana/grafana/pkg/services/sqlstore"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util/errutil"

pkg/services/secrets/encryption.go

@@ -0,0 +1,80 @@
+package secrets
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"errors"
+	"io"
+
+	"github.com/grafana/grafana/pkg/util"
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const saltLength = 8
+
+// Decrypt decrypts a payload with a given secret.
+func decrypt(payload, secret []byte) ([]byte, error) {
+	salt := payload[:saltLength]
+	key, err := encryptionKeyToBytes(secret, salt)
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// The IV needs to be unique, but not secure. Therefore it's common to
+	// include it at the beginning of the ciphertext.
+	if len(payload) < aes.BlockSize {
+		return nil, errors.New("payload too short")
+	}
+	iv := payload[saltLength : saltLength+aes.BlockSize]
+	payload = payload[saltLength+aes.BlockSize:]
+	payloadDst := make([]byte, len(payload))
+
+	stream := cipher.NewCFBDecrypter(block, iv)
+
+	// XORKeyStream can work in-place if the two arguments are the same.
+	stream.XORKeyStream(payloadDst, payload)
+	return payloadDst, nil
+}
+
+// Encrypt encrypts a payload with a given secret.
+func encrypt(payload, secret []byte) ([]byte, error) {
+	salt, err := util.GetRandomString(saltLength)
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := encryptionKeyToBytes(secret, []byte(salt))
+	if err != nil {
+		return nil, err
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// The IV needs to be unique, but not secure. Therefore it's common to
+	// include it at the beginning of the ciphertext.
+	ciphertext := make([]byte, saltLength+aes.BlockSize+len(payload))
+	copy(ciphertext[:saltLength], salt)
+	iv := ciphertext[saltLength : saltLength+aes.BlockSize]
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+
+	stream := cipher.NewCFBEncrypter(block, iv)
+	stream.XORKeyStream(ciphertext[saltLength+aes.BlockSize:], payload)
+
+	return ciphertext, nil
+}
+
+// Key needs to be 32bytes
+func encryptionKeyToBytes(secret, salt []byte) ([]byte, error) {
+	return pbkdf2.Key(secret, salt, 10000, 32, sha256.New), nil
+}

pkg/services/secrets/encryption_test.go

@@ -0,0 +1,40 @@
+package secrets
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEncryption_keyDerivationLength(t *testing.T) {
+	salt := []byte("salt")
+
+	tests := []struct {
+		secret []byte
+		salt   []byte
+	}{
+		{[]byte("secret"), salt},
+		{[]byte("a very long secret key that is larger then 32bytes"), salt},
+	}
+
+	for i, tc := range tests {
+		tc := tc
+		t.Run(fmt.Sprintf("deriving key #%d", i), func(t *testing.T) {
+			key, err := encryptionKeyToBytes(tc.secret, tc.salt)
+			require.NoError(t, err)
+			assert.Len(t, key, 32)
+		})
+	}
+}
+
+func TestEncryption_basic(t *testing.T) {
+	encrypted, err := encrypt([]byte("grafana"), []byte("1234"))
+	require.NoError(t, err)
+
+	decrypted, err := decrypt(encrypted, []byte("1234"))
+	require.NoError(t, err)
+
+	assert.Equal(t, []byte("grafana"), decrypted)
+}

pkg/services/secrets/secretkey.go

@@ -0,0 +1,13 @@
+package secrets
+
+type secretKey struct {
+	key func() []byte
+}
+
+func (s *secretKey) Encrypt(blob []byte) ([]byte, error) {
+	return encrypt(blob, s.key())
+}
+
+func (s *secretKey) Decrypt(blob []byte) ([]byte, error) {
+	return decrypt(blob, s.key())
+}

pkg/services/secrets/secrets.go

@@ -0,0 +1,196 @@
+package secrets
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/grafana/grafana/pkg/util"
+
+	"github.com/grafana/grafana/pkg/bus"
+
+	"github.com/grafana/grafana/pkg/models"
+
+	"github.com/grafana/grafana/pkg/services/sqlstore"
+
+	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/setting"
+)
+
+var logger = log.New("secrets")
+
+type Secrets struct {
+	store *sqlstore.SqlStore `inject:""`
+	bus   bus.Bus            `inject:""`
+
+	defaultEncryptionKey string
+	defaultProvider      string
+	providers            map[string]Provider
+	dataKeyCache         map[string]dataKeyCacheItem
+}
+
+type dataKeyCacheItem struct {
+	expiry  time.Time
+	dataKey []byte
+}
+
+type Provider interface {
+	Encrypt(blob []byte) ([]byte, error)
+	Decrypt(blob []byte) ([]byte, error)
+}
+
+func (s *Secrets) Init() error {
+	s.providers = map[string]Provider{
+		"": &secretKey{
+			key: func() []byte {
+				return []byte(setting.SecretKey)
+			},
+		},
+	}
+
+	base_key := "root"
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	_, err := s.store.GetDataKey(ctx, base_key)
+	if err != nil {
+		if errors.Is(err, models.ErrDataKeyNotFound) {
+			err = s.newRandomDataKey(ctx, base_key)
+			if err != nil {
+				return err
+			}
+		} else {
+			return err
+		}
+	}
+
+	util.Encrypt = s.Encrypt
+	util.Decrypt = s.Decrypt
+
+	return nil
+}
+
+func (s *Secrets) newRandomDataKey(ctx context.Context, base_key string) error {
+	b := make([]byte, 16)
+	_, err := rand.Read(b)
+	if err != nil {
+		return err
+	}
+
+	encrypted, err := s.Encrypt(b)
+	if err != nil {
+		return err
+	}
+
+	err = s.store.CreateDataKey(ctx, models.DataKey{
+		Active:        true,
+		Name:          base_key,
+		Provider:      s.defaultProvider,
+		EncryptedData: encrypted,
+	})
+	return nil
+}
+
+var b64 = base64.RawStdEncoding
+
+func (s *Secrets) Encrypt(payload []byte) ([]byte, error) {
+	key := s.defaultEncryptionKey
+
+	dataKey, err := s.dataKey(key)
+	if err != nil {
+		return nil, err
+	}
+
+	encrypted, err := encrypt(payload, dataKey)
+	if err != nil {
+		return nil, err
+	}
+
+	prefix := make([]byte, b64.EncodedLen(len(key))+2)
+	b64.Encode(prefix[1:], []byte(key))
+	prefix[0] = '#'
+	prefix[len(prefix)-1] = '#'
+
+	blob := make([]byte, len(prefix)+len(encrypted))
+	copy(blob, prefix)
+	copy(blob[len(prefix):], encrypted)
+
+	return blob, nil
+}
+
+func (s *Secrets) Decrypt(payload []byte) ([]byte, error) {
+	if len(payload) == 0 {
+		return []byte{}, nil
+	}
+
+	var dataKey []byte
+
+	if payload[0] != '#' {
+		dataKey = []byte(setting.SecretKey)
+	} else {
+		payload = payload[1:]
+		endOfKey := bytes.Index(payload, []byte{'#'})
+		if endOfKey == -1 {
+			return nil, fmt.Errorf("could not find valid key in encrypted payload")
+		}
+		b64Key := payload[:endOfKey]
+		payload = payload[endOfKey+1:]
+		key := make([]byte, b64.DecodedLen(len(b64Key)))
+		_, err := b64.Decode(key, b64Key)
+		if err != nil {
+			return nil, err
+		}
+
+		dataKey, err = s.dataKey(string(key))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return decrypt(payload, dataKey)
+}
+
+func (s *Secrets) dataKey(key string) ([]byte, error) {
+	if key == "" {
+		return []byte(setting.SecretKey), nil
+	}
+
+	if item, exists := s.dataKeyCache[key]; exists {
+		if item.expiry.Before(time.Now()) && !item.expiry.IsZero() {
+			delete(s.dataKeyCache, key)
+		} else {
+			return item.dataKey, nil
+		}
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+	// 1. get encrypted data key from database
+	dataKey, err := s.store.GetDataKey(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+
+	// 2. decrypt data key
+	provider, exists := s.providers[dataKey.Provider]
+	if !exists {
+		return nil, fmt.Errorf("could not find encryption provider '%s'", dataKey.Provider)
+	}
+
+	decrypted, err := provider.Decrypt(dataKey.EncryptedData)
+	if err != nil {
+		return nil, err
+	}
+
+	// 3. cache data key
+	s.dataKeyCache[key] = dataKeyCacheItem{
+		expiry:  time.Now().Add(15 * time.Minute),
+		dataKey: decrypted,
+	}
+
+	return decrypted, nil
+}

pkg/services/secrets/secrets_test.go

@@ -0,0 +1,45 @@
+package secrets
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/grafana/grafana/pkg/services/sqlstore"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/grafana/grafana/pkg/setting"
+)
+
+func TestSecrets_Encrypt(t *testing.T) {
+	s := Secrets{
+		store: sqlstore.InitTestDB(t),
+	}
+
+	require.NoError(t, s.Init())
+
+	{
+		old := setting.SecretKey
+		defer func() {
+			setting.SecretKey = old
+		}()
+		setting.SecretKey = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+	}
+
+	plaintexts := [][]byte{
+		{},
+		[]byte("hello, world"),
+	}
+
+	for _, plaintext := range plaintexts {
+		t.Run(fmt.Sprintf("encrypting and decrypting %s", string(plaintext)), func(t *testing.T) {
+			encrypted, err := s.Encrypt(plaintext)
+			require.NoError(t, err)
+			decrypted, err := s.Decrypt(encrypted)
+			require.NoError(t, err)
+
+			assert.Equal(t, plaintext, decrypted)
+		})
+	}
+}

pkg/services/sqlstore/data_keys.go

@@ -0,0 +1,48 @@
+package sqlstore
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/grafana/grafana/pkg/models"
+	"xorm.io/xorm"
+)
+
+const dataKeysTable = "data_keys"
+
+func (ss *SqlStore) GetDataKey(ctx context.Context, name string) (*models.DataKey, error) {
+	return getDataKey(ctx, name, ss.engine)
+}
+
+func (ss *SqlStore) CreateDataKey(ctx context.Context, dataKey models.DataKey) error {
+	dataKey.Created = time.Now()
+	dataKey.Updated = dataKey.Created
+
+	if !dataKey.Active {
+		return fmt.Errorf("cannot insert deactivated data keys")
+	}
+
+	_, err := ss.engine.Context(ctx).Table(dataKeysTable).InsertOne(dataKey)
+	return err
+}
+
+func (ss *SqlStore) DeleteDataKey(ctx context.Context, name string) error {
+	_, err := ss.engine.Context(ctx).Table(dataKeysTable).Delete(models.DataKey{Name: name})
+	return err
+}
+
+func getDataKey(ctx context.Context, name string, engine *xorm.Engine) (*models.DataKey, error) {
+	dataKey := &models.DataKey{Name: name, Active: true}
+	exists, err := engine.Context(ctx).Table(dataKeysTable).Get(dataKey)
+
+	if err != nil {
+		sqlog.Error("Failed getting data key", "err", err, "name", name)
+		return nil, fmt.Errorf("failed getting data key: %w", err)
+	}
+	if !exists {
+		return nil, models.ErrDataKeyNotFound
+	}
+
+	return dataKey, nil
+}

pkg/services/sqlstore/data_keys_test.go

@@ -0,0 +1,44 @@
+package sqlstore
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/grafana/grafana/pkg/models"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDataKeys(t *testing.T) {
+	db := InitTestDB(t)
+	ctx := context.Background()
+
+	dataKey := models.DataKey{
+		Active:        true,
+		Name:          "Testing",
+		Provider:      "test",
+		EncryptedData: []byte{0x62, 0xAF, 0xA1, 0x1A},
+	}
+
+	res, err := db.GetDataKey(ctx, dataKey.Name)
+	assert.Equal(t, models.ErrDataKeyNotFound, err)
+	assert.Nil(t, res)
+
+	err = db.CreateDataKey(ctx, dataKey)
+	require.NoError(t, err)
+
+	res, err = db.GetDataKey(ctx, dataKey.Name)
+	require.NoError(t, err)
+	assert.Equal(t, dataKey.EncryptedData, res.EncryptedData)
+	assert.Equal(t, dataKey.Provider, res.Provider)
+	assert.Equal(t, dataKey.Name, res.Name)
+	assert.True(t, dataKey.Active)
+
+	err = db.DeleteDataKey(ctx, dataKey.Name)
+	require.NoError(t, err)
+
+	res, err = db.GetDataKey(ctx, dataKey.Name)
+	assert.Equal(t, models.ErrDataKeyNotFound, err)
+	assert.Nil(t, res)
+}

pkg/services/sqlstore/migrations/data_keys_mig.go

@@ -0,0 +1,20 @@
+package migrations
+
+import "github.com/grafana/grafana/pkg/services/sqlstore/migrator"
+
+func addDataKeysMigrations(mg *migrator.Migrator) {
+	dataKeysV1 := migrator.Table{
+		Name: "data_keys",
+		Columns: []*migrator.Column{
+			{Name: "name", Type: migrator.DB_NVarchar, Length: 50, IsPrimaryKey: true},
+			{Name: "active", Type: migrator.DB_Bool},
+			{Name: "provider", Type: migrator.DB_NVarchar, Length: 50, Nullable: true},
+			{Name: "encrypted_data", Type: migrator.DB_Blob, Nullable: false},
+			{Name: "created", Type: migrator.DB_DateTime, Nullable: false},
+			{Name: "updated", Type: migrator.DB_DateTime, Nullable: false},
+		},
+		Indices: []*migrator.Index{},
+	}
+
+	mg.AddMigration("create data keys table", migrator.NewAddTableMigration(dataKeysV1))
+}

pkg/services/sqlstore/migrations/migrations.go

@@ -35,6 +35,7 @@ func AddMigrations(mg *Migrator) {
 	addUserAuthTokenMigrations(mg)
 	addCacheMigration(mg)
 	addShortURLMigrations(mg)
+	addDataKeysMigrations(mg)
 }
 
 func addMigrationLogMigrations(mg *Migrator) {

pkg/services/sqlstore/plugin_setting.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/models"
-	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )
 
@@ -77,7 +76,7 @@ func UpdatePluginSetting(cmd *models.UpdatePluginSettingCmd) error {
 			return err
 		}
 		for key, data := range cmd.SecureJsonData {
-			encryptedData, err := util.Encrypt([]byte(data), setting.SecretKey)
+			encryptedData, err := util.Encrypt([]byte(data))
 			if err != nil {
 				return err
 			}

pkg/services/sqlstore/user_auth.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/models"
-	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )
 
@@ -265,7 +264,7 @@ func decodeAndDecrypt(s string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	decrypted, err := util.Decrypt(decoded, setting.SecretKey)
+	decrypted, err := util.Decrypt(decoded)
 	if err != nil {
 		return "", err
 	}
@@ -275,7 +274,7 @@ func decodeAndDecrypt(s string) (string, error) {
 // encryptAndEncode will encrypt a string with grafana's secretKey, and
 // then encode it with the standard bas64 encoder
 func encryptAndEncode(s string) (string, error) {
-	encrypted, err := util.Encrypt([]byte(s), setting.SecretKey)
+	encrypted, err := util.Encrypt([]byte(s))
 	if err != nil {
 		return "", err
 	}

pkg/util/encryption.go

@@ -1,79 +1,19 @@
 package util
 
 import (
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/rand"
-	"crypto/sha256"
 	"errors"
-	"io"
-
-	"golang.org/x/crypto/pbkdf2"
 )
 
-const saltLength = 8
+var ErrNotInitialized = errors.New("function is not initialized")
 
 // Decrypt decrypts a payload with a given secret.
-func Decrypt(payload []byte, secret string) ([]byte, error) {
+// Real implementation in github.com/grafana/grafana/pkg/services/secrets
-	salt := payload[:saltLength]
+var Decrypt = func(_ []byte) ([]byte, error) {
-	key, err := encryptionKeyToBytes(secret, string(salt))
+	return nil, ErrNotInitialized
-	if err != nil {
-		return nil, err
-	}
-
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	// The IV needs to be unique, but not secure. Therefore it's common to
-	// include it at the beginning of the ciphertext.
-	if len(payload) < aes.BlockSize {
-		return nil, errors.New("payload too short")
-	}
-	iv := payload[saltLength : saltLength+aes.BlockSize]
-	payload = payload[saltLength+aes.BlockSize:]
-	payloadDst := make([]byte, len(payload))
-
-	stream := cipher.NewCFBDecrypter(block, iv)
-
-	// XORKeyStream can work in-place if the two arguments are the same.
-	stream.XORKeyStream(payloadDst, payload)
-	return payloadDst, nil
 }
 
 // Encrypt encrypts a payload with a given secret.
-func Encrypt(payload []byte, secret string) ([]byte, error) {
+// Real implementation in github.com/grafana/grafana/pkg/services/secrets
-	salt, err := GetRandomString(saltLength)
+var Encrypt = func(_ []byte) ([]byte, error) {
-	if err != nil {
+	return nil, ErrNotInitialized
-		return nil, err
-	}
-
-	key, err := encryptionKeyToBytes(secret, salt)
-	if err != nil {
-		return nil, err
-	}
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	// The IV needs to be unique, but not secure. Therefore it's common to
-	// include it at the beginning of the ciphertext.
-	ciphertext := make([]byte, saltLength+aes.BlockSize+len(payload))
-	copy(ciphertext[:saltLength], salt)
-	iv := ciphertext[saltLength : saltLength+aes.BlockSize]
-	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
-		return nil, err
-	}
-
-	stream := cipher.NewCFBEncrypter(block, iv)
-	stream.XORKeyStream(ciphertext[saltLength+aes.BlockSize:], payload)
-
-	return ciphertext, nil
-}
-
-// Key needs to be 32bytes
-func encryptionKeyToBytes(secret, salt string) ([]byte, error) {
-	return pbkdf2.Key([]byte(secret), []byte(salt), 10000, 32, sha256.New), nil
 }

pkg/util/encryption_test.go

@@ -1,30 +0,0 @@
-package util
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestEncryption(t *testing.T) {
-	t.Run("getting encryption key", func(t *testing.T) {
-		key, err := encryptionKeyToBytes("secret", "salt")
-		require.NoError(t, err)
-		assert.Len(t, key, 32)
-
-		key, err = encryptionKeyToBytes("a very long secret key that is larger then 32bytes", "salt")
-		require.NoError(t, err)
-		assert.Len(t, key, 32)
-	})
-
-	t.Run("decrypting basic payload", func(t *testing.T) {
-		encrypted, err := Encrypt([]byte("grafana"), "1234")
-		require.NoError(t, err)
-
-		decrypted, err := Decrypt(encrypted, "1234")
-		require.NoError(t, err)
-
-		assert.Equal(t, []byte("grafana"), decrypted)
-	})
-}