feat(portal): Encrypt third-party access tokens and other sensitive information at rest

[AndrewDryga]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
firezone	⬜️ Ignored (Inspect)	Visit Preview		Apr 29, 2024 10:57pm

[github-actions]

Terraform Cloud Plan Output

Plan: 15 to add, 15 to change, 15 to destroy.

Terraform Cloud Plan

[bmanifold]

I spun this up on my local machine and did a drop, create, migrate, seed on the DB to make sure it was in a good state and then just started the dev server like I always do iex -S mix.

I was able to add a new identity provider (MS EntraID) and saw that the fields in the DB appeared to be encrypted, however, when it tried to do a sync it threw an error:

[error] Error syncing provider
[error] GenServer #PID<0.1657.0> terminating
** (ArgumentError) cannot load `"eyJ0eXAiOiJKV1QiLCJub25jZSI6InVoUjRfblNPVC1CajljeExhdFlZNDVONU5OT2g5VVNQS2pPMkpIa0JaVEkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9.eyJhdWQiOiIwM
....truncated the rest to save space"` as type Domain.Types.EncryptedString for field `access_token` in schema Domain.Auth.Adapters.MicrosoftEntra.ProviderState

Is there something different I should be doing when spinning up my local dev instance now?

[jamilbk]

@jamilbk

• Remember to update /kb/architecture/security-controls table with data at rest info from Add cloak_ecto #3861