Skip to content

Encrypt cache used by ske kubeconfig login #1244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
marceljk merged 9 commits into from
Jan 22, 2026
Merged

Encrypt cache used by ske kubeconfig login #1244

marceljk merged 9 commits into from
Jan 22, 2026
+238 −46

Conversation

@MichaelEischer
Copy link
Contributor

@MichaelEischer MichaelEischer commented Jan 22, 2026

Description

ske kubeconfig login stores retrieved credentials on-disk in a cache. Those files should be handled like secrets but are too large to be stored in the keyring. Thus, just encrypt them with AES-GCM using a secret key that is stored in the keyring. The extra security provided by this is somewhat limited as someone who's able to read the cache entry is likely also able to call the stackit cli to retrieve the decrypted value. However, this encryption ensures consistent secret handling by being consistent with the normal access token that is also stored in the keyring.

There is no need for a migration of existing cache entries as the tokens there are short-lived and will be automatically refreshed if they cannot be read from the cache.

The go docs for cipher.NewGCMWithRandomNonce state that a key should only be used at most 2^32 times. This limit is unlikely to be ever reached, so I've opted for the simplest option and just refresh the key every 90 days, which is already more than enough. This also provides a good opportunity to clean up stale files in the cache.

Relates to STACKITSKE-4927

Checklist

  • Issue was linked above
  • Code format was applied: make fmt
  • Examples were added / adjusted (see e.g. here) not relevant
  • Docs are up-to-date: make generate-docs (will be checked by CI)
  • Unit tests got implemented or updated
  • Unit tests are passing: make test (will be checked by CI)
  • No linter issues: make lint (will be checked by CI)

@MichaelEischer MichaelEischer requested a review from a team as a code owner January 22, 2026 10:35
@marceljk marceljk merged commit 9069021 into stackitcloud:main Jan 22, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marceljk marceljk marceljk approved these changes

@cgoetz-inovex cgoetz-inovex cgoetz-inovex approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MichaelEischer @marceljk @cgoetz-inovex