From 1ffaa7a367dcd71ad896fee31facad6b6ead471e Mon Sep 17 00:00:00 2001
From: Victor Santos
Date: Thu, 20 Nov 2025 14:54:28 -0300
Subject: [PATCH 1/4] chore: update .env.example with new ROOT_ENCRYPTION_KEY and adjust kms-service to prioritize it

---
 .env.example | 6 +++++-
 backend/src/lib/crypto/cryptography/crypto.ts | 11 ++++++-----
 backend/src/services/kms/kms-service.ts | 4 ++--
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/.env.example b/.env.example
index f67488c23e..d9d560fa8e 100644
--- a/.env.example
+++ b/.env.example
@@ -1,7 +1,11 @@
 # Keys
 # Required key for platform encryption/decryption ops
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
-ENCRYPTION_KEY=VVHnGZ0w98WLgISK4XSJcagezuG6EWRFTk48KE4Y5Mw=
+ENCRYPTION_KEY=f13dbc92aaaf86fa7cb0ed8ac3265f47
+
+# Used for compatibility with the FIPS image
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+ROOT_ENCRYPTION_KEY=RQKPV9co/vf3N7DFBBTu82exLjtTcMLXWjuHBZAjazA=
 
 # JWT
 # Required secrets to sign JWT tokens
diff --git a/backend/src/lib/crypto/cryptography/crypto.ts b/backend/src/lib/crypto/cryptography/crypto.ts
index 6e2a157407..9456b45549 100644
--- a/backend/src/lib/crypto/cryptography/crypto.ts
+++ b/backend/src/lib/crypto/cryptography/crypto.ts
@@ -17,7 +17,6 @@ import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service";
 
-import { isBase64 } from "../../base64";
 import { getConfig, TEnvConfig } from "../../config/env";
 import { CryptographyError } from "../../errors";
 import { logger } from "../../logger";
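Review bot: The ENCRYPTION_KEY sample is now a 32-hex-character string while the new ROOT_ENCRYPTION_KEY is base64, and neither comment states which format each key must have or what happens when both are set. This same patch's kms-service.ts change (`envConfig.ROOT_ENCRYPTION_KEY || envConfig.ENCRYPTION_KEY`) makes ROOT_ENCRYPTION_KEY win, so an operator who copies this example as-is never uses the hex ENCRYPTION_KEY at all. Suggest replacing the ROOT_ENCRYPTION_KEY comment with `# Base64-encoded 256-bit key for the FIPS image; takes precedence over ENCRYPTION_KEY when both are set` and adding the expected format (hex vs base64, key length) to the ENCRYPTION_KEY comment as well.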
@@ -114,7 +113,7 @@ const cryptographyFactory = () => {
 enabled: boolean,
 hsmService: THsmServiceFactory,
 kmsRootConfigDAL: TKmsRootConfigDALFactory,
- envCfg?: Pick
+ envCfg?: Pick
 ) => {
 // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key.
 if (enabled) {
@@ -135,18 +134,20 @@ const cryptographyFactory = () => {
 // only perform encryption key validation if it's actually required.
 if (needsEncryptionKey) {
- if (appCfg.ENCRYPTION_KEY) {
+ const encryptionKey = appCfg.ROOT_ENCRYPTION_KEY || appCfg.ENCRYPTION_KEY;
+
+ if (encryptionKey) {
 // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key
 // note(daniel): for some reason this resolves as true for some hex-encoded strings.
- if (!isBase64(appCfg.ENCRYPTION_KEY)) {
+ if (!encryptionKey) {
 throw new CryptographyError({
 message: "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a base64 encoded 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
 });
 }
- if (bytesToBits(Buffer.from(appCfg.ENCRYPTION_KEY, "base64").length) !== 256) {
+ if (bytesToBits(Buffer.from(encryptionKey, "base64").length) !== 256) {
 throw new CryptographyError({
 message: "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
diff --git a/backend/src/services/kms/kms-service.ts b/backend/src/services/kms/kms-service.ts
index 8f868978da..8ef071dd80 100644
--- a/backend/src/services/kms/kms-service.ts
+++ b/backend/src/services/kms/kms-service.ts
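Review bot: The new `if (!encryptionKey)` guard can never be true because it sits directly inside `if (encryptionKey)`, so the base64-format validation that the two comments above it describe no longer runs (this file's first hunk also removed the `isBase64` import), and only the decoded-length check remains, which `Buffer.from(x, "base64")` is lenient enough to pass for inputs that are not valid base64. Restore the check as `if (!isBase64(encryptionKey)) {` and keep the import. The two error messages still name only ENCRYPTION_KEY even though ROOT_ENCRYPTION_KEY is now consulted first. The enclosing function continues past the end of the hunk, and patch 2/4 of this series reverts these lines.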
@@ -828,9 +828,9 @@ export const kmsServiceFactory = ({
 };
 const $getBasicEncryptionKey = () => {
- const encryptionKey = envConfig.ENCRYPTION_KEY || envConfig.ROOT_ENCRYPTION_KEY;
+ const encryptionKey = envConfig.ROOT_ENCRYPTION_KEY || envConfig.ENCRYPTION_KEY;
- const isBase64 = !envConfig.ENCRYPTION_KEY;
+ const isBase64 = envConfig.ROOT_ENCRYPTION_KEY;
 if (!encryptionKey)
 throw new Error(
 "Root encryption key not found for KMS service. Did you set the ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY environment variables?"

From 29af0418f764598dcda52dfbc355157634287b48 Mon Sep 17 00:00:00 2001
From: Victor Santos
Date: Thu, 11 Dec 2025 12:31:24 -0300
Subject: [PATCH 2/4] chore: add .env.dev.example file for development environment configuration

---
 .env.dev.example | 150 ++++++++++++++++++
 .env.example | 4 -
 README.md | 4 +-
 backend/src/lib/crypto/cryptography/crypto.ts | 11 +-
 backend/src/services/kms/kms-service.ts | 4 +-
 docs/contributing/platform/developing.mdx | 2 +-
 6 files changed, 160 insertions(+), 15 deletions(-)
 create mode 100644 .env.dev.example

diff --git a/.env.dev.example b/.env.dev.example
new file mode 100644
index 0000000000..f67488c23e
--- /dev/null
+++ b/.env.dev.example
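Review bot: `const isBase64 = envConfig.ROOT_ENCRYPTION_KEY;` assigns the key string itself rather than a boolean, so a variable named like a flag now carries the secret and its type changes from boolean to string | undefined for whatever consumes it below; write `const isBase64 = Boolean(envConfig.ROOT_ENCRYPTION_KEY);` instead. The priority swap on the line above is consistent with that flag, but the rest of `$getBasicEncryptionKey` and the use of `isBase64` lie outside the hunk, so confirm the consumer tolerates the changed type if it is kept. Patch 2/4 of this series restores the previous two lines.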
@@ -0,0 +1,150 @@
+# Keys
+# Required key for platform encryption/decryption ops
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+ENCRYPTION_KEY=VVHnGZ0w98WLgISK4XSJcagezuG6EWRFTk48KE4Y5Mw=
+
+# JWT
+# Required secrets to sign JWT tokens
+# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
+
+# Postgres creds
+POSTGRES_PASSWORD=infisical
+POSTGRES_USER=infisical
+POSTGRES_DB=infisical
+
+# Required
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+
+# Redis
+REDIS_URL=redis://redis:6379
+
+# Website URL
+# Required
+SITE_URL=http://localhost:8080
+
+# Mail/SMTP
+SMTP_HOST=
+SMTP_PORT=
+SMTP_FROM_ADDRESS=
+SMTP_FROM_NAME=
+SMTP_USERNAME=
+SMTP_PASSWORD=
+
+# Integration
+# Optional only if integration is used
+CLIENT_ID_HEROKU=
+CLIENT_ID_VERCEL=
+CLIENT_ID_NETLIFY=
+CLIENT_ID_GITHUB=
+CLIENT_ID_GITHUB_APP=
+CLIENT_SLUG_GITHUB_APP=
+CLIENT_ID_GITLAB=
+CLIENT_ID_BITBUCKET=
+CLIENT_SECRET_HEROKU=
+CLIENT_SECRET_VERCEL=
+CLIENT_SECRET_NETLIFY=
+CLIENT_SECRET_GITHUB=
+CLIENT_SECRET_GITHUB_APP=
+CLIENT_SECRET_GITLAB=
+CLIENT_SECRET_BITBUCKET=
+CLIENT_SLUG_VERCEL=
+
+CLIENT_PRIVATE_KEY_GITHUB_APP=
+CLIENT_APP_ID_GITHUB_APP=
+
+# Sentry (optional) for monitoring errors
+SENTRY_DSN=
+
+# Infisical Cloud-specific configs
+# Ignore - Not applicable for self-hosted version
+POSTHOG_HOST=
+POSTHOG_PROJECT_API_KEY=
+
+# SSO-specific variables
+CLIENT_ID_GOOGLE_LOGIN=
+CLIENT_SECRET_GOOGLE_LOGIN=
+
+CLIENT_ID_GITHUB_LOGIN=
+CLIENT_SECRET_GITHUB_LOGIN=
+
+CLIENT_ID_GITLAB_LOGIN=
+CLIENT_SECRET_GITLAB_LOGIN=
+
+CAPTCHA_SECRET=
+
+NEXT_PUBLIC_CAPTCHA_SITE_KEY=
+
+OTEL_TELEMETRY_COLLECTION_ENABLED=false
+OTEL_EXPORT_TYPE=prometheus
+OTEL_EXPORT_OTLP_ENDPOINT=
+OTEL_OTLP_PUSH_INTERVAL=
+
+OTEL_COLLECTOR_BASIC_AUTH_USERNAME=
+OTEL_COLLECTOR_BASIC_AUTH_PASSWORD=
+
+PLAIN_API_KEY=
+PLAIN_WISH_LABEL_IDS=
+
+SSL_CLIENT_CERTIFICATE_HEADER_KEY=
+
+ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
+
+# App Connections
+
+# aws assume-role connection
+INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
+INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
+
+# github oauth connection
+INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
+
+#github app connection
+INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
+INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
+INF_APP_CONNECTION_GITHUB_APP_SLUG=
+INF_APP_CONNECTION_GITHUB_APP_ID=
+
+#gitlab app connection
+INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET=
+
+#github radar app connection
+INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_PRIVATE_KEY=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_SLUG=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_ID=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET=
+
+#gcp app connection
+INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
+
+# azure app connections
+INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET=
+
+# heroku app connection
+INF_APP_CONNECTION_HEROKU_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_HEROKU_OAUTH_CLIENT_SECRET=
+
+# datadog
+SHOULD_USE_DATADOG_TRACER=
+DATADOG_PROFILING_ENABLED=
+DATADOG_ENV=
+DATADOG_SERVICE=
+DATADOG_HOSTNAME=
+
+# kubernetes
+KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false
diff --git a/.env.example b/.env.example
index d9d560fa8e..8cb5bf6833 100644
--- a/.env.example
+++ b/.env.example
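Review bot: `SITE_URL=http://localhost:8080` in this new file disagrees with the README hunk in the same commit, which now tells users to copy .env.dev.example and then "Create an account at `http://localhost:80`"; patch 3/4 later changes SITE_URL to port 80 only in .env.example, which the README and the BDD workflow (patch 4/4) no longer use. Either change this line to `SITE_URL=http://localhost:80` or fix the README so the two agree. A short header comment saying how this file differs from .env.example (notably the base64 ENCRYPTION_KEY here versus the hex one kept there) would also help, since the contributing docs now point developers at only this file.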
@@ -3,10 +3,6 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=f13dbc92aaaf86fa7cb0ed8ac3265f47
 
-# Used for compatibility with the FIPS image
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
-ROOT_ENCRYPTION_KEY=RQKPV9co/vf3N7DFBBTu82exLjtTcMLXWjuHBZAjazA=
-
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
diff --git a/README.md b/README.md
index 1a44117a49..6a46a1f5b7 100644
--- a/README.md
+++ b/README.md
@@ -100,13 +100,13 @@ To set up and run Infisical locally, make sure you have Git and Docker installed
 Linux/macOS:
 ```console
-git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker compose -f docker-compose.prod.yml up
+git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.dev.example .env && docker compose -f docker-compose.prod.yml up
 ```
 Windows Command Prompt:
 ```console
-git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker compose -f docker-compose.prod.yml up
+git clone https://github.com/Infisical/infisical && cd infisical && copy .env.dev.example .env && docker compose -f docker-compose.prod.yml up
 ```
 Create an account at `http://localhost:80`
diff --git a/backend/src/lib/crypto/cryptography/crypto.ts b/backend/src/lib/crypto/cryptography/crypto.ts
index 9456b45549..6e2a157407 100644
--- a/backend/src/lib/crypto/cryptography/crypto.ts
+++ b/backend/src/lib/crypto/cryptography/crypto.ts
@@ -17,6 +17,7 @@ import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service";
 
+import { isBase64 } from "../../base64";
 import { getConfig, TEnvConfig } from "../../config/env";
 import { CryptographyError } from "../../errors";
 import { logger } from "../../logger";
@@ -113,7 +114,7 @@ const cryptographyFactory = () => {
 enabled: boolean,
 hsmService: THsmServiceFactory,
 kmsRootConfigDAL: TKmsRootConfigDALFactory,
- envCfg?: Pick
+ envCfg?: Pick
 ) => {
 // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key.
 if (enabled) {
@@ -134,20 +135,18 @@ const cryptographyFactory = () => {
 // only perform encryption key validation if it's actually required.
 if (needsEncryptionKey) {
- const encryptionKey = appCfg.ROOT_ENCRYPTION_KEY || appCfg.ENCRYPTION_KEY;
-
- if (encryptionKey) {
+ if (appCfg.ENCRYPTION_KEY) {
 // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key
 // note(daniel): for some reason this resolves as true for some hex-encoded strings.
- if (!encryptionKey) {
+ if (!isBase64(appCfg.ENCRYPTION_KEY)) {
 throw new CryptographyError({
 message: "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a base64 encoded 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
 });
 }
- if (bytesToBits(Buffer.from(encryptionKey, "base64").length) !== 256) {
+ if (bytesToBits(Buffer.from(appCfg.ENCRYPTION_KEY, "base64").length) !== 256) {
 throw new CryptographyError({
 message: "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
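Review bot: The commit message says nothing about the crypto.ts hunks here (and the kms-service.ts hunk that follows) reverting the ROOT_ENCRYPTION_KEY-first logic introduced in patch 1/4 — the `isBase64` import, the `encryptionKey` local and the `ROOT_ENCRYPTION_KEY || ENCRYPTION_KEY` ordering all go back to their prior state under a message that only describes adding .env.dev.example. Either drop the backend hunks from patch 1/4 so the series never carries the intermediate state, or state in this message why the ordering was reverted; as written, the history of these two files shows a change and a silent undo. The restored FIPS check inspects only `appCfg.ENCRYPTION_KEY`, so if ROOT_ENCRYPTION_KEY is the key meant for the FIPS image (as the .env.example comment removed in this same commit said), a deployment that sets only that variable falls into the else branch outside this hunk; confirm that is the intended behaviour. The enclosing function continues past the end of the hunk.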
diff --git a/backend/src/services/kms/kms-service.ts b/backend/src/services/kms/kms-service.ts
index 8ef071dd80..8f868978da 100644
--- a/backend/src/services/kms/kms-service.ts
+++ b/backend/src/services/kms/kms-service.ts
@@ -828,9 +828,9 @@ export const kmsServiceFactory = ({
 };
 const $getBasicEncryptionKey = () => {
- const encryptionKey = envConfig.ROOT_ENCRYPTION_KEY || envConfig.ENCRYPTION_KEY;
+ const encryptionKey = envConfig.ENCRYPTION_KEY || envConfig.ROOT_ENCRYPTION_KEY;
- const isBase64 = envConfig.ROOT_ENCRYPTION_KEY;
+ const isBase64 = !envConfig.ENCRYPTION_KEY;
 if (!encryptionKey)
 throw new Error(
 "Root encryption key not found for KMS service. Did you set the ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY environment variables?"
diff --git a/docs/contributing/platform/developing.mdx b/docs/contributing/platform/developing.mdx
index 5a1af52c4a..bb84d8846b 100644
--- a/docs/contributing/platform/developing.mdx
+++ b/docs/contributing/platform/developing.mdx
@@ -15,7 +15,7 @@ git checkout -b MY_BRANCH_NAME
 ## Set up environment variables
-Start by creating a `.env` file at the root of the Infisical directory then copy the contents of the file linked [here](https://github.com/Infisical/infisical/blob/main/.env.example). View all available [environment variables](https://infisical.com/docs/self-hosting/configuration/envars) and guidance for each.
+Start by creating a `.env` file at the root of the Infisical directory then copy the contents of the file linked [here](https://github.com/Infisical/infisical/blob/main/.env.dev.example). View all available [environment variables](https://infisical.com/docs/self-hosting/configuration/envars) and guidance for each.
 ## Starting Infisical for development

From 1a7de4ab8d2abcb759268d058d1fa1c63295e53a Mon Sep 17 00:00:00 2001
From: Victor Santos
Date: Thu, 11 Dec 2025 12:56:22 -0300
Subject: [PATCH 3/4] fix: update SITE_URL in .env.example to use port 80

---
 .env.example | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.env.example b/.env.example
index 8cb5bf6833..07cc1bfa2f 100644
--- a/.env.example
+++ b/.env.example
@@ -21,7 +21,7 @@ REDIS_URL=redis://redis:6379
 # Website URL
 # Required
-SITE_URL=http://localhost:8080
+SITE_URL=http://localhost:80
 # Mail/SMTP
 SMTP_HOST=

From 1c30658ecfb601811d22defae59dca3cc68a5e5f Mon Sep 17 00:00:00 2001
From: Victor Santos
Date: Thu, 11 Dec 2025 15:09:16 -0300
Subject: [PATCH 4/4] fix: update backend BDD tests workflow to use .env.dev.example for environment configuration

---
 .github/workflows/run-backend-bdd-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/run-backend-bdd-tests.yml b/.github/workflows/run-backend-bdd-tests.yml
index 7b54aa44e8..2ff808e47b 100644
--- a/.github/workflows/run-backend-bdd-tests.yml
+++ b/.github/workflows/run-backend-bdd-tests.yml
@@ -47,7 +47,7 @@ jobs:
 - name: Output .env file and enable feature flags for BDD tests
 run: |
-cp .env.example .env
+cp .env.dev.example .env
 echo "ACME_DEVELOPMENT_MODE=true" >> .env
 echo "ACME_DEVELOPMENT_HTTP01_CHALLENGE_HOST_OVERRIDES={\"localhost\": \"host.docker.internal:8087\", \"infisical.com\": \"host.docker.internal:8087\", \"example.com\": \"host.docker.internal:8087\"}" >> .env
 echo "BDD_NOCK_API_ENABLED=true" >> .env