chore: add .env.dev.example file for development environment configuration

.env.dev.example

@@ -0,0 +1,150 @@
+# Keys
+# Required key for platform encryption/decryption ops
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+ENCRYPTION_KEY=VVHnGZ0w98WLgISK4XSJcagezuG6EWRFTk48KE4Y5Mw=
+
+# JWT
+# Required secrets to sign JWT tokens
+# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
+
+# Postgres creds
+POSTGRES_PASSWORD=infisical
+POSTGRES_USER=infisical
+POSTGRES_DB=infisical
+
+# Required
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+
+# Redis
+REDIS_URL=redis://redis:6379
+
+# Website URL
+# Required
+SITE_URL=http://localhost:8080
+
+# Mail/SMTP
+SMTP_HOST=
+SMTP_PORT=
+SMTP_FROM_ADDRESS=
+SMTP_FROM_NAME=
+SMTP_USERNAME=
+SMTP_PASSWORD=
+
+# Integration
+# Optional only if integration is used
+CLIENT_ID_HEROKU=
+CLIENT_ID_VERCEL=
+CLIENT_ID_NETLIFY=
+CLIENT_ID_GITHUB=
+CLIENT_ID_GITHUB_APP=
+CLIENT_SLUG_GITHUB_APP=
+CLIENT_ID_GITLAB=
+CLIENT_ID_BITBUCKET=
+CLIENT_SECRET_HEROKU=
+CLIENT_SECRET_VERCEL=
+CLIENT_SECRET_NETLIFY=
+CLIENT_SECRET_GITHUB=
+CLIENT_SECRET_GITHUB_APP=
+CLIENT_SECRET_GITLAB=
+CLIENT_SECRET_BITBUCKET=
+CLIENT_SLUG_VERCEL=
+
+CLIENT_PRIVATE_KEY_GITHUB_APP=
+CLIENT_APP_ID_GITHUB_APP=
+
+# Sentry (optional) for monitoring errors
+SENTRY_DSN=
+
+# Infisical Cloud-specific configs
+# Ignore - Not applicable for self-hosted version
+POSTHOG_HOST=
+POSTHOG_PROJECT_API_KEY=
+
+# SSO-specific variables
+CLIENT_ID_GOOGLE_LOGIN=
+CLIENT_SECRET_GOOGLE_LOGIN=
+
+CLIENT_ID_GITHUB_LOGIN=
+CLIENT_SECRET_GITHUB_LOGIN=
+
+CLIENT_ID_GITLAB_LOGIN=
+CLIENT_SECRET_GITLAB_LOGIN=
+
+CAPTCHA_SECRET=
+
+NEXT_PUBLIC_CAPTCHA_SITE_KEY=
+
+OTEL_TELEMETRY_COLLECTION_ENABLED=false
+OTEL_EXPORT_TYPE=prometheus
+OTEL_EXPORT_OTLP_ENDPOINT=
+OTEL_OTLP_PUSH_INTERVAL=
+
+OTEL_COLLECTOR_BASIC_AUTH_USERNAME=
+OTEL_COLLECTOR_BASIC_AUTH_PASSWORD=
+
+PLAIN_API_KEY=
+PLAIN_WISH_LABEL_IDS=
+
+SSL_CLIENT_CERTIFICATE_HEADER_KEY=
+
+ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
+
+# App Connections
+
+# aws assume-role connection
+INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
+INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
+
+# github oauth connection
+INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
+
+#github app connection
+INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
+INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
+INF_APP_CONNECTION_GITHUB_APP_SLUG=
+INF_APP_CONNECTION_GITHUB_APP_ID=
+
+#gitlab app connection
+INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET=
+
+#github radar app connection
+INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_PRIVATE_KEY=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_SLUG=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_ID=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET=
+
+#gcp app connection
+INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
+
+# azure app connections
+INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET=
+
+# heroku app connection
+INF_APP_CONNECTION_HEROKU_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_HEROKU_OAUTH_CLIENT_SECRET=
+
+# datadog
+SHOULD_USE_DATADOG_TRACER=
+DATADOG_PROFILING_ENABLED=
+DATADOG_ENV=
+DATADOG_SERVICE=
+DATADOG_HOSTNAME=
+
+# kubernetes
+KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false

.env.example

@@ -3,10 +3,6 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=f13dbc92aaaf86fa7cb0ed8ac3265f47
 
-# Used for compatibility with the FIPS image
-# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
-ROOT_ENCRYPTION_KEY=RQKPV9co/vf3N7DFBBTu82exLjtTcMLXWjuHBZAjazA=
-
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION

README.md

@@ -100,13 +100,13 @@ To set up and run Infisical locally, make sure you have Git and Docker installed
 Linux/macOS:
 
 ```console
-git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker compose -f docker-compose.prod.yml up
+git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.dev.example .env && docker compose -f docker-compose.prod.yml up
 ```
 
 Windows Command Prompt:
 
 ```console
-git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker compose -f docker-compose.prod.yml up
+git clone https://github.com/Infisical/infisical && cd infisical && copy .env.dev.example .env && docker compose -f docker-compose.prod.yml up
 ```
 
 Create an account at `http://localhost:80`

backend/src/lib/crypto/cryptography/crypto.ts

@@ -17,6 +17,7 @@ import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service";
 
+import { isBase64 } from "../../base64";
 import { getConfig, TEnvConfig } from "../../config/env";
 import { CryptographyError } from "../../errors";
 import { logger } from "../../logger";
@@ -113,7 +114,7 @@ const cryptographyFactory = () => {
     enabled: boolean,
     hsmService: THsmServiceFactory,
     kmsRootConfigDAL: TKmsRootConfigDALFactory,
-    envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY" | "ROOT_ENCRYPTION_KEY">
+    envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY">
   ) => {
     // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key.
     if (enabled) {
@@ -134,20 +135,18 @@ const cryptographyFactory = () => {
 
       // only perform encryption key validation if it's actually required.
       if (needsEncryptionKey) {
-        const encryptionKey = appCfg.ROOT_ENCRYPTION_KEY || appCfg.ENCRYPTION_KEY;
-
-        if (encryptionKey) {
+        if (appCfg.ENCRYPTION_KEY) {
           // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key
 
           // note(daniel): for some reason this resolves as true for some hex-encoded strings.
-          if (!encryptionKey) {
+          if (!isBase64(appCfg.ENCRYPTION_KEY)) {
             throw new CryptographyError({
               message:
                 "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a base64 encoded 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
             });
           }
 
-          if (bytesToBits(Buffer.from(encryptionKey, "base64").length) !== 256) {
+          if (bytesToBits(Buffer.from(appCfg.ENCRYPTION_KEY, "base64").length) !== 256) {
             throw new CryptographyError({
               message:
                 "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"

backend/src/services/kms/kms-service.ts

@@ -828,9 +828,9 @@ export const kmsServiceFactory = ({
   };
 
   const $getBasicEncryptionKey = () => {
-    const encryptionKey = envConfig.ROOT_ENCRYPTION_KEY || envConfig.ENCRYPTION_KEY;
+    const encryptionKey = envConfig.ENCRYPTION_KEY || envConfig.ROOT_ENCRYPTION_KEY;
 
-    const isBase64 = envConfig.ROOT_ENCRYPTION_KEY;
+    const isBase64 = !envConfig.ENCRYPTION_KEY;
     if (!encryptionKey)
       throw new Error(
         "Root encryption key not found for KMS service. Did you set the ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY environment variables?"

docs/contributing/platform/developing.mdx

@@ -15,7 +15,7 @@ git checkout -b MY_BRANCH_NAME
 
 ## Set up environment variables
 
-Start by creating a `.env` file at the root of the Infisical directory then copy the contents of the file linked [here](https://github.com/Infisical/infisical/blob/main/.env.example). View all available [environment variables](https://infisical.com/docs/self-hosting/configuration/envars) and guidance for each.
+Start by creating a `.env` file at the root of the Infisical directory then copy the contents of the file linked [here](https://github.com/Infisical/infisical/blob/main/.env.dev.example). View all available [environment variables](https://infisical.com/docs/self-hosting/configuration/envars) and guidance for each.
 
 ## Starting Infisical for development