feat(coderd): connect dbcrypt package implementation (#9523)

See also: https://github.com/coder/coder/pull/9522

- Adds commands `server dbcrypt {rotate,decrypt,delete}` to re-encrypt, decrypt, or delete encrypted data, respectively.
- Plumbs through dbcrypt in enterprise/coderd (including unit tests).
- Adds documentation in admin/encryption.md.

This enables dbcrypt by default, but the feature is soft-enforced on supplying external token encryption keys. Without specifying any keys, encryption/decryption is a no-op.
Cian Johnston
2023-09-07 15:49:49 +01:00
committed by GitHub
parent ed7f682fd1
commit 7d7c84bb4d
36 changed files with 1600 additions and 36 deletions

docs/api/general.md generated

@ -212,6 +212,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
},
"enable_terraform_debug_mode": true,
"experiments": ["string"],
"external_token_encryption_keys": ["string"],
"git_auth": {
"value": [
{
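Review bot: `external_token_encryption_keys` is added to the example response body of `GET /api/v2/deployment/config` (the line added at +212), and the commit message describes these values as the keys that encrypt stored tokens. Confirm that the endpoint never returns the real key material to API callers, and if the server masks the value, have the example show the redacted form rather than `"string"`; a config endpoint that echoes the encryption keys to anyone who can read deployment settings would undo the protection the keys are meant to provide.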

docs/api/schemas.md generated

@ -2036,6 +2036,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
},
"enable_terraform_debug_mode": true,
"experiments": ["string"],
"external_token_encryption_keys": ["string"],
"git_auth": {
"value": [
{
@ -2400,6 +2401,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
},
"enable_terraform_debug_mode": true,
"experiments": ["string"],
"external_token_encryption_keys": ["string"],
"git_auth": {
"value": [
{
@ -2613,6 +2615,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
| `docs_url` | [clibase.URL](#clibaseurl) | false | | |
| `enable_terraform_debug_mode` | boolean | false | | |
| `experiments` | array of string | false | | |
| `external_token_encryption_keys` | array of string | false | | |
| `git_auth` | [clibase.Struct-array_codersdk_GitAuthConfig](#clibasestruct-array_codersdk_gitauthconfig) | false | | |
| `http_address` | string | false | | Http address is a string because it may be set to zero to disable. |
| `in_memory_database` | boolean | false | | |
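Review bot: the new `external_token_encryption_keys` row leaves the description column empty, while the `rotate`/`decrypt`/`delete` subcommands in the commit message imply that more than one key can be configured at a time. Document what the array order means (which key is used to encrypt new data and which are only accepted when decrypting older rows) and that the value is secret and must not be logged or echoed; since this file is marked generated, put that text in the field's source comment so that regenerating the docs preserves it instead of editing the table by hand.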