requested changes

This reverts commit 6533d731f829d79f41bf2f7209e3a636553792b1.

.github/workflows/release-standalone-docker-img-postgres-offical.yml

@@ -1,62 +1,115 @@
 name: Release standalone docker image
 on:
-  push:
-    tags:
-      - "infisical/v*.*.*-postgres"
+    push:
+        tags:
+            - "infisical/v*.*.*-postgres"
 
 jobs:
-  infisical-tests:
-    name: Run tests before deployment
-    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
-    uses: ./.github/workflows/run-backend-tests.yml
-  infisical-standalone:
-    name: Build infisical standalone image postgres
-    runs-on: ubuntu-latest
-    needs: [infisical-tests]
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: version output
-        run: |
-          echo "Output Value: ${{ steps.version.outputs.major }}"
-          echo "Output Value: ${{ steps.version.outputs.minor }}"
-          echo "Output Value: ${{ steps.version.outputs.patch }}"
-          echo "Output Value: ${{ steps.version.outputs.version }}"
-          echo "Output Value: ${{ steps.version.outputs.version_type }}"
-          echo "Output Value: ${{ steps.version.outputs.increment }}"
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          tags: |
-            infisical/infisical:latest-postgres
-            infisical/infisical:${{ steps.commit.outputs.short }}
-            infisical/infisical:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          file: Dockerfile.standalone-infisical
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+    infisical-tests:
+        name: Run tests before deployment
+        # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+        uses: ./.github/workflows/run-backend-tests.yml
+
+    infisical-standalone:
+        name: Build infisical standalone image postgres
+        runs-on: ubuntu-latest
+        needs: [infisical-tests]
+        steps:
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 📦 Install dependencies to test all dependencies
+              run: npm ci --only-production
+              working-directory: backend
+            - name: version output
+              run: |
+                  echo "Output Value: ${{ steps.version.outputs.major }}"
+                  echo "Output Value: ${{ steps.version.outputs.minor }}"
+                  echo "Output Value: ${{ steps.version.outputs.patch }}"
+                  echo "Output Value: ${{ steps.version.outputs.version }}"
+                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
+                  echo "Output Value: ${{ steps.version.outputs.increment }}"
+            - name: Save commit hashes for tag
+              id: commit
+              uses: pr-mpt/actions-commit-hash@v2
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: Set up Depot CLI
+              uses: depot/setup-action@v1
+            - name: 📦 Build backend and export to Docker
+              uses: depot/build-push-action@v1
+              with:
+                  project: 64mmf0n610
+                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+                  push: true
+                  context: .
+                  tags: |
+                      infisical/infisical:latest-postgres
+                      infisical/infisical:${{ steps.commit.outputs.short }}
+                      infisical/infisical:${{ steps.extract_version.outputs.version }}
+                  platforms: linux/amd64,linux/arm64
+                  file: Dockerfile.standalone-infisical
+                  build-args: |
+                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+
+    infisical-fips-standalone:
+        name: Build infisical standalone image postgres
+        runs-on: ubuntu-latest
+        needs: [infisical-tests]
+        steps:
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 📦 Install dependencies to test all dependencies
+              run: npm ci --only-production
+              working-directory: backend
+            - name: version output
+              run: |
+                  echo "Output Value: ${{ steps.version.outputs.major }}"
+                  echo "Output Value: ${{ steps.version.outputs.minor }}"
+                  echo "Output Value: ${{ steps.version.outputs.patch }}"
+                  echo "Output Value: ${{ steps.version.outputs.version }}"
+                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
+                  echo "Output Value: ${{ steps.version.outputs.increment }}"
+            - name: Save commit hashes for tag
+              id: commit
+              uses: pr-mpt/actions-commit-hash@v2
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: Set up Depot CLI
+              uses: depot/setup-action@v1
+            - name: 📦 Build backend and export to Docker
+              uses: depot/build-push-action@v1
+              with:
+                  project: 64mmf0n610
+                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+                  push: true
+                  context: .
+                  tags: |
+                      infisical/infisical-fips:latest-postgres
+                      infisical/infisical-fips:${{ steps.commit.outputs.short }}
+                      infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
+                  platforms: linux/amd64,linux/arm64
+                  file: Dockerfile.fips.standalone-infisical
+                  build-args: |
+                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.infisicalignore

@@ -6,3 +6,4 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/S
 docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
+backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134

Dockerfile.fips.standalone-infisical

@@ -0,0 +1,167 @@
+ARG POSTHOG_HOST=https://app.posthog.com
+ARG POSTHOG_API_KEY=posthog-api-key
+ARG INTERCOM_ID=intercom-id
+ARG CAPTCHA_SITE_KEY=captcha-site-key
+
+FROM node:20-slim AS base
+
+FROM base AS frontend-dependencies
+WORKDIR /app
+
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+
+# Install dependencies
+RUN npm ci --only-production --ignore-scripts
+
+# Rebuild the source code only when needed
+FROM base AS frontend-builder
+WORKDIR /app
+
+# Copy dependencies
+COPY --from=frontend-dependencies /app/node_modules ./node_modules
+# Copy all files 
+COPY /frontend .
+
+ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
+ARG POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ARG INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ARG CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+
+# Build
+RUN npm run build
+
+# Production image
+FROM base AS frontend-runner
+WORKDIR /app
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+
+USER non-root-user
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+##
+## BACKEND
+##
+FROM base AS backend-build
+
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+WORKDIR /app
+
+# Required for pkcs11js
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY /backend .
+COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
+RUN npm i -D tsconfig-paths
+RUN npm run build
+
+# Production stage
+FROM base AS backend-runner
+
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+WORKDIR /app
+
+# Required for pkcs11js
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY --from=backend-build /app .
+
+RUN mkdir frontend-build
+
+# Production stage
+FROM base AS production
+
+# Install necessary packages
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    curl \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+# Give non-root-user permission to update SSL certs
+RUN chown -R non-root-user /etc/ssl/certs
+RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt
+RUN chmod -R u+rwx /etc/ssl/certs
+RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt
+RUN chown non-root-user /usr/sbin/update-ca-certificates
+RUN chmod u+rx /usr/sbin/update-ca-certificates
+
+## set pre baked keys
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID=intercom-id
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ARG CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+
+WORKDIR / 
+
+COPY --from=backend-runner /app /backend
+
+COPY --from=frontend-runner /app ./backend/frontend-build
+
+ENV PORT 8080
+ENV HOST=0.0.0.0
+ENV HTTPS_ENABLED false 
+ENV NODE_ENV production
+ENV STANDALONE_BUILD true 
+ENV STANDALONE_MODE true
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+WORKDIR /backend
+
+ENV TELEMETRY_ENABLED true
+
+EXPOSE 8080
+EXPOSE 443
+
+USER non-root-user
+
+CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -72,6 +72,9 @@ RUN addgroup --system --gid 1001 nodejs \
 
 WORKDIR /app
 
+# Required for pkcs11js
+RUN apk add --no-cache python3 make g++ 
+
 COPY backend/package*.json ./
 RUN npm ci --only-production
 
@@ -85,6 +88,9 @@ FROM base AS backend-runner
 
 WORKDIR /app
 
+# Required for pkcs11js
+RUN apk add --no-cache python3 make g++ 
+
 COPY backend/package*.json ./
 RUN npm ci --only-production
 

backend/Dockerfile

@@ -3,6 +3,12 @@ FROM node:20-alpine AS build
 
 WORKDIR /app
 
+# Required for pkcs11js
+RUN apk --update add \
+        python3 \
+        make \
+        g++
+
 COPY package*.json ./
 RUN npm ci --only-production
 
@@ -11,12 +17,17 @@ RUN npm run build
 
 # Production stage
 FROM node:20-alpine
-
 WORKDIR /app
 
 ENV npm_config_cache /home/node/.npm
 
 COPY package*.json ./
+
+RUN apk --update add \
+        python3 \
+        make \
+        g++
+
 RUN npm ci --only-production && npm cache clean --force
 
 COPY --from=build /app .

backend/Dockerfile.dev

@@ -1,5 +1,44 @@
 FROM node:20-alpine
 
+# ? Setup a test SoftHSM module. In production a real HSM is used.
+
+ARG SOFTHSM2_VERSION=2.5.0
+
+ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
+    SOFTHSM2_SOURCES=/tmp/softhsm2
+
+# install build dependencies including python3
+RUN apk --update add \
+        alpine-sdk \
+        autoconf \
+        automake \
+        git \
+        libtool \
+        openssl-dev \
+        python3 \
+        make \
+        g++
+
+# build and install SoftHSM2
+RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
+WORKDIR ${SOFTHSM2_SOURCES}
+
+RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
+    && sh autogen.sh \
+    && ./configure --prefix=/usr/local --disable-gost \
+    && make \
+    && make install
+
+WORKDIR /root
+RUN rm -fr ${SOFTHSM2_SOURCES}
+
+# install pkcs11-tool
+RUN apk --update add opensc
+
+RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+
+# ? App setup
+
 RUN apk add --no-cache bash curl && curl -1sLf \
   'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
   && apk add infisical=0.8.1 && apk add --no-cache git

backend/e2e-test/vitest-environment-knex.ts

@@ -16,6 +16,7 @@ import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { Redis } from "ioredis";
+import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -54,7 +55,12 @@ export default {
       const smtp = mockSmtpServer();
       const queue = queueServiceFactory(cfg.REDIS_URL);
       const keyStore = keyStoreFactory(cfg.REDIS_URL);
-      const server = await main({ db, smtp, logger, queue, keyStore });
+
+      const hsmModule = initializeHsmModule();
+      hsmModule.initialize();
+
+      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule() });
+
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type

backend/package-lock.json

@@ -83,6 +83,7 @@
         "pg-query-stream": "^4.5.3",
         "picomatch": "^3.0.1",
         "pino": "^8.16.2",
+        "pkcs11js": "^2.1.6",
         "pkijs": "^3.2.4",
         "posthog-node": "^3.6.2",
         "probot": "^13.3.8",
@@ -120,6 +121,7 @@
         "@types/passport-google-oauth20": "^2.0.14",
         "@types/pg": "^8.10.9",
         "@types/picomatch": "^2.3.3",
+        "@types/pkcs11js": "^1.0.4",
         "@types/prompt-sync": "^4.2.3",
         "@types/resolve": "^1.20.6",
         "@types/safe-regex": "^1.1.6",
@@ -8830,6 +8832,17 @@
       "integrity": "sha512-Yll76ZHikRFCyz/pffKGjrCwe/le2CDwOP5F210KQo27kpRE46U2rDnzikNlVn6/ezH3Mhn46bJMTfeVTtcYMg==",
       "dev": true
     },
+    "node_modules/@types/pkcs11js": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@types/pkcs11js/-/pkcs11js-1.0.4.tgz",
+      "integrity": "sha512-Pkq8VbwZZv7o/6ODFOhxw0s0M8J4ucg4/I4V1dSCn8tUwWgIKIYzuV4Pp2fYuir81DgQXAF5TpGyhBMjJ3FjFw==",
+      "deprecated": "This is a stub types definition for pkcs11js (https://github.com/PeculiarVentures/pkcs11js). pkcs11js provides its own type definitions, so you don't need @types/pkcs11js installed!",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "pkcs11js": "*"
+      }
+    },
     "node_modules/@types/prompt-sync": {
       "version": "4.2.3",
       "resolved": "https://registry.npmjs.org/@types/prompt-sync/-/prompt-sync-4.2.3.tgz",
@@ -17066,6 +17079,20 @@
         "node": ">= 6"
       }
     },
+    "node_modules/pkcs11js": {
+      "version": "2.1.6",
+      "resolved": "https://registry.npmjs.org/pkcs11js/-/pkcs11js-2.1.6.tgz",
+      "integrity": "sha512-+t5jxzB749q8GaEd1yNx3l98xYuaVK6WW/Vjg1Mk1Iy5bMu/A5W4O/9wZGrpOknWF6lFQSb12FXX+eSNxdriwA==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/PeculiarVentures"
+      }
+    },
     "node_modules/pkg-conf": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/pkg-conf/-/pkg-conf-3.1.0.tgz",
@@ -19761,9 +19788,10 @@
       }
     },
     "node_modules/tslib": {
-      "version": "2.6.3",
-      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.6.3.tgz",
-      "integrity": "sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ=="
+      "version": "2.8.0",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.0.tgz",
+      "integrity": "sha512-jWVzBLplnCmoaTr13V9dYbiQ99wvZRd0vNWaDRg+aVYRcjDF3nDksxFDE/+fkXnKhpnUUkmx5pK/v8mCtLVqZA==",
+      "license": "0BSD"
     },
     "node_modules/tsup": {
       "version": "8.0.1",

backend/package.json

@@ -84,6 +84,7 @@
     "@types/passport-google-oauth20": "^2.0.14",
     "@types/pg": "^8.10.9",
     "@types/picomatch": "^2.3.3",
+    "@types/pkcs11js": "^1.0.4",
     "@types/prompt-sync": "^4.2.3",
     "@types/resolve": "^1.20.6",
     "@types/safe-regex": "^1.1.6",
@@ -188,6 +189,7 @@
     "pg-query-stream": "^4.5.3",
     "picomatch": "^3.0.1",
     "pino": "^8.16.2",
+    "pkcs11js": "^2.1.6",
     "pkijs": "^3.2.4",
     "posthog-node": "^3.6.2",
     "probot": "^13.3.8",

backend/src/@types/fastify.d.ts

@@ -44,6 +44,7 @@ import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
+import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
@@ -184,6 +185,7 @@ declare module "fastify" {
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
       externalKms: TExternalKmsServiceFactory;
+      hsm: THsmServiceFactory;
       orgAdmin: TOrgAdminServiceFactory;
       slack: TSlackServiceFactory;
       workflowIntegration: TWorkflowIntegrationServiceFactory;

backend/src/db/migrations/20241107112632_skip-bootstrap-cert-validation-est.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
-    TableName.CertificateTemplateEstConfig,
-    "disableBootstrapCertValidation"
-  );
-
-  const hasCaChainCol = await knex.schema.hasColumn(TableName.CertificateTemplateEstConfig, "encryptedCaChain");
-
-  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
-    if (!hasDisableBootstrapCertValidationCol) {
-      t.boolean("disableBootstrapCertValidation").defaultTo(false).notNullable();
-    }
-
-    if (hasCaChainCol) {
-      t.binary("encryptedCaChain").nullable().alter();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
-    TableName.CertificateTemplateEstConfig,
-    "disableBootstrapCertValidation"
-  );
-
-  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
-    if (hasDisableBootstrapCertValidationCol) {
-      t.dropColumn("disableBootstrapCertValidation");
-    }
-  });
-}

backend/src/db/migrations/20241111175154_kms-root-cfg-hsm.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
+  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
+
+  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
+    if (!hasEncryptionStrategy) t.string("encryptionStrategy").defaultTo("SOFTWARE");
+    if (!hasTimestampsCol) t.timestamps(true, true, true);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
+  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
+
+  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
+    if (hasEncryptionStrategy) t.dropColumn("encryptionStrategy");
+    if (hasTimestampsCol) t.dropTimestamps(true);
+  });
+}

backend/src/db/schemas/certificate-template-est-configs.ts

@@ -12,12 +12,11 @@ import { TImmutableDBKeys } from "./models";
 export const CertificateTemplateEstConfigsSchema = z.object({
   id: z.string().uuid(),
   certificateTemplateId: z.string().uuid(),
-  encryptedCaChain: zodBuffer.nullable().optional(),
+  encryptedCaChain: zodBuffer,
   hashedPassphrase: z.string(),
   isEnabled: z.boolean(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  disableBootstrapCertValidation: z.boolean().default(false)
+  updatedAt: z.date()
 });
 
 export type TCertificateTemplateEstConfigs = z.infer<typeof CertificateTemplateEstConfigsSchema>;

backend/src/db/schemas/kms-root-config.ts

@@ -11,7 +11,10 @@ import { TImmutableDBKeys } from "./models";
 
 export const KmsRootConfigSchema = z.object({
   id: z.string().uuid(),
-  encryptedRootKey: zodBuffer
+  encryptedRootKey: zodBuffer,
+  encryptionStrategy: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date()
 });
 
 export type TKmsRootConfig = z.infer<typeof KmsRootConfigSchema>;

backend/src/ee/services/certificate-est/certificate-est-service.ts

@@ -171,29 +171,27 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    if (!estConfig.disableBootstrapCertValidation) {
-      const caCerts = estConfig.caChain
-        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
-        ?.map((cert) => {
-          return new x509.X509Certificate(cert);
-        });
+    const caCerts = estConfig.caChain
+      .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+      ?.map((cert) => {
+        return new x509.X509Certificate(cert);
+      });
 
-      if (!caCerts) {
-        throw new BadRequestError({ message: "Failed to parse certificate chain" });
-      }
+    if (!caCerts) {
+      throw new BadRequestError({ message: "Failed to parse certificate chain" });
+    }
 
-      const leafCertificate = decodeURIComponent(sslClientCert).match(
-        /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
-      )?.[0];
+    const leafCertificate = decodeURIComponent(sslClientCert).match(
+      /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
+    )?.[0];
 
-      if (!leafCertificate) {
-        throw new BadRequestError({ message: "Missing client certificate" });
-      }
+    if (!leafCertificate) {
+      throw new BadRequestError({ message: "Missing client certificate" });
+    }
 
-      const certObj = new x509.X509Certificate(leafCertificate);
-      if (!(await isCertChainValid([certObj, ...caCerts]))) {
-        throw new BadRequestError({ message: "Invalid certificate chain" });
-      }
+    const certObj = new x509.X509Certificate(leafCertificate);
+    if (!(await isCertChainValid([certObj, ...caCerts]))) {
+      throw new BadRequestError({ message: "Invalid certificate chain" });
     }
 
     const { certificate } = await certificateAuthorityService.signCertFromCa({

backend/src/ee/services/hsm/hsm-fns.ts

@@ -0,0 +1,58 @@
+import * as pkcs11js from "pkcs11js";
+
+import { getConfig } from "@app/lib/config/env";
+import { logger } from "@app/lib/logger";
+
+import { HsmModule } from "./hsm-types";
+
+export const initializeHsmModule = () => {
+  const appCfg = getConfig();
+
+  // Create a new instance of PKCS11 module
+  const pkcs11 = new pkcs11js.PKCS11();
+  let isInitialized = false;
+
+  const initialize = () => {
+    if (!appCfg.isHsmConfigured) {
+      return;
+    }
+
+    try {
+      // Load the PKCS#11 module
+      pkcs11.load(appCfg.HSM_LIB_PATH!);
+
+      // Initialize the module
+      pkcs11.C_Initialize();
+      isInitialized = true;
+
+      logger.info("PKCS#11 module initialized");
+    } catch (err) {
+      logger.error("Failed to initialize PKCS#11 module:", err);
+      throw err;
+    }
+  };
+
+  const finalize = () => {
+    if (isInitialized) {
+      try {
+        pkcs11.C_Finalize();
+        isInitialized = false;
+        logger.info("PKCS#11 module finalized");
+      } catch (err) {
+        logger.error("Failed to finalize PKCS#11 module:", err);
+        throw err;
+      }
+    }
+  };
+
+  const getModule = (): HsmModule => ({
+    pkcs11,
+    isInitialized
+  });
+
+  return {
+    initialize,
+    finalize,
+    getModule
+  };
+};

backend/src/ee/services/hsm/hsm-service.ts

@@ -0,0 +1,470 @@
+import pkcs11js from "pkcs11js";
+
+import { getConfig } from "@app/lib/config/env";
+import { logger } from "@app/lib/logger";
+
+import { HsmKeyType, HsmModule } from "./hsm-types";
+
+type THsmServiceFactoryDep = {
+  hsmModule: HsmModule;
+};
+
+export type THsmServiceFactory = ReturnType<typeof hsmServiceFactory>;
+
+type SyncOrAsync<T> = T | Promise<T>;
+type SessionCallback<T> = (session: pkcs11js.Handle) => SyncOrAsync<T>;
+
+// eslint-disable-next-line no-empty-pattern
+export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 } }: THsmServiceFactoryDep) => {
+  const appCfg = getConfig();
+
+  // Constants for buffer structures
+  const IV_LENGTH = 16; // Luna HSM typically expects 16-byte IV for cbc
+  const BLOCK_SIZE = 16;
+  const HMAC_SIZE = 32;
+
+  const AES_KEY_SIZE = 256;
+  const HMAC_KEY_SIZE = 256;
+
+  const $withSession = async <T>(callbackWithSession: SessionCallback<T>): Promise<T> => {
+    const RETRY_INTERVAL = 200; // 200ms between attempts
+    const MAX_TIMEOUT = 90_000; // 90 seconds maximum total time
+
+    let sessionHandle: pkcs11js.Handle | null = null;
+
+    const removeSession = () => {
+      if (sessionHandle !== null) {
+        try {
+          pkcs11.C_Logout(sessionHandle);
+          pkcs11.C_CloseSession(sessionHandle);
+          logger.info("HSM: Terminated session successfully");
+        } catch (error) {
+          logger.error(error, "HSM: Failed to terminate session");
+        } finally {
+          sessionHandle = null;
+        }
+      }
+    };
+
+    try {
+      if (!pkcs11 || !isInitialized) {
+        throw new Error("PKCS#11 module is not initialized");
+      }
+
+      // Get slot list
+      let slots: pkcs11js.Handle[];
+      try {
+        slots = pkcs11.C_GetSlotList(false); // false to get all slots
+      } catch (error) {
+        throw new Error(`Failed to get slot list: ${(error as Error)?.message}`);
+      }
+
+      if (slots.length === 0) {
+        throw new Error("No slots available");
+      }
+
+      if (appCfg.HSM_SLOT >= slots.length) {
+        throw new Error(`HSM slot ${appCfg.HSM_SLOT} not found or not initialized`);
+      }
+
+      const slotId = slots[appCfg.HSM_SLOT];
+
+      const startTime = Date.now();
+      while (Date.now() - startTime < MAX_TIMEOUT) {
+        try {
+          // Open session
+          // eslint-disable-next-line no-bitwise
+          sessionHandle = pkcs11.C_OpenSession(slotId, pkcs11js.CKF_SERIAL_SESSION | pkcs11js.CKF_RW_SESSION);
+
+          // Login
+          try {
+            pkcs11.C_Login(sessionHandle, pkcs11js.CKU_USER, appCfg.HSM_PIN);
+            logger.info("HSM: Successfully authenticated");
+            break;
+          } catch (error) {
+            // Handle specific error cases
+            if (error instanceof pkcs11js.Pkcs11Error) {
+              if (error.code === pkcs11js.CKR_PIN_INCORRECT) {
+                // We throw instantly here to prevent further attempts, because if too many attempts are made, the HSM will potentially wipe all key material
+                logger.error(error, `HSM: Incorrect PIN detected for HSM slot ${appCfg.HSM_SLOT}`);
+                throw new Error("HSM: Incorrect HSM Pin detected. Please check the HSM configuration.");
+              }
+              if (error.code === pkcs11js.CKR_USER_ALREADY_LOGGED_IN) {
+                logger.warn("HSM: Session already logged in");
+              }
+            }
+            throw error; // Re-throw other errors
+          }
+        } catch (error) {
+          logger.warn(`HSM: Session creation failed. Retrying... Error: ${(error as Error)?.message}`);
+
+          if (sessionHandle !== null) {
+            try {
+              pkcs11.C_CloseSession(sessionHandle);
+            } catch (closeError) {
+              logger.error(closeError, "HSM: Failed to close session");
+            }
+            sessionHandle = null;
+          }
+
+          // Wait before retrying
+          // eslint-disable-next-line no-await-in-loop
+          await new Promise((resolve) => {
+            setTimeout(resolve, RETRY_INTERVAL);
+          });
+        }
+      }
+
+      if (sessionHandle === null) {
+        throw new Error("HSM: Failed to open session after maximum retries");
+      }
+
+      // Execute callback with session handle
+      const result = await callbackWithSession(sessionHandle);
+      removeSession();
+      return result;
+    } catch (error) {
+      logger.error(error, "HSM: Failed to open session");
+      throw error;
+    } finally {
+      // Ensure cleanup
+      removeSession();
+    }
+  };
+
+  const $findKey = (sessionHandle: pkcs11js.Handle, type: HsmKeyType) => {
+    const label = type === HsmKeyType.HMAC ? `${appCfg.HSM_KEY_LABEL}_HMAC` : appCfg.HSM_KEY_LABEL;
+    const keyType = type === HsmKeyType.HMAC ? pkcs11js.CKK_GENERIC_SECRET : pkcs11js.CKK_AES;
+
+    const template = [
+      { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
+      { type: pkcs11js.CKA_KEY_TYPE, value: keyType },
+      { type: pkcs11js.CKA_LABEL, value: label }
+    ];
+
+    try {
+      // Initialize search
+      pkcs11.C_FindObjectsInit(sessionHandle, template);
+
+      try {
+        // Find first matching object
+        const handles = pkcs11.C_FindObjects(sessionHandle, 1);
+
+        if (handles.length === 0) {
+          throw new Error("Failed to find master key");
+        }
+
+        return handles[0]; // Return the key handle
+      } finally {
+        // Always finalize the search operation
+        pkcs11.C_FindObjectsFinal(sessionHandle);
+      }
+    } catch (error) {
+      return null;
+    }
+  };
+
+  const $keyExists = (session: pkcs11js.Handle, type: HsmKeyType): boolean => {
+    try {
+      const key = $findKey(session, type);
+      // items(0) will throw an error if no items are found
+      // Return true only if we got a valid object with handle
+      return !!key && key.length > 0;
+    } catch (error) {
+      // If items(0) throws, it means no key was found
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-call
+      logger.error(error, "HSM: Failed while checking for HSM key presence");
+
+      if (error instanceof pkcs11js.Pkcs11Error) {
+        if (error.code === pkcs11js.CKR_OBJECT_HANDLE_INVALID) {
+          return false;
+        }
+      }
+
+      return false;
+    }
+  };
+
+  const encrypt: {
+    (data: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
+    (data: Buffer): Promise<Buffer>;
+  } = async (data: Buffer, providedSession?: pkcs11js.Handle) => {
+    if (!pkcs11 || !isInitialized) {
+      throw new Error("PKCS#11 module is not initialized");
+    }
+
+    const $performEncryption = (sessionHandle: pkcs11js.Handle) => {
+      try {
+        const aesKey = $findKey(sessionHandle, HsmKeyType.AES);
+        if (!aesKey) {
+          throw new Error("HSM: Encryption failed, AES key not found");
+        }
+
+        const hmacKey = $findKey(sessionHandle, HsmKeyType.HMAC);
+        if (!hmacKey) {
+          throw new Error("HSM: Encryption failed, HMAC key not found");
+        }
+
+        const iv = Buffer.alloc(IV_LENGTH);
+        pkcs11.C_GenerateRandom(sessionHandle, iv);
+
+        const encryptMechanism = {
+          mechanism: pkcs11js.CKM_AES_CBC_PAD,
+          parameter: iv
+        };
+
+        pkcs11.C_EncryptInit(sessionHandle, encryptMechanism, aesKey);
+
+        // Calculate max buffer size (input length + potential full block of padding)
+        const maxEncryptedLength = Math.ceil(data.length / BLOCK_SIZE) * BLOCK_SIZE + BLOCK_SIZE;
+
+        // Encrypt the data - this returns the encrypted data directly
+        const encryptedData = pkcs11.C_Encrypt(sessionHandle, data, Buffer.alloc(maxEncryptedLength));
+
+        // Initialize HMAC
+        const hmacMechanism = {
+          mechanism: pkcs11js.CKM_SHA256_HMAC
+        };
+
+        pkcs11.C_SignInit(sessionHandle, hmacMechanism, hmacKey);
+
+        // Sign the IV and encrypted data
+        pkcs11.C_SignUpdate(sessionHandle, iv);
+        pkcs11.C_SignUpdate(sessionHandle, encryptedData);
+
+        // Get the HMAC
+        const hmac = Buffer.alloc(HMAC_SIZE);
+        pkcs11.C_SignFinal(sessionHandle, hmac);
+
+        // Combine encrypted data and HMAC [Encrypted Data | HMAC]
+        const finalBuffer = Buffer.alloc(encryptedData.length + hmac.length);
+        encryptedData.copy(finalBuffer);
+        hmac.copy(finalBuffer, encryptedData.length);
+
+        return Buffer.concat([iv, finalBuffer]);
+      } catch (error) {
+        logger.error(error, "HSM: Failed to perform encryption");
+        throw new Error(`HSM: Encryption failed: ${(error as Error)?.message}`);
+      }
+    };
+
+    if (providedSession) {
+      return $performEncryption(providedSession);
+    }
+
+    const result = await $withSession($performEncryption);
+    return result;
+  };
+
+  const decrypt: {
+    (encryptedBlob: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
+    (encryptedBlob: Buffer): Promise<Buffer>;
+  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle) => {
+    if (!pkcs11 || !isInitialized) {
+      throw new Error("PKCS#11 module is not initialized");
+    }
+
+    const $performDecryption = (sessionHandle: pkcs11js.Handle) => {
+      try {
+        // structure is: [IV (16 bytes) | Encrypted Data (N bytes) | HMAC (32 bytes)]
+        const iv = encryptedBlob.subarray(0, IV_LENGTH);
+        const encryptedDataWithHmac = encryptedBlob.subarray(IV_LENGTH);
+
+        // Split encrypted data and HMAC
+        const hmac = encryptedDataWithHmac.subarray(-HMAC_SIZE); // Last 32 bytes are HMAC
+
+        const encryptedData = encryptedDataWithHmac.subarray(0, -HMAC_SIZE); // Everything except last 32 bytes
+
+        // Find the keys
+        const aesKey = $findKey(sessionHandle, HsmKeyType.AES);
+        if (!aesKey) {
+          throw new Error("HSM: Decryption failed, AES key not found");
+        }
+
+        const hmacKey = $findKey(sessionHandle, HsmKeyType.HMAC);
+        if (!hmacKey) {
+          throw new Error("HSM: Decryption failed, HMAC key not found");
+        }
+
+        // Verify HMAC first
+        const hmacMechanism = {
+          mechanism: pkcs11js.CKM_SHA256_HMAC
+        };
+
+        pkcs11.C_VerifyInit(sessionHandle, hmacMechanism, hmacKey);
+        pkcs11.C_VerifyUpdate(sessionHandle, iv);
+        pkcs11.C_VerifyUpdate(sessionHandle, encryptedData);
+
+        try {
+          pkcs11.C_VerifyFinal(sessionHandle, hmac);
+        } catch (error) {
+          logger.error(error, "HSM: HMAC verification failed");
+          throw new Error("HSM: Decryption failed"); // Generic error for failed verification
+        }
+
+        // Only decrypt if verification passed
+        const decryptMechanism = {
+          mechanism: pkcs11js.CKM_AES_CBC_PAD,
+          parameter: iv
+        };
+
+        pkcs11.C_DecryptInit(sessionHandle, decryptMechanism, aesKey);
+
+        const tempBuffer = Buffer.alloc(encryptedData.length);
+        const decryptedData = pkcs11.C_Decrypt(sessionHandle, encryptedData, tempBuffer);
+
+        // Create a new buffer from the decrypted data
+        return Buffer.from(decryptedData);
+      } catch (error) {
+        logger.error(error, "HSM: Failed to perform decryption");
+        throw new Error("HSM: Decryption failed"); // Generic error for failed decryption, to avoid leaking details about why it failed (such as padding related errors)
+      }
+    };
+
+    if (providedSession) {
+      return $performDecryption(providedSession);
+    }
+
+    const result = await $withSession($performDecryption);
+    return result;
+  };
+
+  // We test the core functionality of the PKCS#11 module that we are using throughout Infisical. This is to ensure that the user doesn't configure a faulty or unsupported HSM device.
+  const $testPkcs11Module = async (session: pkcs11js.Handle) => {
+    try {
+      if (!pkcs11 || !isInitialized) {
+        throw new Error("PKCS#11 module is not initialized");
+      }
+
+      if (!session) {
+        throw new Error("HSM: Attempted to run test without a valid session");
+      }
+
+      const randomData = pkcs11.C_GenerateRandom(session, Buffer.alloc(500));
+
+      const encryptedData = await encrypt(randomData, session);
+      const decryptedData = await decrypt(encryptedData, session);
+
+      const randomDataHex = randomData.toString("hex");
+      const decryptedDataHex = decryptedData.toString("hex");
+
+      if (randomDataHex !== decryptedDataHex && Buffer.compare(randomData, decryptedData)) {
+        throw new Error("HSM: Startup test failed. Decrypted data does not match original data");
+      }
+
+      return true;
+    } catch (error) {
+      logger.error(error, "HSM: Error testing PKCS#11 module");
+      return false;
+    }
+  };
+
+  const isActive = async () => {
+    if (!isInitialized || !appCfg.isHsmConfigured) {
+      return false;
+    }
+
+    let pkcs11TestPassed = false;
+
+    try {
+      pkcs11TestPassed = await $withSession($testPkcs11Module);
+    } catch (err) {
+      logger.error(err, "HSM: Error testing PKCS#11 module");
+    }
+
+    return appCfg.isHsmConfigured && isInitialized && pkcs11TestPassed;
+  };
+
+  const startService = async () => {
+    if (!appCfg.isHsmConfigured || !pkcs11 || !isInitialized) return;
+
+    try {
+      await $withSession(async (sessionHandle) => {
+        // Check if master key exists, create if not
+
+        const genericAttributes = [
+          { type: pkcs11js.CKA_TOKEN, value: true }, // Persistent storage
+          { type: pkcs11js.CKA_EXTRACTABLE, value: false }, // Cannot be extracted
+          { type: pkcs11js.CKA_SENSITIVE, value: true }, // Sensitive value
+          { type: pkcs11js.CKA_PRIVATE, value: true } // Requires authentication
+        ];
+
+        if (!$keyExists(sessionHandle, HsmKeyType.AES)) {
+          // Template for generating 256-bit AES master key
+          const keyTemplate = [
+            { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
+            { type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_AES },
+            { type: pkcs11js.CKA_VALUE_LEN, value: AES_KEY_SIZE / 8 },
+            { type: pkcs11js.CKA_LABEL, value: appCfg.HSM_KEY_LABEL! },
+            { type: pkcs11js.CKA_ENCRYPT, value: true }, // Allow encryption
+            { type: pkcs11js.CKA_DECRYPT, value: true }, // Allow decryption
+            ...genericAttributes
+          ];
+
+          // Generate the key
+          pkcs11.C_GenerateKey(
+            sessionHandle,
+            {
+              mechanism: pkcs11js.CKM_AES_KEY_GEN
+            },
+            keyTemplate
+          );
+
+          logger.info(`HSM: Master key created successfully with label: ${appCfg.HSM_KEY_LABEL}`);
+        }
+
+        // Check if HMAC key exists, create if not
+        if (!$keyExists(sessionHandle, HsmKeyType.HMAC)) {
+          const hmacKeyTemplate = [
+            { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
+            { type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_GENERIC_SECRET },
+            { type: pkcs11js.CKA_VALUE_LEN, value: HMAC_KEY_SIZE / 8 }, // 256-bit key
+            { type: pkcs11js.CKA_LABEL, value: `${appCfg.HSM_KEY_LABEL!}_HMAC` },
+            { type: pkcs11js.CKA_SIGN, value: true }, // Allow signing
+            { type: pkcs11js.CKA_VERIFY, value: true }, // Allow verification
+            ...genericAttributes
+          ];
+
+          // Generate the HMAC key
+          pkcs11.C_GenerateKey(
+            sessionHandle,
+            {
+              mechanism: pkcs11js.CKM_GENERIC_SECRET_KEY_GEN
+            },
+            hmacKeyTemplate
+          );
+
+          logger.info(`HSM: HMAC key created successfully with label: ${appCfg.HSM_KEY_LABEL}_HMAC`);
+        }
+
+        // Get slot info to check supported mechanisms
+        const slotId = pkcs11.C_GetSessionInfo(sessionHandle).slotID;
+        const mechanisms = pkcs11.C_GetMechanismList(slotId);
+
+        // Check for AES CBC PAD support
+        const hasAesCbc = mechanisms.includes(pkcs11js.CKM_AES_CBC_PAD);
+
+        if (!hasAesCbc) {
+          throw new Error(`Required mechanism CKM_AEC_CBC_PAD not supported by HSM`);
+        }
+
+        // Run test encryption/decryption
+        const testPassed = await $testPkcs11Module(sessionHandle);
+
+        if (!testPassed) {
+          throw new Error("PKCS#11 module test failed. Please ensure that the HSM is correctly configured.");
+        }
+      });
+    } catch (error) {
+      logger.error(error, "HSM: Error initializing HSM service:");
+      throw error;
+    }
+  };
+
+  return {
+    encrypt,
+    startService,
+    isActive,
+    decrypt
+  };
+};

backend/src/ee/services/hsm/hsm-types.ts

@@ -0,0 +1,11 @@
+import pkcs11js from "pkcs11js";
+
+export type HsmModule = {
+  pkcs11: pkcs11js.PKCS11;
+  isInitialized: boolean;
+};
+
+export enum HsmKeyType {
+  AES = "AES",
+  HMAC = "hmac"
+}

backend/src/ee/services/license/license-fns.ts

@@ -29,6 +29,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   auditLogStreams: false,
   auditLogStreamLimit: 3,
   samlSSO: false,
+  hsm: false,
   oidcSSO: false,
   scim: false,
   ldap: false,

backend/src/ee/services/license/license-types.ts

@@ -46,6 +46,7 @@ export type TFeatureSet = {
   auditLogStreams: false;
   auditLogStreamLimit: 3;
   samlSSO: false;
+  hsm: false;
   oidcSSO: false;
   scim: false;
   ldap: false;

backend/src/lib/api-docs/constants.ts

@@ -582,11 +582,6 @@ export const FOLDERS = {
     projectSlug: "The slug of the project where the folder is located.",
     workspaceId: "The ID of the project where the folder is located."
   },
-  MOVE: {
-    projectId: "The ID of the project to move the folder from.",
-    folderId: "The ID of the folder to move.",
-    newPath: "The new path of the folder."
-  },
   DELETE: {
     folderIdOrName: "The ID or name of the folder to delete.",
     workspaceId: "The ID of the project to delete the folder from.",

backend/src/lib/config/env.ts

@@ -163,10 +163,22 @@ const envSchema = z
     SSL_CLIENT_CERTIFICATE_HEADER_KEY: zpStr(z.string().optional()).default("x-ssl-client-cert"),
     WORKFLOW_SLACK_CLIENT_ID: zpStr(z.string().optional()),
     WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional()),
-    ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true")
+    ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true"),
+
+    // HSM
+    HSM_LIB_PATH: zpStr(z.string().optional()),
+    HSM_PIN: zpStr(z.string().optional()),
+    HSM_KEY_LABEL: zpStr(z.string().optional()),
+    HSM_SLOT: z.coerce.number().optional().default(0)
   })
+  // To ensure that basic encryption is always possible.
+  .refine(
+    (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
+    "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
+  )
   .transform((data) => ({
     ...data,
+
     DB_READ_REPLICAS: data.DB_READ_REPLICAS
       ? databaseReadReplicaSchema.parse(JSON.parse(data.DB_READ_REPLICAS))
       : undefined,
@@ -175,10 +187,14 @@ const envSchema = z
     isRedisConfigured: Boolean(data.REDIS_URL),
     isDevelopmentMode: data.NODE_ENV === "development",
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
+
     isSecretScanningConfigured:
       Boolean(data.SECRET_SCANNING_GIT_APP_ID) &&
       Boolean(data.SECRET_SCANNING_PRIVATE_KEY) &&
       Boolean(data.SECRET_SCANNING_WEBHOOK_SECRET),
+    isHsmConfigured:
+      Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined,
+
     samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
     SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
   }));

backend/src/lib/validator/index.ts

@@ -1,3 +1,2 @@
 export { isDisposableEmail } from "./validate-email";
-export { isValidFolderName, isValidSecretPath } from "./validate-folder-name";
 export { blockLocalAndPrivateIpAddresses } from "./validate-url";

backend/src/lib/validator/validate-folder-name.ts

@@ -1,8 +0,0 @@
-// regex to allow only alphanumeric, dash, underscore
-export const isValidFolderName = (name: string) => /^[a-zA-Z0-9-_]+$/.test(name);
-
-export const isValidSecretPath = (path: string) =>
-  path
-    .split("/")
-    .filter((el) => el.length)
-    .every((name) => isValidFolderName(name));

backend/src/main.ts

@@ -1,6 +1,8 @@
 import dotenv from "dotenv";
 import path from "path";
 
+import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
+
 import { initAuditLogDbConnection, initDbConnection } from "./db";
 import { keyStoreFactory } from "./keystore/keystore";
 import { formatSmtpConfig, initEnvConfig, IS_PACKAGED } from "./lib/config/env";
@@ -53,13 +55,17 @@ const run = async () => {
   const queue = queueServiceFactory(appCfg.REDIS_URL);
   const keyStore = keyStoreFactory(appCfg.REDIS_URL);
 
-  const server = await main({ db, auditLogDb, smtp, logger, queue, keyStore });
+  const hsmModule = initializeHsmModule();
+  hsmModule.initialize();
+
+  const server = await main({ db, auditLogDb, hsmModule: hsmModule.getModule(), smtp, logger, queue, keyStore });
   const bootstrap = await bootstrapCheck({ db });
 
   // eslint-disable-next-line
   process.on("SIGINT", async () => {
     await server.close();
     await db.destroy();
+    hsmModule.finalize();
     process.exit(0);
   });
 
@@ -67,6 +73,7 @@ const run = async () => {
   process.on("SIGTERM", async () => {
     await server.close();
     await db.destroy();
+    hsmModule.finalize();
     process.exit(0);
   });
 

backend/src/server/app.ts

@@ -14,6 +14,7 @@ import fastify from "fastify";
 import { Knex } from "knex";
 import { Logger } from "pino";
 
+import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
@@ -36,16 +37,19 @@ type TMain = {
   logger?: Logger;
   queue: TQueueServiceFactory;
   keyStore: TKeyStoreFactory;
+  hsmModule: HsmModule;
 };
 
 // Run the server!
-export const main = async ({ db, auditLogDb, smtp, logger, queue, keyStore }: TMain) => {
+export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, keyStore }: TMain) => {
   const appCfg = getConfig();
+
   const server = fastify({
     logger: appCfg.NODE_ENV === "test" ? false : logger,
     trustProxy: true,
-    connectionTimeout: 30 * 1000,
-    ignoreTrailingSlash: true
+    connectionTimeout: appCfg.isHsmConfigured ? 90_000 : 30_000,
+    ignoreTrailingSlash: true,
+    pluginTimeout: 40_000
   }).withTypeProvider<ZodTypeProvider>();
 
   server.setValidatorCompiler(validatorCompiler);
@@ -95,7 +99,7 @@ export const main = async ({ db, auditLogDb, smtp, logger, queue, keyStore }: TM
 
     await server.register(maintenanceMode);
 
-    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore });
+    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule });
 
     if (appCfg.isProductionMode) {
       await server.register(registerExternalNextjs, {

backend/src/server/routes/index.ts

@@ -1,5 +1,4 @@
 import { CronJob } from "cron";
-// import { Redis } from "ioredis";
 import { Knex } from "knex";
 import { z } from "zod";
 
@@ -31,6 +30,8 @@ import { externalKmsServiceFactory } from "@app/ee/services/external-kms/externa
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
 import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
+import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
+import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { identityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
@@ -223,10 +224,18 @@ export const registerRoutes = async (
   {
     auditLogDb,
     db,
+    hsmModule,
     smtp: smtpService,
     queue: queueService,
     keyStore
-  }: { auditLogDb?: Knex; db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
+  }: {
+    auditLogDb?: Knex;
+    db: Knex;
+    hsmModule: HsmModule;
+    smtp: TSmtpService;
+    queue: TQueueServiceFactory;
+    keyStore: TKeyStoreFactory;
+  }
 ) => {
   const appCfg = getConfig();
   await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
@@ -352,14 +361,21 @@ export const registerRoutes = async (
     projectDAL
   });
   const licenseService = licenseServiceFactory({ permissionService, orgDAL, licenseDAL, keyStore });
+
+  const hsmService = hsmServiceFactory({
+    hsmModule
+  });
+
   const kmsService = kmsServiceFactory({
     kmsRootConfigDAL,
     keyStore,
     kmsDAL,
     internalKmsDAL,
     orgDAL,
-    projectDAL
+    projectDAL,
+    hsmService
   });
+
   const externalKmsService = externalKmsServiceFactory({
     kmsDAL,
     kmsService,
@@ -556,6 +572,7 @@ export const registerRoutes = async (
     userDAL,
     authService: loginService,
     serverCfgDAL: superAdminDAL,
+    kmsRootConfigDAL,
     orgService,
     keyStore,
     licenseService,
@@ -1261,10 +1278,13 @@ export const registerRoutes = async (
   });
 
   await superAdminService.initServerCfg();
-  //
+
   // setup the communication with license key server
   await licenseService.init();
 
+  // Start HSM service if it's configured/enabled.
+  await hsmService.startService();
+
   await telemetryQueue.startTelemetryCheck();
   await dailyResourceCleanUp.startCleanUp();
   await dailyExpiringPkiItemAlert.startSendingAlerts();
@@ -1342,6 +1362,7 @@ export const registerRoutes = async (
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
     externalKms: externalKmsService,
+    hsm: hsmService,
     cmek: cmekService,
     orgAdmin: orgAdminService,
     slack: slackService,

backend/src/server/routes/v1/admin-router.ts

@@ -7,6 +7,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { LoginMethod } from "@app/services/super-admin/super-admin-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -195,6 +196,57 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/encryption-strategies",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          strategies: z
+            .object({
+              strategy: z.nativeEnum(RootKeyEncryptionStrategy),
+              enabled: z.boolean()
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+
+    handler: async () => {
+      const encryptionDetails = await server.services.superAdmin.getConfiguredEncryptionStrategies();
+      return encryptionDetails;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/encryption-strategies",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        strategy: z.nativeEnum(RootKeyEncryptionStrategy)
+      })
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      await server.services.superAdmin.updateRootEncryptionStrategy(req.body.strategy);
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/signup",

backend/src/server/routes/v1/certificate-template-router.ts

@@ -14,8 +14,7 @@ import { validateTemplateRegexField } from "@app/services/certificate-template/c
 const sanitizedEstConfig = CertificateTemplateEstConfigsSchema.pick({
   id: true,
   certificateTemplateId: true,
-  isEnabled: true,
-  disableBootstrapCertValidation: true
+  isEnabled: true
 });
 
 export const registerCertificateTemplateRouter = async (server: FastifyZodProvider) => {
@@ -242,18 +241,11 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
       params: z.object({
         certificateTemplateId: z.string().trim()
       }),
-      body: z
-        .object({
-          caChain: z.string().trim().optional(),
-          passphrase: z.string().min(1),
-          isEnabled: z.boolean().default(true),
-          disableBootstrapCertValidation: z.boolean().default(false)
-        })
-        .refine(
-          ({ caChain, disableBootstrapCertValidation }) =>
-            disableBootstrapCertValidation || (!disableBootstrapCertValidation && caChain),
-          "CA chain is required"
-        ),
+      body: z.object({
+        caChain: z.string().trim().min(1),
+        passphrase: z.string().min(1),
+        isEnabled: z.boolean().default(true)
+      }),
       response: {
         200: sanitizedEstConfig
       }
@@ -297,9 +289,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
         certificateTemplateId: z.string().trim()
       }),
       body: z.object({
-        caChain: z.string().trim().optional(),
+        caChain: z.string().trim().min(1).optional(),
         passphrase: z.string().min(1).optional(),
-        disableBootstrapCertValidation: z.boolean().optional(),
         isEnabled: z.boolean().optional()
       }),
       response: {

backend/src/server/routes/v1/integration-auth-router.ts

@@ -891,48 +891,6 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/:integrationAuthId/bitbucket/environments",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      params: z.object({
-        integrationAuthId: z.string().trim()
-      }),
-      querystring: z.object({
-        workspaceSlug: z.string().trim().min(1, { message: "Workspace slug required" }),
-        repoSlug: z.string().trim().min(1, { message: "Repo slug required" })
-      }),
-      response: {
-        200: z.object({
-          environments: z
-            .object({
-              name: z.string(),
-              slug: z.string(),
-              uuid: z.string(),
-              type: z.string()
-            })
-            .array()
-        })
-      }
-    },
-    handler: async (req) => {
-      const environments = await server.services.integrationAuth.getBitbucketEnvironments({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.params.integrationAuthId,
-        workspaceSlug: req.query.workspaceSlug,
-        repoSlug: req.query.repoSlug
-      });
-      return { environments };
-    }
-  });
-
   server.route({
     method: "GET",
     url: "/:integrationAuthId/northflank/secret-groups",

backend/src/server/routes/v1/secret-folder-router.ts

@@ -4,8 +4,7 @@ import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { FOLDERS } from "@app/lib/api-docs";
 import { prefixWithSlash, removeTrailingSlash } from "@app/lib/fn";
-import { isValidFolderName } from "@app/lib/validator";
-import { readLimit, secretsLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -26,13 +25,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       body: z.object({
         workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
         environment: z.string().trim().describe(FOLDERS.CREATE.environment),
-        name: z
-          .string()
-          .trim()
-          .describe(FOLDERS.CREATE.name)
-          .refine((name) => isValidFolderName(name), {
-            message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-          }),
+        name: z.string().trim().describe(FOLDERS.CREATE.name),
         path: z
           .string()
           .trim()
@@ -84,50 +77,6 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
-  server.route({
-    url: "/:folderId/move",
-    method: "PATCH",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Move folder to new path",
-      security: [{ bearerAuth: [] }],
-      params: z.object({
-        folderId: z.string().describe(FOLDERS.MOVE.folderId)
-      }),
-      body: z.object({
-        projectId: z.string().trim().describe(FOLDERS.MOVE.projectId),
-        newPath: z
-          .string()
-          .trim()
-          .describe(FOLDERS.MOVE.newPath)
-          .transform(prefixWithSlash)
-          .transform(removeTrailingSlash)
-      }),
-
-      response: {
-        200: z.object({
-          folder: SecretFoldersSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const folder = await server.services.folder.moveFolder({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        folderId: req.params.folderId,
-        projectId: req.body.projectId,
-        newPath: req.body.newPath
-      });
-
-      return { folder };
-    }
-  });
-
   server.route({
     url: "/:folderId",
     method: "PATCH",
@@ -148,13 +97,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       body: z.object({
         workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
         environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
-        name: z
-          .string()
-          .trim()
-          .describe(FOLDERS.UPDATE.name)
-          .refine((name) => isValidFolderName(name), {
-            message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-          }),
+        name: z.string().trim().describe(FOLDERS.UPDATE.name),
         path: z
           .string()
           .trim()
@@ -227,13 +170,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
           .object({
             id: z.string().describe(FOLDERS.UPDATE.folderId),
             environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
-            name: z
-              .string()
-              .trim()
-              .describe(FOLDERS.UPDATE.name)
-              .refine((name) => isValidFolderName(name), {
-                message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-              }),
+            name: z.string().trim().describe(FOLDERS.UPDATE.name),
             path: z
               .string()
               .trim()

backend/src/services/certificate-template/certificate-template-service.ts

@@ -235,8 +235,7 @@ export const certificateTemplateServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId,
-    disableBootstrapCertValidation
+    actorOrgId
   }: TCreateEstConfigurationDTO) => {
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.pkiEst) {
@@ -267,45 +266,39 @@ export const certificateTemplateServiceFactory = ({
 
     const appCfg = getConfig();
 
-    let encryptedCaChain: Buffer | undefined;
-    if (caChain) {
-      const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
-        projectId: certTemplate.projectId,
-        projectDAL,
-        kmsService
-      });
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
+      projectId: certTemplate.projectId,
+      projectDAL,
+      kmsService
+    });
 
-      // validate CA chain
-      const certificates = caChain
-        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
-        ?.map((cert) => new x509.X509Certificate(cert));
+    // validate CA chain
+    const certificates = caChain
+      .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+      ?.map((cert) => new x509.X509Certificate(cert));
 
-      if (!certificates) {
-        throw new BadRequestError({ message: "Failed to parse certificate chain" });
-      }
-
-      if (!(await isCertChainValid(certificates))) {
-        throw new BadRequestError({ message: "Invalid certificate chain" });
-      }
-
-      const kmsEncryptor = await kmsService.encryptWithKmsKey({
-        kmsId: certificateManagerKmsId
-      });
-
-      const { cipherTextBlob } = await kmsEncryptor({
-        plainText: Buffer.from(caChain)
-      });
-
-      encryptedCaChain = cipherTextBlob;
+    if (!certificates) {
+      throw new BadRequestError({ message: "Failed to parse certificate chain" });
     }
 
+    if (!(await isCertChainValid(certificates))) {
+      throw new BadRequestError({ message: "Invalid certificate chain" });
+    }
+
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
+
+    const { cipherTextBlob: encryptedCaChain } = await kmsEncryptor({
+      plainText: Buffer.from(caChain)
+    });
+
     const hashedPassphrase = await bcrypt.hash(passphrase, appCfg.SALT_ROUNDS);
     const estConfig = await certificateTemplateEstConfigDAL.create({
       certificateTemplateId,
       hashedPassphrase,
       encryptedCaChain,
-      isEnabled,
-      disableBootstrapCertValidation
+      isEnabled
     });
 
     return { ...estConfig, projectId: certTemplate.projectId };
@@ -319,8 +312,7 @@ export const certificateTemplateServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId,
-    disableBootstrapCertValidation
+    actorOrgId
   }: TUpdateEstConfigurationDTO) => {
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.pkiEst) {
@@ -368,8 +360,7 @@ export const certificateTemplateServiceFactory = ({
     });
 
     const updatedData: TCertificateTemplateEstConfigsUpdate = {
-      isEnabled,
-      disableBootstrapCertValidation
+      isEnabled
     };
 
     if (caChain) {
@@ -451,24 +442,18 @@ export const certificateTemplateServiceFactory = ({
       kmsId: certificateManagerKmsId
     });
 
-    let decryptedCaChain = "";
-    if (estConfig.encryptedCaChain) {
-      decryptedCaChain = (
-        await kmsDecryptor({
-          cipherTextBlob: estConfig.encryptedCaChain
-        })
-      ).toString();
-    }
+    const decryptedCaChain = await kmsDecryptor({
+      cipherTextBlob: estConfig.encryptedCaChain
+    });
 
     return {
       certificateTemplateId,
       id: estConfig.id,
       isEnabled: estConfig.isEnabled,
-      caChain: decryptedCaChain,
+      caChain: decryptedCaChain.toString(),
       hashedPassphrase: estConfig.hashedPassphrase,
       projectId: certTemplate.projectId,
-      orgId: certTemplate.orgId,
-      disableBootstrapCertValidation: estConfig.disableBootstrapCertValidation
+      orgId: certTemplate.orgId
     };
   };
 

backend/src/services/certificate-template/certificate-template-types.ts

@@ -34,10 +34,9 @@ export type TDeleteCertTemplateDTO = {
 
 export type TCreateEstConfigurationDTO = {
   certificateTemplateId: string;
-  caChain?: string;
+  caChain: string;
   passphrase: string;
   isEnabled: boolean;
-  disableBootstrapCertValidation: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateEstConfigurationDTO = {
@@ -45,7 +44,6 @@ export type TUpdateEstConfigurationDTO = {
   caChain?: string;
   passphrase?: string;
   isEnabled?: boolean;
-  disableBootstrapCertValidation?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TGetEstConfigurationDTO =

backend/src/services/integration-auth/integration-auth-service.ts

@@ -20,7 +20,6 @@ import { getApps } from "./integration-app-list";
 import { TIntegrationAuthDALFactory } from "./integration-auth-dal";
 import { IntegrationAuthMetadataSchema, TIntegrationAuthMetadata } from "./integration-auth-schema";
 import {
-  TBitbucketEnvironment,
   TBitbucketWorkspace,
   TChecklyGroups,
   TDeleteIntegrationAuthByIdDTO,
@@ -31,7 +30,6 @@ import {
   THerokuPipelineCoupling,
   TIntegrationAuthAppsDTO,
   TIntegrationAuthAwsKmsKeyDTO,
-  TIntegrationAuthBitbucketEnvironmentsDTO,
   TIntegrationAuthBitbucketWorkspaceDTO,
   TIntegrationAuthChecklyGroupsDTO,
   TIntegrationAuthGithubEnvsDTO,
@@ -1263,55 +1261,6 @@ export const integrationAuthServiceFactory = ({
     return workspaces;
   };
 
-  const getBitbucketEnvironments = async ({
-    workspaceSlug,
-    repoSlug,
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    id
-  }: TIntegrationAuthBitbucketEnvironmentsDTO) => {
-    const integrationAuth = await integrationAuthDAL.findById(id);
-    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      integrationAuth.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
-    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
-    const environments: TBitbucketEnvironment[] = [];
-    let hasNextPage = true;
-
-    let environmentsUrl = `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${workspaceSlug}/${repoSlug}/environments`;
-
-    while (hasNextPage) {
-      // eslint-disable-next-line
-      const { data }: { data: { values: TBitbucketEnvironment[]; next: string } } = await request.get(environmentsUrl, {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Accept-Encoding": "application/json"
-        }
-      });
-
-      if (data?.values.length > 0) {
-        environments.push(...data.values);
-      }
-
-      if (data.next) {
-        environmentsUrl = data.next;
-      } else {
-        hasNextPage = false;
-      }
-    }
-    return environments;
-  };
-
   const getNorthFlankSecretGroups = async ({
     id,
     actor,
@@ -1550,7 +1499,6 @@ export const integrationAuthServiceFactory = ({
     getNorthFlankSecretGroups,
     getTeamcityBuildConfigs,
     getBitbucketWorkspaces,
-    getBitbucketEnvironments,
     getIntegrationAccessToken,
     duplicateIntegrationAuth
   };

backend/src/services/integration-auth/integration-auth-types.ts

@@ -99,12 +99,6 @@ export type TIntegrationAuthBitbucketWorkspaceDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TIntegrationAuthBitbucketEnvironmentsDTO = {
-  workspaceSlug: string;
-  repoSlug: string;
-  id: string;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TIntegrationAuthNorthflankSecretGroupDTO = {
   id: string;
   appId: string;
@@ -154,13 +148,6 @@ export type TBitbucketWorkspace = {
   updated_on: string;
 };
 
-export type TBitbucketEnvironment = {
-  type: string;
-  uuid: string;
-  name: string;
-  slug: string;
-};
-
 export type TNorthflankSecretGroup = {
   id: string;
   name: string;

backend/src/services/integration-auth/integration-list.ts

@@ -334,7 +334,7 @@ export const getIntegrationOptions = async () => {
       docsLink: ""
     },
     {
-      name: "Bitbucket",
+      name: "BitBucket",
       slug: "bitbucket",
       image: "BitBucket.png",
       isAvailable: true,

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -3631,14 +3631,7 @@ const syncSecretsBitBucket = async ({
   const res: { [key: string]: BitbucketVariable } = {};
 
   let hasNextPage = true;
-
-  const rootUrl = integration.targetServiceId
-    ? // scope: deployment environment
-      `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${integration.targetEnvironmentId}/${integration.appId}/deployments_config/environments/${integration.targetServiceId}/variables`
-    : // scope: repository
-      `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${integration.targetEnvironmentId}/${integration.appId}/pipelines_config/variables`;
-
-  let variablesUrl = rootUrl;
+  let variablesUrl = `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${integration.targetEnvironmentId}/${integration.appId}/pipelines_config/variables`;
 
   while (hasNextPage) {
     const { data }: { data: VariablesResponse } = await request.get(variablesUrl, {
@@ -3665,7 +3658,7 @@ const syncSecretsBitBucket = async ({
     if (key in res) {
       // update existing secret
       await request.put(
-        `${rootUrl}/${res[key].uuid}`,
+        `${variablesUrl}/${res[key].uuid}`,
         {
           key,
           value: secrets[key].value,
@@ -3681,7 +3674,7 @@ const syncSecretsBitBucket = async ({
     } else {
       // create new secret
       await request.post(
-        rootUrl,
+        variablesUrl,
         {
           key,
           value: secrets[key].value,

backend/src/services/kms/kms-fns.ts

@@ -1,5 +1,7 @@
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 
+export const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
+
 export const getByteLengthForAlgorithm = (encryptionAlgorithm: SymmetricEncryption) => {
   switch (encryptionAlgorithm) {
     case SymmetricEncryption.AES_GCM_128:

backend/src/services/kms/kms-service.ts

@@ -2,13 +2,14 @@ import slugify from "@sindresorhus/slugify";
 import { Knex } from "knex";
 import { z } from "zod";
 
-import { KmsKeysSchema } from "@app/db/schemas";
+import { KmsKeysSchema, TKmsRootConfig } from "@app/db/schemas";
 import { AwsKmsProviderFactory } from "@app/ee/services/external-kms/providers/aws-kms";
 import {
   ExternalKmsAwsSchema,
   KmsProviders,
   TExternalKmsProviderFns
 } from "@app/ee/services/external-kms/providers/model";
+import { THsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { randomSecureBytes } from "@app/lib/crypto";
@@ -17,7 +18,7 @@ import { generateHash } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { getByteLengthForAlgorithm } from "@app/services/kms/kms-fns";
+import { getByteLengthForAlgorithm, KMS_ROOT_CONFIG_UUID } from "@app/services/kms/kms-fns";
 
 import { TOrgDALFactory } from "../org/org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
@@ -27,6 +28,7 @@ import { TKmsRootConfigDALFactory } from "./kms-root-config-dal";
 import {
   KmsDataKey,
   KmsType,
+  RootKeyEncryptionStrategy,
   TDecryptWithKeyDTO,
   TDecryptWithKmsDTO,
   TEncryptionWithKeyDTO,
@@ -40,15 +42,14 @@ type TKmsServiceFactoryDep = {
   kmsDAL: TKmsKeyDALFactory;
   projectDAL: Pick<TProjectDALFactory, "findById" | "updateById" | "transaction">;
   orgDAL: Pick<TOrgDALFactory, "findById" | "updateById" | "transaction">;
-  kmsRootConfigDAL: Pick<TKmsRootConfigDALFactory, "findById" | "create">;
+  kmsRootConfigDAL: Pick<TKmsRootConfigDALFactory, "findById" | "create" | "updateById">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "waitTillReady" | "setItemWithExpiry">;
   internalKmsDAL: Pick<TInternalKmsDALFactory, "create">;
+  hsmService: THsmServiceFactory;
 };
 
 export type TKmsServiceFactory = ReturnType<typeof kmsServiceFactory>;
 
-const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
-
 const KMS_ROOT_CREATION_WAIT_KEY = "wait_till_ready_kms_root_key";
 const KMS_ROOT_CREATION_WAIT_TIME = 10;
 
@@ -63,7 +64,8 @@ export const kmsServiceFactory = ({
   keyStore,
   internalKmsDAL,
   orgDAL,
-  projectDAL
+  projectDAL,
+  hsmService
 }: TKmsServiceFactoryDep) => {
   let ROOT_ENCRYPTION_KEY = Buffer.alloc(0);
 
@@ -610,6 +612,65 @@ export const kmsServiceFactory = ({
     }
   };
 
+  const $getBasicEncryptionKey = () => {
+    const appCfg = getConfig();
+
+    const encryptionKey = appCfg.ENCRYPTION_KEY || appCfg.ROOT_ENCRYPTION_KEY;
+    const isBase64 = !appCfg.ENCRYPTION_KEY;
+    if (!encryptionKey)
+      throw new Error(
+        "Root encryption key not found for KMS service. Did you set the ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY environment variables?"
+      );
+
+    const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
+
+    return encryptionKeyBuffer;
+  };
+
+  const $decryptRootKey = async (kmsRootConfig: TKmsRootConfig) => {
+    // case 1: root key is encrypted with HSM
+    if (kmsRootConfig.encryptionStrategy === RootKeyEncryptionStrategy.HSM) {
+      const hsmIsActive = await hsmService.isActive();
+      if (!hsmIsActive) {
+        throw new Error("Unable to decrypt root KMS key. HSM service is inactive. Did you configure the HSM?");
+      }
+
+      const decryptedKey = await hsmService.decrypt(kmsRootConfig.encryptedRootKey);
+      return decryptedKey;
+    }
+
+    // case 2: root key is encrypted with software encryption
+    if (kmsRootConfig.encryptionStrategy === RootKeyEncryptionStrategy.Software) {
+      const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+      const encryptionKeyBuffer = $getBasicEncryptionKey();
+
+      return cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
+    }
+
+    throw new Error(`Invalid root key encryption strategy: ${kmsRootConfig.encryptionStrategy}`);
+  };
+
+  const $encryptRootKey = async (plainKeyBuffer: Buffer, strategy: RootKeyEncryptionStrategy) => {
+    if (strategy === RootKeyEncryptionStrategy.HSM) {
+      const hsmIsActive = await hsmService.isActive();
+      if (!hsmIsActive) {
+        throw new Error("Unable to encrypt root KMS key. HSM service is inactive. Did you configure the HSM?");
+      }
+      const encrypted = await hsmService.encrypt(plainKeyBuffer);
+      return encrypted;
+    }
+
+    if (strategy === RootKeyEncryptionStrategy.Software) {
+      const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+      const encryptionKeyBuffer = $getBasicEncryptionKey();
+
+      return cipher.encrypt(plainKeyBuffer, encryptionKeyBuffer);
+    }
+
+    // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+    throw new Error(`Invalid root key encryption strategy: ${strategy}`);
+  };
+
   // by keeping the decrypted data key in inner scope
   // none of the entities outside can interact directly or expose the data key
   // NOTICE: If changing here update migrations/utils/kms
@@ -771,7 +832,6 @@ export const kmsServiceFactory = ({
         },
         tx
       );
-
       return kmsDAL.findByIdWithAssociatedKms(key.id, tx);
     });
 
@@ -794,14 +854,6 @@ export const kmsServiceFactory = ({
 
   // akhilmhdh: a copy of this is made in migrations/utils/kms
   const startService = async () => {
-    const appCfg = getConfig();
-    // This will switch to a seal process and HMS flow in future
-    const encryptionKey = appCfg.ENCRYPTION_KEY || appCfg.ROOT_ENCRYPTION_KEY;
-    // if root key its base64 encoded
-    const isBase64 = !appCfg.ENCRYPTION_KEY;
-    if (!encryptionKey) throw new Error("Root encryption key not found for KMS service.");
-    const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
-
     const lock = await keyStore.acquireLock([`KMS_ROOT_CFG_LOCK`], 3000, { retryCount: 3 }).catch(() => null);
     if (!lock) {
       await keyStore.waitTillReady({
@@ -813,31 +865,69 @@ export const kmsServiceFactory = ({
 
     // check if KMS root key was already generated and saved in DB
     const kmsRootConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
-    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+
+    // case 1: a root key already exists in the DB
     if (kmsRootConfig) {
       if (lock) await lock.release();
-      logger.info("KMS: Encrypted ROOT Key found from DB. Decrypting.");
-      const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
-      // set the flag so that other instancen nodes can start
+      logger.info(`KMS: Encrypted ROOT Key found from DB. Decrypting. [strategy=${kmsRootConfig.encryptionStrategy}]`);
+
+      const decryptedRootKey = await $decryptRootKey(kmsRootConfig);
+
+      // set the flag so that other instance nodes can start
       await keyStore.setItemWithExpiry(KMS_ROOT_CREATION_WAIT_KEY, KMS_ROOT_CREATION_WAIT_TIME, "true");
       logger.info("KMS: Loading ROOT Key into Memory.");
       ROOT_ENCRYPTION_KEY = decryptedRootKey;
       return;
     }
 
-    logger.info("KMS: Generating ROOT Key");
+    // case 2: no config is found, so we create a new root key with basic encryption
+    logger.info("KMS: Generating new ROOT Key");
     const newRootKey = randomSecureBytes(32);
-    const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
-    // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
-    await kmsRootConfigDAL.create({ encryptedRootKey, id: KMS_ROOT_CONFIG_UUID });
+    const encryptedRootKey = await $encryptRootKey(newRootKey, RootKeyEncryptionStrategy.Software).catch((err) => {
+      logger.error({ hsmEnabled: hsmService.isActive() }, "KMS: Failed to encrypt ROOT Key");
+      throw err;
+    });
 
-    // set the flag so that other instancen nodes can start
+    await kmsRootConfigDAL.create({
+      // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
+      id: KMS_ROOT_CONFIG_UUID,
+      encryptedRootKey,
+      encryptionStrategy: RootKeyEncryptionStrategy.Software
+    });
+
+    // set the flag so that other instance nodes can start
     await keyStore.setItemWithExpiry(KMS_ROOT_CREATION_WAIT_KEY, KMS_ROOT_CREATION_WAIT_TIME, "true");
     logger.info("KMS: Saved and loaded ROOT Key into memory");
     if (lock) await lock.release();
     ROOT_ENCRYPTION_KEY = newRootKey;
   };
 
+  const updateEncryptionStrategy = async (strategy: RootKeyEncryptionStrategy) => {
+    const kmsRootConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
+    if (!kmsRootConfig) {
+      throw new NotFoundError({ message: "KMS root config not found" });
+    }
+
+    if (kmsRootConfig.encryptionStrategy === strategy) {
+      return;
+    }
+
+    const decryptedRootKey = await $decryptRootKey(kmsRootConfig);
+    const encryptedRootKey = await $encryptRootKey(decryptedRootKey, strategy);
+
+    if (!encryptedRootKey) {
+      logger.error("KMS: Failed to re-encrypt ROOT Key with selected strategy");
+      throw new Error("Failed to re-encrypt ROOT Key with selected strategy");
+    }
+
+    await kmsRootConfigDAL.updateById(KMS_ROOT_CONFIG_UUID, {
+      encryptedRootKey,
+      encryptionStrategy: strategy
+    });
+
+    ROOT_ENCRYPTION_KEY = decryptedRootKey;
+  };
+
   return {
     startService,
     generateKmsKey,
@@ -849,6 +939,7 @@ export const kmsServiceFactory = ({
     encryptWithRootKey,
     decryptWithRootKey,
     getOrgKmsKeyId,
+    updateEncryptionStrategy,
     getProjectSecretManagerKmsKeyId,
     updateProjectSecretManagerKmsKey,
     getProjectKeyBackup,

backend/src/services/kms/kms-types.ts

@@ -56,3 +56,8 @@ export type TUpdateProjectSecretManagerKmsKeyDTO = {
   projectId: string;
   kms: { type: KmsType.Internal } | { type: KmsType.External; kmsId: string };
 };
+
+export enum RootKeyEncryptionStrategy {
+  Software = "SOFTWARE",
+  HSM = "HSM"
+}

backend/src/services/secret-folder/secret-folder-dal.ts

@@ -6,7 +6,6 @@ import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { groupBy, removeTrailingSlash } from "@app/lib/fn";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
-import { isValidSecretPath } from "@app/lib/validator";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
 import { TFindFoldersDeepByParentIdsDTO } from "./secret-folder-types";
@@ -215,12 +214,6 @@ export const secretFolderDALFactory = (db: TDbClient) => {
   const secretFolderOrm = ormify(db, TableName.SecretFolder);
 
   const findBySecretPath = async (projectId: string, environment: string, path: string, tx?: Knex) => {
-    const isValidPath = isValidSecretPath(path);
-    if (!isValidPath)
-      throw new BadRequestError({
-        message: "Invalid secret path. Only alphanumeric characters, dashes, and underscores are allowed."
-      });
-
     try {
       const folder = await sqlFindFolderByPathQuery(
         tx || db.replicaNode(),
@@ -243,12 +236,6 @@ export const secretFolderDALFactory = (db: TDbClient) => {
 
   // finds folders by path for multiple envs
   const findBySecretPathMultiEnv = async (projectId: string, environments: string[], path: string, tx?: Knex) => {
-    const isValidPath = isValidSecretPath(path);
-    if (!isValidPath)
-      throw new BadRequestError({
-        message: "Invalid secret path. Only alphanumeric characters, dashes, and underscores are allowed."
-      });
-
     try {
       const pathDepth = removeTrailingSlash(path).split("/").filter(Boolean).length + 1;
 
@@ -280,12 +267,6 @@ export const secretFolderDALFactory = (db: TDbClient) => {
   // even if its the original given /path1/path2
   // it will stop automatically at /path2
   const findClosestFolder = async (projectId: string, environment: string, path: string, tx?: Knex) => {
-    const isValidPath = isValidSecretPath(path);
-    if (!isValidPath)
-      throw new BadRequestError({
-        message: "Invalid secret path. Only alphanumeric characters, dashes, and underscores are allowed."
-      });
-
     try {
       const folder = await sqlFindFolderByPathQuery(
         tx || db.replicaNode(),

backend/src/services/secret-folder/secret-folder-service.ts

@@ -19,7 +19,6 @@ import {
   TGetFolderDTO,
   TGetFoldersDeepByEnvsDTO,
   TUpdateFolderDTO,
-  TUpdateFolderPathDTO,
   TUpdateManyFoldersDTO
 } from "./secret-folder-types";
 import { TSecretFolderVersionDALFactory } from "./secret-folder-version-dal";
@@ -330,145 +329,6 @@ export const secretFolderServiceFactory = ({
     return { folder: newFolder, old: folder };
   };
 
-  const moveFolder = async ({
-    folderId,
-    newPath: secretPath,
-    projectId,
-    actor,
-    actorAuthMethod,
-    actorId,
-    actorOrgId
-  }: TUpdateFolderPathDTO) => {
-    const [folder] = await folderDAL.findSecretPathByFolderIds(projectId, [folderId]);
-
-    if (!folder) {
-      throw new NotFoundError({ message: `Folder with ID '${folderId}' not found` });
-    }
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    // Has permission for source folder
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.SecretFolders, { environment: folder.environmentSlug, secretPath: folder.path })
-    );
-
-    // Has permission for destination folder
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.SecretFolders, { environment: folder.environmentSlug, secretPath })
-    );
-
-    if (!folder.parentId) {
-      throw new BadRequestError({ message: `Cannot move root folder` });
-    }
-
-    const parentFolder = await folderDAL.findById(folder.parentId);
-
-    if (!parentFolder) {
-      throw new NotFoundError({ message: `Parent folder with ID '${folder.parentId}' not found` });
-    }
-
-    if (secretPath !== "/") {
-      const newPathSegments = secretPath.split("/").filter(Boolean);
-
-      if (newPathSegments.length === 0) {
-        throw new BadRequestError({ message: `Invalid new path '${secretPath}'` });
-      }
-    }
-
-    if (secretPath === folder.path) {
-      return folder;
-    }
-
-    const existingFolder = await folderDAL.findBySecretPath(
-      projectId,
-      folder.environmentSlug,
-      `${secretPath}/${folder.name}`
-    );
-
-    if (existingFolder) {
-      throw new BadRequestError({
-        message: `Folder with name '${existingFolder.name}' already exists in the new path '${secretPath}'`
-      });
-    }
-
-    const movedFolder = await folderDAL.transaction(async (tx) => {
-      const newParentFolder = await folderDAL.findClosestFolder(projectId, folder.environmentSlug, secretPath, tx);
-
-      if (!newParentFolder) {
-        throw new NotFoundError({ message: `Parent folder with path '${secretPath}' not found` });
-      }
-
-      let parentFolderId = newParentFolder.id;
-
-      // create any missing intermediate folders in the new path
-      if (newParentFolder.path !== secretPath) {
-        const missingSegments = secretPath.substring(newParentFolder.path.length).split("/").filter(Boolean);
-        if (missingSegments.length) {
-          const newFolders: Array<TSecretFoldersInsert & { id: string }> = missingSegments.map((segment) => {
-            const newFolder = {
-              name: segment,
-              parentId: parentFolderId,
-              id: uuidv4(),
-              envId: folder.envId,
-              version: 1
-            };
-            parentFolderId = newFolder.id;
-            return newFolder;
-          });
-
-          parentFolderId = newFolders.at(-1)?.id as string;
-          const docs = await folderDAL.insertMany(newFolders, tx);
-          await folderVersionDAL.insertMany(
-            docs.map((doc) => ({
-              name: doc.name,
-              envId: doc.envId,
-              version: doc.version,
-              folderId: doc.id
-            })),
-            tx
-          );
-        }
-      }
-
-      if (parentFolderId === folder.id) {
-        throw new BadRequestError({ message: `Cannot move folder into itself` });
-      }
-
-      // update the folder's parent id to point to the new location
-      const [updatedFolder] = await folderDAL.update(
-        { id: folder.id },
-        {
-          parentId: parentFolderId,
-          version: (folder.version || 0) + 1
-        },
-        tx
-      );
-
-      // create a new version record
-      await folderVersionDAL.create(
-        {
-          name: updatedFolder.name,
-          envId: updatedFolder.envId,
-          version: updatedFolder.version,
-          folderId: updatedFolder.id
-        },
-        tx
-      );
-
-      return updatedFolder;
-    });
-
-    await snapshotService.performSnapshot(movedFolder.id);
-    return movedFolder;
-  };
-
   const deleteFolder = async ({
     projectId,
     actor,
@@ -680,7 +540,6 @@ export const secretFolderServiceFactory = ({
     createFolder,
     updateFolder,
     updateManyFolders,
-    moveFolder,
     deleteFolder,
     getFolders,
     getFolderById,

backend/src/services/secret-folder/secret-folder-types.ts

@@ -18,11 +18,6 @@ export type TUpdateFolderDTO = {
   name: string;
 } & TProjectPermission;
 
-export type TUpdateFolderPathDTO = {
-  folderId: string;
-  newPath: string;
-} & TProjectPermission;
-
 export type TUpdateManyFoldersDTO = {
   projectSlug: string;
   folders: {

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -10,9 +10,9 @@ import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TFnSecretBulkDelete, TFnSecretBulkInsert, TFnSecretBulkUpdate } from "./secret-v2-bridge-types";
 
-const INTERPOLATION_SYNTAX_REG = /\${([a-zA-Z0-9-_.]+)}/g;
+const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
 // akhilmhdh: JS regex with global save state in .test
-const INTERPOLATION_SYNTAX_REG_NON_GLOBAL = /\${([a-zA-Z0-9-_.]+)}/;
+const INTERPOLATION_SYNTAX_REG_NON_GLOBAL = /\${([^}]+)}/;
 
 export const shouldUseSecretV2Bridge = (version: number) => version === 3;
 

backend/src/services/super-admin/super-admin-service.ts

@@ -10,7 +10,10 @@ import { BadRequestError, NotFoundError } from "@app/lib/errors";
 
 import { TAuthLoginFactory } from "../auth/auth-login-service";
 import { AuthMethod } from "../auth/auth-type";
+import { KMS_ROOT_CONFIG_UUID } from "../kms/kms-fns";
+import { TKmsRootConfigDALFactory } from "../kms/kms-root-config-dal";
 import { TKmsServiceFactory } from "../kms/kms-service";
+import { RootKeyEncryptionStrategy } from "../kms/kms-types";
 import { TOrgServiceFactory } from "../org/org-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TSuperAdminDALFactory } from "./super-admin-dal";
@@ -20,7 +23,8 @@ type TSuperAdminServiceFactoryDep = {
   serverCfgDAL: TSuperAdminDALFactory;
   userDAL: TUserDALFactory;
   authService: Pick<TAuthLoginFactory, "generateUserTokens">;
-  kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey">;
+  kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey" | "updateEncryptionStrategy">;
+  kmsRootConfigDAL: TKmsRootConfigDALFactory;
   orgService: Pick<TOrgServiceFactory, "createOrganization">;
   keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry" | "deleteItem">;
   licenseService: Pick<TLicenseServiceFactory, "onPremFeatures">;
@@ -47,6 +51,7 @@ export const superAdminServiceFactory = ({
   authService,
   orgService,
   keyStore,
+  kmsRootConfigDAL,
   kmsService,
   licenseService
 }: TSuperAdminServiceFactoryDep) => {
@@ -288,12 +293,70 @@ export const superAdminServiceFactory = ({
     };
   };
 
+  const getConfiguredEncryptionStrategies = async () => {
+    const appCfg = getConfig();
+
+    const kmsRootCfg = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
+
+    if (!kmsRootCfg) {
+      throw new NotFoundError({ name: "KmsRootConfig", message: "KMS root configuration not found" });
+    }
+
+    const selectedStrategy = kmsRootCfg.encryptionStrategy;
+    const enabledStrategies: { enabled: boolean; strategy: RootKeyEncryptionStrategy }[] = [];
+
+    if (appCfg.ROOT_ENCRYPTION_KEY || appCfg.ENCRYPTION_KEY) {
+      const basicStrategy = RootKeyEncryptionStrategy.Software;
+
+      enabledStrategies.push({
+        enabled: selectedStrategy === basicStrategy,
+        strategy: basicStrategy
+      });
+    }
+    if (appCfg.isHsmConfigured) {
+      const hsmStrategy = RootKeyEncryptionStrategy.HSM;
+
+      enabledStrategies.push({
+        enabled: selectedStrategy === hsmStrategy,
+        strategy: hsmStrategy
+      });
+    }
+
+    return {
+      strategies: enabledStrategies
+    };
+  };
+
+  const updateRootEncryptionStrategy = async (strategy: RootKeyEncryptionStrategy) => {
+    if (!licenseService.onPremFeatures.hsm) {
+      throw new BadRequestError({
+        message: "Failed to update encryption strategy due to plan restriction. Upgrade to Infisical's Enterprise plan."
+      });
+    }
+
+    const configuredStrategies = await getConfiguredEncryptionStrategies();
+
+    const foundStrategy = configuredStrategies.strategies.find((s) => s.strategy === strategy);
+
+    if (!foundStrategy) {
+      throw new BadRequestError({ message: "Invalid encryption strategy" });
+    }
+
+    if (foundStrategy.enabled) {
+      throw new BadRequestError({ message: "The selected encryption strategy is already enabled" });
+    }
+
+    await kmsService.updateEncryptionStrategy(strategy);
+  };
+
   return {
     initServerCfg,
     updateServerCfg,
     adminSignUp,
     getUsers,
     deleteUser,
-    getAdminSlackConfig
+    getAdminSlackConfig,
+    updateRootEncryptionStrategy,
+    getConfiguredEncryptionStrategies
   };
 };

cli/packages/api/model.go

@@ -136,8 +136,8 @@ type GetOrganizationsResponse struct {
 }
 
 type SelectOrganizationResponse struct {
-	Token string `json:"token"`
-	MfaEnabled bool `json:"isMfaEnabled"`
+	Token      string `json:"token"`
+	MfaEnabled bool   `json:"isMfaEnabled"`
 }
 
 type SelectOrganizationRequest struct {

docs/documentation/platform/pki/est.mdx

@@ -35,7 +35,6 @@ These endpoints are exposed on port 8443 under the .well-known/est path e.g.
 
    ![est enrollment modal create](/images/platform/pki/est/template-enrollment-modal.png)
 
-   - **Disable Bootstrap Certificate Validation** - Enable this if your devices are not configured with a bootstrap certificate.
    - **Certificate Authority Chain** - This is the certificate chain used to validate your devices' manufacturing/pre-installed certificates. This will be used to authenticate your devices with Infisical's EST server.
    - **Passphrase** - This is also used to authenticate your devices with Infisical's EST server. When configuring the clients, use the value defined here as the EST password.
 

docs/integrations/cicd/bitbucket.mdx

@@ -3,37 +3,29 @@ title: "Bitbucket"
 description: "How to sync secrets from Infisical to Bitbucket"
 ---
 
-Infisical lets you sync secrets to Bitbucket at the repository-level and deployment environment-level.
-
-
 Prerequisites:
 
 - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
 
 <AccordionGroup>
   <Accordion title="Push secrets to Bitbucket from Infisical">
-      <Steps>
-          <Step title="Authorize Infisical for Bitbucket">
-              Navigate to your project's integrations tab in Infisical.
+    <Steps>
+      <Step title="Authorize Infisical for Bitbucket">
+        Navigate to your project's integrations tab in Infisical.
 
-              ![integrations](/images/integrations.png)
+        ![integrations](../../images/integrations.png)
 
-              Press on the Bitbucket tile and grant Infisical access to your Bitbucket account.
+        Press on the Bitbucket tile and grant Infisical access to your Bitbucket account.
 
-              ![integrations bitbucket authorization](/images/integrations/bitbucket/integrations-bitbucket.png)
-          </Step>
-          <Step title='Configure integration'>
-              Select which workspace, repository, and optionally, deployment environment, you'd like to sync your secrets
-              to.
-              ![integrations configure
-              bitbucket](/images/integrations/bitbucket/integrations-bitbucket-configuration.png)
+        ![integrations bitbucket authorization](../../images/integrations/bitbucket/integrations-bitbucket-auth.png)
 
-              Once created, your integration will begin syncing secrets to the configured repository or deployment
-              environment.
+      </Step>
+      <Step title="Start integration">
+        Select which Infisical environment secrets you want to sync to which Bitbucket repo and press start integration to start syncing secrets to the repo.
 
-              ![integrations bitbucket](/images/integrations/bitbucket/integrations-bitbucket.png)
-          </Step>
-      </Steps>
+        ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket.png)
+      </Step>
+    </Steps>
 
   </Accordion>
   <Accordion title="Pull secrets in Bitbucket pipelines from Infisical">
@@ -44,7 +36,7 @@ Prerequisites:
       <Step title="Initialize Bitbucket variables">
       Create Bitbucket variables (can be either workspace, repository, or deployment-level) to store Machine Identity Client ID and Client Secret.
       
-      ![integrations bitbucket](/images/integrations/bitbucket/integrations-bitbucket-env.png)
+      ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket-env.png)
       </Step>
       <Step title="Integrate Infisical secrets into the pipeline">
         Edit your Bitbucket pipeline YAML file to include the use of the Infisical CLI to fetch and inject secrets into any script or command within the pipeline.

frontend/public/data/frequentConstants.ts

@@ -28,7 +28,7 @@ const integrationSlugNameMapping: Mapping = {
   "cloudflare-workers": "Cloudflare Workers",
   codefresh: "Codefresh",
   "digital-ocean-app-platform": "Digital Ocean App Platform",
-  bitbucket: "Bitbucket",
+  bitbucket: "BitBucket",
   "cloud-66": "Cloud 66",
   northflank: "Northflank",
   windmill: "Windmill",

frontend/src/components/v2/FilterableSelect/index.tsx

@@ -1 +0,0 @@
-export * from "./FilterableSelect";

frontend/src/components/v2/MultiSelect/MultiSelect.tsx

@@ -7,11 +7,11 @@ import Select, {
   Props
 } from "react-select";
 import { faCheckCircle, faCircleXmark } from "@fortawesome/free-regular-svg-icons";
-import { faChevronDown, faXmark } from "@fortawesome/free-solid-svg-icons";
+import { faChevronDown, faX } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { twMerge } from "tailwind-merge";
 
-const DropdownIndicator = <T,>(props: DropdownIndicatorProps<T>) => {
+const DropdownIndicator = (props: DropdownIndicatorProps) => {
   return (
     <components.DropdownIndicator {...props}>
       <FontAwesomeIcon icon={faChevronDown} size="xs" />
@@ -19,7 +19,7 @@ const DropdownIndicator = <T,>(props: DropdownIndicatorProps<T>) => {
   );
 };
 
-const ClearIndicator = <T,>(props: ClearIndicatorProps<T>) => {
+const ClearIndicator = (props: ClearIndicatorProps) => {
   return (
     <components.ClearIndicator {...props}>
       <FontAwesomeIcon icon={faCircleXmark} />
@@ -30,12 +30,12 @@ const ClearIndicator = <T,>(props: ClearIndicatorProps<T>) => {
 const MultiValueRemove = (props: MultiValueRemoveProps) => {
   return (
     <components.MultiValueRemove {...props}>
-      <FontAwesomeIcon icon={faXmark} size="xs" />
+      <FontAwesomeIcon icon={faX} size="xs" />
     </components.MultiValueRemove>
   );
 };
 
-const Option = <T,>({ isSelected, children, ...props }: OptionProps<T>) => {
+const Option = ({ isSelected, children, ...props }: OptionProps) => {
   return (
     <components.Option isSelected={isSelected} {...props}>
       {children}
@@ -46,10 +46,10 @@ const Option = <T,>({ isSelected, children, ...props }: OptionProps<T>) => {
   );
 };
 
-export const FilterableSelect = <T,>({ isMulti, closeMenuOnSelect, ...props }: Props<T>) => (
+export const MultiSelect = (props: Props) => (
   <Select
-    isMulti={isMulti}
-    closeMenuOnSelect={closeMenuOnSelect ?? !isMulti}
+    isMulti
+    closeMenuOnSelect={false}
     hideSelectedOptions={false}
     unstyled
     styles={{
@@ -75,11 +75,11 @@ export const FilterableSelect = <T,>({ isMulti, closeMenuOnSelect, ...props }: P
       control: ({ isFocused }) =>
         twMerge(
           isFocused ? "border-primary-400/50" : "border-mineshaft-600 hover:border-gray-400",
-          "border w-full p-0.5 rounded-md text-mineshaft-200 font-inter bg-mineshaft-900 hover:cursor-pointer"
+          "border w-full p-0.5 rounded-md font-inter bg-mineshaft-900 hover:cursor-pointer"
         ),
       placeholder: () => "text-mineshaft-400 text-sm pl-1 py-0.5",
       input: () => "pl-1 py-0.5",
-      valueContainer: () => `p-1 max-h-[14rem] ${isMulti ? "!overflow-y-scroll" : ""} gap-1`,
+      valueContainer: () => "p-1 max-h-[14rem] !overflow-y-scroll gap-1",
       singleValue: () => "leading-7 ml-1",
       multiValue: () => "bg-mineshaft-600 rounded items-center py-0.5 px-2 gap-1.5",
       multiValueLabel: () => "leading-6 text-sm",
@@ -94,7 +94,7 @@ export const FilterableSelect = <T,>({ isMulti, closeMenuOnSelect, ...props }: P
       option: ({ isFocused, isSelected }) =>
         twMerge(
           isFocused && "bg-mineshaft-700 active:bg-mineshaft-600",
-          isSelected && "text-mineshaft-200",
+          isSelected && "text-mineshaft-400",
           "hover:cursor-pointer text-xs px-3 py-2"
         ),
       noOptionsMessage: () => "text-mineshaft-400 p-2 rounded-md"

frontend/src/components/v2/MultiSelect/index.tsx

@@ -0,0 +1 @@
+export * from "./MultiSelect";

frontend/src/components/v2/SecretInput/SecretInput.tsx

@@ -4,7 +4,7 @@ import { twMerge } from "tailwind-merge";
 
 import { useToggle } from "@app/hooks";
 
-const REGEX = /(\${([a-zA-Z0-9-_.]+)})/g;
+const REGEX = /(\${([^}]+)})/g;
 const replaceContentWithDot = (str: string) => {
   let finalStr = "";
   for (let i = 0; i < str.length; i += 1) {

frontend/src/components/v2/index.tsx

@@ -11,7 +11,6 @@ export * from "./Drawer";
 export * from "./Dropdown";
 export * from "./EmailServiceSetupModal";
 export * from "./EmptyState";
-export * from "./FilterableSelect";
 export * from "./FontAwesomeSymbol";
 export * from "./FormControl";
 export * from "./HoverCardv2";
@@ -19,6 +18,7 @@ export * from "./IconButton";
 export * from "./Input";
 export * from "./Menu";
 export * from "./Modal";
+export * from "./MultiSelect";
 export * from "./NoticeBanner";
 export * from "./Pagination";
 export * from "./Popoverv2";

frontend/src/hooks/api/admin/index.ts

@@ -2,6 +2,12 @@ export {
   useAdminDeleteUser,
   useCreateAdminUser,
   useUpdateAdminSlackConfig,
-  useUpdateServerConfig
+  useUpdateServerConfig,
+  useUpdateServerEncryptionStrategy
 } from "./mutation";
-export { useAdminGetUsers, useGetAdminSlackConfig, useGetServerConfig } from "./queries";
+export {
+  useAdminGetUsers,
+  useGetAdminSlackConfig,
+  useGetServerConfig,
+  useGetServerRootKmsEncryptionDetails
+} from "./queries";

frontend/src/hooks/api/admin/mutation.ts

@@ -7,6 +7,7 @@ import { User } from "../users/types";
 import { adminQueryKeys, adminStandaloneKeys } from "./queries";
 import {
   AdminSlackConfig,
+  RootKeyEncryptionStrategy,
   TCreateAdminUserDTO,
   TServerConfig,
   TUpdateAdminSlackConfigDTO
@@ -85,3 +86,15 @@ export const useUpdateAdminSlackConfig = () => {
     }
   });
 };
+
+export const useUpdateServerEncryptionStrategy = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async (strategy: RootKeyEncryptionStrategy) => {
+      await apiRequest.patch("/api/v1/admin/encryption-strategies", { strategy });
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries(adminQueryKeys.getServerEncryptionStrategies());
+    }
+  });
+};

frontend/src/hooks/api/admin/queries.ts

@@ -3,7 +3,12 @@ import { useInfiniteQuery, useQuery, UseQueryOptions } from "@tanstack/react-que
 import { apiRequest } from "@app/config/request";
 
 import { User } from "../types";
-import { AdminGetUsersFilters, AdminSlackConfig, TServerConfig } from "./types";
+import {
+  AdminGetUsersFilters,
+  AdminSlackConfig,
+  TGetServerRootKmsEncryptionDetails,
+  TServerConfig
+} from "./types";
 
 export const adminStandaloneKeys = {
   getUsers: "get-users"
@@ -12,7 +17,8 @@ export const adminStandaloneKeys = {
 export const adminQueryKeys = {
   serverConfig: () => ["server-config"] as const,
   getUsers: (filters: AdminGetUsersFilters) => [adminStandaloneKeys.getUsers, { filters }] as const,
-  getAdminSlackConfig: () => ["admin-slack-config"] as const
+  getAdminSlackConfig: () => ["admin-slack-config"] as const,
+  getServerEncryptionStrategies: () => ["server-encryption-strategies"] as const
 };
 
 const fetchServerConfig = async () => {
@@ -61,8 +67,8 @@ export const useAdminGetUsers = (filters: AdminGetUsersFilters) => {
   });
 };
 
-export const useGetAdminSlackConfig = () =>
-  useQuery({
+export const useGetAdminSlackConfig = () => {
+  return useQuery({
     queryKey: adminQueryKeys.getAdminSlackConfig(),
     queryFn: async () => {
       const { data } = await apiRequest.get<AdminSlackConfig>(
@@ -72,3 +78,17 @@ export const useGetAdminSlackConfig = () =>
       return data;
     }
   });
+};
+
+export const useGetServerRootKmsEncryptionDetails = () => {
+  return useQuery({
+    queryKey: adminQueryKeys.getServerEncryptionStrategies(),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TGetServerRootKmsEncryptionDetails>(
+        "/api/v1/admin/encryption-strategies"
+      );
+
+      return data;
+    }
+  });
+};

frontend/src/hooks/api/admin/types.ts

@@ -54,3 +54,15 @@ export type AdminSlackConfig = {
   clientId: string;
   clientSecret: string;
 };
+
+export type TGetServerRootKmsEncryptionDetails = {
+  strategies: {
+    strategy: RootKeyEncryptionStrategy;
+    enabled: boolean;
+  }[];
+};
+
+export enum RootKeyEncryptionStrategy {
+  Software = "SOFTWARE",
+  HSM = "HSM"
+}

frontend/src/hooks/api/certificateTemplates/types.ts

@@ -46,10 +46,9 @@ export type TDeleteCertificateTemplateDTO = {
 
 export type TCreateEstConfigDTO = {
   certificateTemplateId: string;
-  caChain?: string;
+  caChain: string;
   passphrase: string;
   isEnabled: boolean;
-  disableBootstrapCertValidation: boolean;
 };
 
 export type TUpdateEstConfigDTO = {
@@ -57,13 +56,11 @@ export type TUpdateEstConfigDTO = {
   caChain?: string;
   passphrase?: string;
   isEnabled?: boolean;
-  disableBootstrapCertValidation?: boolean;
 };
 
 export type TEstConfig = {
   id: string;
   certificateTemplateId: string;
   caChain: string;
-  isEnabled: boolean;
-  disableBootstrapCertValidation: boolean;
+  isEnabled: false;
 };

frontend/src/hooks/api/integrationAuth/queries.tsx

@@ -1,11 +1,10 @@
-import { useMutation, useQuery, useQueryClient, UseQueryOptions } from "@tanstack/react-query";
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
 
 import { workspaceKeys } from "../workspace";
 import {
   App,
-  BitBucketEnvironment,
   BitBucketWorkspace,
   ChecklyGroup,
   Environment,
@@ -95,17 +94,6 @@ const integrationAuthKeys = {
   }) => [{ integrationAuthId, appId }, "integrationAuthRailwayServices"] as const,
   getIntegrationAuthBitBucketWorkspaces: (integrationAuthId: string) =>
     [{ integrationAuthId }, "integrationAuthBitbucketWorkspaces"] as const,
-  getIntegrationAuthBitBucketEnvironments: (
-    integrationAuthId: string,
-    workspaceSlug: string,
-    repoSlug: string
-  ) =>
-    [
-      { integrationAuthId },
-      workspaceSlug,
-      repoSlug,
-      "integrationAuthBitbucketEnvironments"
-    ] as const,
   getIntegrationAuthNorthflankSecretGroups: ({
     integrationAuthId,
     appId
@@ -415,25 +403,6 @@ const fetchIntegrationAuthBitBucketWorkspaces = async (integrationAuthId: string
   return workspaces;
 };
 
-const fetchIntegrationAuthBitBucketEnvironments = async (
-  integrationAuthId: string,
-  workspaceSlug: string,
-  repoSlug: string
-) => {
-  const {
-    data: { environments }
-  } = await apiRequest.get<{ environments: BitBucketEnvironment[] }>(
-    `/api/v1/integration-auth/${integrationAuthId}/bitbucket/environments`,
-    {
-      params: {
-        workspaceSlug,
-        repoSlug
-      }
-    }
-  );
-  return environments;
-};
-
 const fetchIntegrationAuthNorthflankSecretGroups = async ({
   integrationAuthId,
   appId
@@ -758,30 +727,6 @@ export const useGetIntegrationAuthBitBucketWorkspaces = (integrationAuthId: stri
   });
 };
 
-export const useGetIntegrationAuthBitBucketEnvironments = (
-  {
-    integrationAuthId,
-    workspaceSlug,
-    repoSlug
-  }: {
-    integrationAuthId: string;
-    workspaceSlug: string;
-    repoSlug: string;
-  },
-  options?: UseQueryOptions<BitBucketEnvironment[]>
-) => {
-  return useQuery({
-    queryKey: integrationAuthKeys.getIntegrationAuthBitBucketEnvironments(
-      integrationAuthId,
-      workspaceSlug,
-      repoSlug
-    ),
-    queryFn: () =>
-      fetchIntegrationAuthBitBucketEnvironments(integrationAuthId, workspaceSlug, repoSlug),
-    ...options
-  });
-};
-
 export const useGetIntegrationAuthNorthflankSecretGroups = ({
   integrationAuthId,
   appId

frontend/src/hooks/api/integrationAuth/types.ts

@@ -79,12 +79,6 @@ export type BitBucketWorkspace = {
   slug: string;
 };
 
-export type BitBucketEnvironment = {
-  uuid: string;
-  name: string;
-  slug: string;
-};
-
 export type NorthflankSecretGroup = {
   name: string;
   groupId: string;

frontend/src/hooks/api/subscriptions/types.ts

@@ -23,6 +23,7 @@ export type SubscriptionPlan = {
   workspacesUsed: number;
   environmentLimit: number;
   samlSSO: boolean;
+  hsm: boolean;
   oidcSSO: boolean;
   scim: boolean;
   ldap: boolean;

frontend/src/layouts/AppLayout/AppLayout.tsx

@@ -282,7 +282,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
   );
 
   const { data: projectTemplates = [] } = useListProjectTemplates({
-    enabled: Boolean(canReadProjectTemplates && subscription?.projectTemplates)
+    enabled: canReadProjectTemplates && subscription?.projectTemplates
   });
 
   const onCreateProject = async ({ name, addMembers, kmsKeyId, template }: TAddProjectFormData) => {

frontend/src/pages/integrations/bitbucket/create.tsx

@@ -1,300 +1,196 @@
-import { useEffect } from "react";
-import { Controller, useForm } from "react-hook-form";
-import { SiBitbucket } from "react-icons/si";
+import { useEffect, useState } from "react";
 import { useRouter } from "next/router";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { z } from "zod";
+import queryString from "query-string";
+
+import { useCreateIntegration } from "@app/hooks/api";
 
-import { createNotification } from "@app/components/notifications";
 import {
   Button,
   Card,
   CardTitle,
-  FilterableSelect,
   FormControl,
   Input,
-  Spinner
-} from "@app/components/v2";
-import { useWorkspace } from "@app/context";
+  Select,
+  SelectItem
+} from "../../../components/v2";
 import {
-  useCreateIntegration,
   useGetIntegrationAuthApps,
-  useGetIntegrationAuthBitBucketWorkspaces
-} from "@app/hooks/api";
-import { useGetIntegrationAuthBitBucketEnvironments } from "@app/hooks/api/integrationAuth/queries";
-
-enum BitbucketScope {
-  Repo = "repo",
-  Env = "environment"
-}
-
-const ScopeOptions = [
-  {
-    label: "Repository",
-    value: BitbucketScope.Repo
-  },
-  {
-    label: "Deployment Environment",
-    value: BitbucketScope.Env
-  }
-];
-
-const formSchema = z
-  .object({
-    secretPath: z.string().default("/"),
-    sourceEnvironment: z.object({ name: z.string(), slug: z.string() }),
-    targetRepo: z.object({ name: z.string(), appId: z.string() }),
-    targetWorkspace: z.object({ name: z.string(), slug: z.string() }),
-    targetEnvironment: z.object({ name: z.string(), uuid: z.string() }).optional(),
-    scope: z.object({ label: z.string(), value: z.nativeEnum(BitbucketScope) })
-  })
-  .superRefine((val, ctx) => {
-    if (val.scope.value === BitbucketScope.Env && !val.targetEnvironment) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        path: ["targetEnvironment"],
-        message: "Required"
-      });
-    }
-  });
-
-type TFormData = z.infer<typeof formSchema>;
+  useGetIntegrationAuthBitBucketWorkspaces,
+  useGetIntegrationAuthById
+} from "../../../hooks/api/integrationAuth";
+import { useGetWorkspaceById } from "../../../hooks/api/workspace";
 
 export default function BitBucketCreateIntegrationPage() {
   const router = useRouter();
-  const createIntegration = useCreateIntegration();
+  const { mutateAsync } = useCreateIntegration();
 
-  const { watch, control, reset, handleSubmit } = useForm<TFormData>({
-    resolver: zodResolver(formSchema),
-    defaultValues: {
-      secretPath: "/"
-    }
-  });
+  const [targetAppId, setTargetAppId] = useState("");
+  const [targetEnvironmentId, setTargetEnvironmentId] = useState("");
 
-  const bitBucketWorkspace = watch("targetWorkspace");
-  const bitBucketRepo = watch("targetRepo");
+  const [selectedSourceEnvironment, setSelectedSourceEnvironment] = useState("");
+  const [secretPath, setSecretPath] = useState("/");
+  const [isLoading, setIsLoading] = useState(false);
 
-  const integrationAuthId = router.query.integrationAuthId as string;
-
-  const { currentWorkspace, isLoading: isProjectLoading } = useWorkspace();
-
-  const { data: bitbucketWorkspaces, isLoading: isBitbucketWorkspacesLoading } =
-    useGetIntegrationAuthBitBucketWorkspaces((integrationAuthId as string) ?? "");
-
-  const { data: bitbucketRepos, isLoading: isBitbucketReposLoading } = useGetIntegrationAuthApps({
-    integrationAuthId: (integrationAuthId as string) ?? "",
-    workspaceSlug: bitBucketWorkspace?.slug
-  });
-
-  const { data: bitbucketEnvironments } = useGetIntegrationAuthBitBucketEnvironments(
-    {
-      integrationAuthId: (integrationAuthId as string) ?? "",
-      workspaceSlug: bitBucketWorkspace?.slug,
-      repoSlug: bitBucketRepo?.appId
-    },
-    { enabled: Boolean(bitBucketWorkspace?.slug && bitBucketRepo?.appId) }
+  const { integrationAuthId } = queryString.parse(router.asPath.split("?")[1]);
+  const { data: integrationAuth } = useGetIntegrationAuthById((integrationAuthId as string) ?? "");
+  const { data: workspace } = useGetWorkspaceById(localStorage.getItem("projectData.id") ?? "");
+  const { data: targetEnvironments } = useGetIntegrationAuthBitBucketWorkspaces(
+    (integrationAuthId as string) ?? ""
   );
+  const { data: integrationAuthApps } = useGetIntegrationAuthApps({
+    integrationAuthId: (integrationAuthId as string) ?? "",
+    workspaceSlug: targetEnvironmentId
+  });
 
-  const onSubmit = async ({
-    targetRepo,
-    sourceEnvironment,
-    targetWorkspace,
-    secretPath,
-    targetEnvironment,
-    scope
-  }: TFormData) => {
+  useEffect(() => {
+    if (workspace) {
+      setSelectedSourceEnvironment(workspace.environments[0].slug);
+    }
+  }, [workspace]);
+
+  useEffect(() => {
+    if (integrationAuthApps) {
+      if (integrationAuthApps.length > 0) {
+        setTargetAppId(integrationAuthApps[0].appId as string);
+      } else {
+        setTargetAppId("none");
+      }
+    }
+  }, [integrationAuthApps]);
+
+  useEffect(() => {
+    if (targetEnvironments) {
+      if (targetEnvironments.length > 0) {
+        setTargetEnvironmentId(targetEnvironments[0].slug);
+      } else {
+        setTargetEnvironmentId("none");
+      }
+    }
+  }, [targetEnvironments]);
+
+  const handleButtonClick = async () => {
     try {
-      await createIntegration.mutateAsync({
-        integrationAuthId,
+      setIsLoading(true);
+
+      if (!integrationAuth?.id) return;
+
+      const targetApp = integrationAuthApps?.find(
+        (integrationAuthApp) => integrationAuthApp.appId === targetAppId
+      );
+      const targetEnvironment = targetEnvironments?.find(
+        (environment) => environment.slug === targetEnvironmentId
+      );
+
+      if (!targetApp || !targetApp.appId || !targetEnvironment) return;
+
+      await mutateAsync({
+        integrationAuthId: integrationAuth?.id,
         isActive: true,
-        app: targetRepo.name,
-        appId: targetRepo.appId,
-        sourceEnvironment: sourceEnvironment.slug,
-        targetEnvironment: targetWorkspace.name,
-        targetEnvironmentId: targetWorkspace.slug,
-        ...(scope.value === BitbucketScope.Env &&
-          targetEnvironment && {
-            targetService: targetEnvironment.name,
-            targetServiceId: targetEnvironment.uuid
-          }),
+        app: targetApp.name,
+        appId: targetApp.appId,
+        sourceEnvironment: selectedSourceEnvironment,
+        targetEnvironment: targetEnvironment.name,
+        targetEnvironmentId: targetEnvironment.slug,
         secretPath
       });
 
-      createNotification({
-        type: "success",
-        text: "Successfully created integration"
-      });
-      router.push(`/integrations/${currentWorkspace?.id}`);
+      setIsLoading(false);
+
+      router.push(`/integrations/${localStorage.getItem("projectData.id")}`);
     } catch (err) {
-      createNotification({
-        type: "error",
-        text: "Failed to create integration"
-      });
       console.error(err);
     }
   };
 
-  useEffect(() => {
-    if (!bitbucketRepos || !bitbucketWorkspaces || !currentWorkspace) return;
-
-    reset({
-      targetRepo: bitbucketRepos[0],
-      targetWorkspace: bitbucketWorkspaces[0],
-      sourceEnvironment: currentWorkspace.environments[0],
-      secretPath: "/",
-      scope: ScopeOptions[0]
-    });
-  }, [bitbucketWorkspaces, bitbucketRepos, currentWorkspace]);
-
-  if (isProjectLoading || isBitbucketWorkspacesLoading || isBitbucketReposLoading)
-    return (
-      <div className="flex h-full w-full items-center justify-center p-24">
-        <Spinner />
-      </div>
-    );
-
-  const scope = watch("scope");
-
-  return (
-    <form
-      onSubmit={handleSubmit(onSubmit)}
-      className="flex h-full w-full items-center justify-center"
-    >
-      <Card className="max-w-md rounded-md p-8 pt-4">
-        <CardTitle className=" text-center">
-          <SiBitbucket size="1.2rem" className="mr-2 mb-1 inline-block" />
-          Bitbucket Integration
-        </CardTitle>
-        <Controller
-          control={control}
-          name="sourceEnvironment"
-          render={({ field: { value, onChange }, fieldState: { error } }) => (
-            <FormControl
-              errorText={error?.message}
-              isError={Boolean(error)}
-              label="Project Environment"
-            >
-              <FilterableSelect
-                getOptionValue={(option) => option.slug}
-                value={value}
-                getOptionLabel={(option) => option.name}
-                onChange={onChange}
-                options={currentWorkspace?.environments}
-                placeholder="Select a project environment"
-                isDisabled={!bitbucketWorkspaces?.length}
-              />
-            </FormControl>
-          )}
-        />
-        <Controller
-          control={control}
-          name="secretPath"
-          render={({ field: { value, onChange }, fieldState: { error } }) => (
-            <FormControl isError={Boolean(error)} label="Secrets Path">
-              <Input
-                value={value}
-                onChange={onChange}
-                placeholder={'Provide a path (defaults to "/")'}
-              />
-            </FormControl>
-          )}
-        />
-        <Controller
-          control={control}
-          name="targetWorkspace"
-          render={({ field: { value, onChange }, fieldState: { error } }) => (
-            <FormControl
-              errorText={error?.message}
-              isError={Boolean(error)}
-              label="Bitbucket Workspace"
-            >
-              <FilterableSelect
-                getOptionValue={(option) => option.slug}
-                value={value}
-                getOptionLabel={(option) => option.name}
-                onChange={onChange}
-                options={bitbucketWorkspaces}
-                placeholder={
-                  bitbucketWorkspaces?.length ? "Select a workspace..." : "No workspaces found..."
-                }
-                isDisabled={!bitbucketWorkspaces?.length}
-              />
-            </FormControl>
-          )}
-        />
-        <Controller
-          control={control}
-          name="targetRepo"
-          render={({ field: { value, onChange }, fieldState: { error } }) => (
-            <FormControl errorText={error?.message} isError={Boolean(error)} label="Bitbucket Repo">
-              <FilterableSelect
-                getOptionValue={(option) => option.appId!}
-                value={value}
-                getOptionLabel={(option) => option.name}
-                onChange={onChange}
-                options={bitbucketRepos}
-                placeholder={
-                  bitbucketRepos?.length ? "Select a repository..." : "No repositories found..."
-                }
-                isDisabled={!bitbucketRepos?.length}
-              />
-            </FormControl>
-          )}
-        />
-        <Controller
-          control={control}
-          name="scope"
-          render={({ field: { value, onChange }, fieldState: { error } }) => (
-            <FormControl errorText={error?.message} isError={Boolean(error)} label="Scope">
-              <FilterableSelect
-                value={value}
-                getOptionValue={(option) => option.value}
-                getOptionLabel={(option) => option.label}
-                onChange={onChange}
-                options={ScopeOptions}
-              />
-            </FormControl>
-          )}
-        />
-
-        {scope?.value === BitbucketScope.Env && (
-          <Controller
-            control={control}
-            name="targetEnvironment"
-            render={({ field: { value, onChange }, fieldState: { error } }) => (
-              <FormControl
-                errorText={error?.message}
-                isError={Boolean(error)}
-                label="Bitbucket Deployment Environment"
+  return integrationAuth &&
+    workspace &&
+    selectedSourceEnvironment &&
+    integrationAuthApps &&
+    targetEnvironments ? (
+    <div className="flex h-full w-full items-center justify-center">
+      <Card className="max-w-md rounded-md p-8">
+        <CardTitle className="text-center">BitBucket Integration</CardTitle>
+        <FormControl label="Project Environment" className="mt-4">
+          <Select
+            value={selectedSourceEnvironment}
+            onValueChange={(val) => setSelectedSourceEnvironment(val)}
+            className="w-full border border-mineshaft-500"
+          >
+            {workspace?.environments.map((sourceEnvironment) => (
+              <SelectItem
+                value={sourceEnvironment.slug}
+                key={`source-environment-${sourceEnvironment.slug}`}
               >
-                <FilterableSelect
-                  getOptionValue={(option) => option.uuid}
-                  value={value}
-                  getOptionLabel={(option) => option.name}
-                  onChange={onChange}
-                  options={bitbucketEnvironments}
-                  placeholder={
-                    bitbucketEnvironments?.length
-                      ? "Select an environment..."
-                      : "No environments found..."
-                  }
-                  isDisabled={!bitbucketEnvironments?.length}
-                />
-              </FormControl>
-            )}
+                {sourceEnvironment.name}
+              </SelectItem>
+            ))}
+          </Select>
+        </FormControl>
+        <FormControl label="Secrets Path">
+          <Input
+            value={secretPath}
+            onChange={(evt) => setSecretPath(evt.target.value)}
+            placeholder="Provide a path, default is /"
           />
-        )}
+        </FormControl>
+        <FormControl label="BitBucket Workspace">
+          <Select
+            value={targetEnvironmentId}
+            onValueChange={(val) => setTargetEnvironmentId(val)}
+            className="w-full border border-mineshaft-500"
+            isDisabled={targetEnvironments.length === 0}
+          >
+            {targetEnvironments.length > 0 ? (
+              targetEnvironments.map((targetEnvironment) => (
+                <SelectItem
+                  value={targetEnvironment.slug as string}
+                  key={`target-environment-${targetEnvironment.slug as string}`}
+                >
+                  {targetEnvironment.name}
+                </SelectItem>
+              ))
+            ) : (
+              <SelectItem value="none" key="target-environment-none">
+                No workspaces found
+              </SelectItem>
+            )}
+          </Select>
+        </FormControl>
+        <FormControl label="BitBucket Repo">
+          <Select
+            value={targetAppId}
+            onValueChange={(val) => setTargetAppId(val)}
+            className="w-full border border-mineshaft-500"
+          >
+            {integrationAuthApps.length > 0 ? (
+              integrationAuthApps.map((integrationAuthApp) => (
+                <SelectItem
+                  value={integrationAuthApp.appId as string}
+                  key={`target-app-${integrationAuthApp.appId as string}`}
+                >
+                  {integrationAuthApp.name}
+                </SelectItem>
+              ))
+            ) : (
+              <SelectItem value="none" key="target-app-none">
+                No repositories found
+              </SelectItem>
+            )}
+          </Select>
+        </FormControl>
         <Button
-          type="submit"
-          colorSchema="primary"
+          onClick={handleButtonClick}
+          color="mineshaft"
           className="mt-4"
-          isLoading={createIntegration.isLoading}
-          isDisabled={createIntegration.isLoading || !bitbucketRepos?.length}
+          isLoading={isLoading}
+          isDisabled={integrationAuthApps.length === 0}
         >
           Create Integration
         </Button>
       </Card>
-    </form>
+    </div>
+  ) : (
+    <div />
   );
 }
 

frontend/src/pages/org/[id]/overview/index.tsx

@@ -589,7 +589,7 @@ const OrganizationPage = () => {
   );
 
   const { data: projectTemplates = [] } = useListProjectTemplates({
-    enabled: Boolean(canReadProjectTemplates && subscription?.projectTemplates)
+    enabled: canReadProjectTemplates && subscription?.projectTemplates
   });
 
   const isAddingProjectsAllowed = subscription?.workspaceLimit

frontend/src/views/IntegrationsPage/IntegrationDetailsPage/components/IntegrationConnectionSection.tsx

@@ -53,8 +53,6 @@ export const IntegrationConnectionSection = ({ integration }: Props) => {
         case "aws-parameter-store":
         case "rundeck":
           return "Path";
-        case "bitbucket":
-          return "Repository";
         case "github":
           if (["github-env", "github-repo"].includes(integration.scope!)) {
             return "Repository";
@@ -94,18 +92,10 @@ export const IntegrationConnectionSection = ({ integration }: Props) => {
   };
 
   const targetEnvironmentDetails = () => {
-    if (integration.integration === "bitbucket") {
-      return (
-        <div className="flex flex-col">
-          <FormLabel className="text-sm font-semibold text-mineshaft-300" label="Workspace" />
-          <div className="text-sm text-mineshaft-300">
-            {integration.targetEnvironment || integration.targetEnvironmentId}
-          </div>
-        </div>
-      );
-    }
     if (
-      ["vercel", "netlify", "railway", "gitlab", "teamcity"].includes(integration.integration) ||
+      ["vercel", "netlify", "railway", "gitlab", "teamcity", "bitbucket"].includes(
+        integration.integration
+      ) ||
       (integration.integration === "github" && integration.scope === "github-env")
     ) {
       return (
@@ -163,18 +153,6 @@ export const IntegrationConnectionSection = ({ integration }: Props) => {
       );
     }
 
-    if (integration.integration === "bitbucket" && integration.targetServiceId) {
-      return (
-        <div>
-          <FormLabel
-            className="text-sm font-semibold text-mineshaft-300"
-            label="Deployment Environment"
-          />
-          <div className="text-sm text-mineshaft-300">{integration.targetService}</div>
-        </div>
-      );
-    }
-
     return null;
   };
 

frontend/src/views/IntegrationsPage/components/IntegrationsSection/ConfiguredIntegrationItem.tsx

@@ -53,7 +53,7 @@ export const ConfiguredIntegrationItem = ({
             {integration.secretPath}
           </div>
         </div>
-        <div className="mt-3 flex h-full items-center">
+        <div className="flex h-full items-center">
           <FontAwesomeIcon icon={faArrowRight} className="mx-4 text-gray-400" />
         </div>
         <div className="ml-4 flex flex-col">
@@ -107,7 +107,6 @@ export const ConfiguredIntegrationItem = ({
               label={
                 (integration.integration === "qovery" && integration?.scope) ||
                 (integration.integration === "circleci" && "Project") ||
-                (integration.integration === "bitbucket" && "Repository") ||
                 (integration.integration === "aws-secret-manager" && "Secret") ||
                 (["aws-parameter-store", "rundeck"].includes(integration.integration) && "Path") ||
                 (integration?.integration === "terraform-cloud" && "Project") ||
@@ -134,6 +133,7 @@ export const ConfiguredIntegrationItem = ({
           integration.integration === "railway" ||
           integration.integration === "gitlab" ||
           integration.integration === "teamcity" ||
+          integration.integration === "bitbucket" ||
           (integration.integration === "github" && integration.scope === "github-env")) && (
           <div className="ml-4 flex flex-col">
             <FormLabel label="Target Environment" />
@@ -142,24 +142,6 @@ export const ConfiguredIntegrationItem = ({
             </div>
           </div>
         )}
-        {integration.integration === "bitbucket" && (
-          <>
-            {integration.targetServiceId && (
-              <div className="ml-2 flex flex-col">
-                <FormLabel label="Environment" />
-                <div className="min-w-[8rem] overflow-clip text-ellipsis whitespace-nowrap rounded-md border border-mineshaft-700 bg-mineshaft-900 px-3 py-2 font-inter text-sm text-bunker-200">
-                  {integration.targetService || integration.targetServiceId}
-                </div>
-              </div>
-            )}
-            <div className="ml-2 flex flex-col">
-              <FormLabel label="Workspace" />
-              <div className="overflow-clip text-ellipsis whitespace-nowrap rounded-md border border-mineshaft-700 bg-mineshaft-900 px-3 py-2 font-inter text-sm text-bunker-200">
-                {integration.targetEnvironment || integration.targetEnvironmentId}
-              </div>
-            </div>
-          </>
-        )}
         {integration.integration === "checkly" && integration.targetService && (
           <div className="ml-2">
             <FormLabel label="Group" />

frontend/src/views/Project/CertificatesPage/components/CertificatesTab/components/CertificateTemplateEnrollmentModal.tsx

@@ -33,10 +33,9 @@ type Props = {
 
 const schema = z.object({
   method: z.nativeEnum(EnrollmentMethod),
-  caChain: z.string().optional(),
+  caChain: z.string(),
   passphrase: z.string().optional(),
-  isEnabled: z.boolean(),
-  disableBootstrapCertValidation: z.boolean().optional().default(false)
+  isEnabled: z.boolean()
 });
 
 export type FormData = z.infer<typeof schema>;
@@ -54,8 +53,6 @@ export const CertificateTemplateEnrollmentModal = ({ popUp, handlePopUpToggle }:
     handleSubmit,
     reset,
     setError,
-    watch,
-    setValue,
     formState: { isSubmitting }
   } = useForm<FormData>({
     resolver: zodResolver(schema)
@@ -65,26 +62,16 @@ export const CertificateTemplateEnrollmentModal = ({ popUp, handlePopUpToggle }:
   const { mutateAsync: updateEstConfig } = useUpdateEstConfig();
   const [isPassphraseFocused, setIsPassphraseFocused] = useToggle(false);
 
-  const disableBootstrapCertValidation = watch("disableBootstrapCertValidation");
-
-  useEffect(() => {
-    if (disableBootstrapCertValidation) {
-      setValue("caChain", "");
-    }
-  }, [disableBootstrapCertValidation]);
-
   useEffect(() => {
     if (data) {
       reset({
         caChain: data.caChain,
-        isEnabled: data.isEnabled,
-        disableBootstrapCertValidation: data.disableBootstrapCertValidation
+        isEnabled: data.isEnabled
       });
     } else {
       reset({
         caChain: "",
-        isEnabled: false,
-        disableBootstrapCertValidation: false
+        isEnabled: false
       });
     }
   }, [data]);
@@ -96,8 +83,7 @@ export const CertificateTemplateEnrollmentModal = ({ popUp, handlePopUpToggle }:
           certificateTemplateId,
           caChain,
           passphrase,
-          isEnabled,
-          disableBootstrapCertValidation
+          isEnabled
         });
       } else {
         if (!passphrase) {
@@ -109,8 +95,7 @@ export const CertificateTemplateEnrollmentModal = ({ popUp, handlePopUpToggle }:
           certificateTemplateId,
           caChain,
           passphrase,
-          isEnabled,
-          disableBootstrapCertValidation
+          isEnabled
         });
       }
 
@@ -167,43 +152,22 @@ export const CertificateTemplateEnrollmentModal = ({ popUp, handlePopUpToggle }:
           )}
           <Controller
             control={control}
-            name="disableBootstrapCertValidation"
-            render={({ field, fieldState: { error } }) => {
-              return (
-                <FormControl isError={Boolean(error)} errorText={error?.message}>
-                  <Switch
-                    id="skip-bootstrap-cert-validation"
-                    onCheckedChange={(value) => field.onChange(value)}
-                    isChecked={field.value}
-                  >
-                    <p className="ml-1 w-full">Disable Bootstrap Certificate Validation</p>
-                  </Switch>
-                </FormControl>
-              );
-            }}
+            name="caChain"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="Certificate Authority Chain"
+                isError={Boolean(error)}
+                errorText={error?.message}
+                isRequired
+              >
+                <TextArea
+                  {...field}
+                  className="min-h-[15rem] border-none bg-mineshaft-900 text-gray-400"
+                  reSize="none"
+                />
+              </FormControl>
+            )}
           />
-          {!disableBootstrapCertValidation && (
-            <Controller
-              control={control}
-              name="caChain"
-              disabled={disableBootstrapCertValidation}
-              render={({ field, fieldState: { error } }) => (
-                <FormControl
-                  label="Certificate Authority Chain"
-                  isError={Boolean(error)}
-                  errorText={error?.message}
-                  isRequired={!disableBootstrapCertValidation}
-                >
-                  <TextArea
-                    {...field}
-                    isDisabled={disableBootstrapCertValidation}
-                    className="min-h-[15rem] border-none bg-mineshaft-900 text-gray-400"
-                    reSize="none"
-                  />
-                </FormControl>
-              )}
-            />
-          )}
           <Controller
             control={control}
             name="passphrase"

frontend/src/views/Project/MembersPage/components/MembersTab/components/AddMemberModal.tsx

@@ -15,10 +15,10 @@ import {
   DropdownMenuContent,
   DropdownMenuItem,
   DropdownMenuTrigger,
-  FilterableSelect,
   FormControl,
   Modal,
-  ModalContent
+  ModalContent,
+  MultiSelect
 } from "@app/components/v2";
 import { useOrganization, useWorkspace } from "@app/context";
 import {
@@ -153,7 +153,7 @@ export const AddMemberModal = ({ popUp, handlePopUpToggle }: Props) => {
                     errorText={errors.orgMemberships?.[0]?.message}
                     label="Invite users to project"
                   >
-                    <FilterableSelect
+                    <MultiSelect
                       className="w-full"
                       placeholder="Add one or more users..."
                       isMulti

frontend/src/views/SecretMainPage/components/CreateSecretForm/CreateSecretForm.tsx

@@ -6,7 +6,7 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
 
 import { createNotification } from "@app/components/notifications";
-import { Button, FilterableSelect, FormControl, Input } from "@app/components/v2";
+import { Button, FormControl, Input, MultiSelect } from "@app/components/v2";
 import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
 import { ProjectPermissionActions, ProjectPermissionSub, useProjectPermission } from "@app/context";
 import { getKeyValue } from "@app/helpers/parseEnvVar";
@@ -148,7 +148,7 @@ export const CreateSecretForm = ({
               )
             }
           >
-            <FilterableSelect
+            <MultiSelect
               className="w-full"
               placeholder="Select tags to assign to secret..."
               isMulti

frontend/src/views/SecretOverviewPage/components/CreateSecretForm/CreateSecretForm.tsx

@@ -10,10 +10,10 @@ import { createNotification } from "@app/components/notifications";
 import {
   Button,
   Checkbox,
-  FilterableSelect,
   FormControl,
   FormLabel,
   Input,
+  MultiSelect,
   Tooltip
 } from "@app/components/v2";
 import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
@@ -249,7 +249,7 @@ export const CreateSecretForm = ({ secretPath = "/", getSecretByKey, onClose }:
               )
             }
           >
-            <FilterableSelect
+            <MultiSelect
               className="w-full"
               placeholder="Select tags to assign to secrets..."
               isMulti

frontend/src/views/admin/DashboardPage/DashboardPage.tsx

@@ -22,15 +22,21 @@ import {
   Tabs
 } from "@app/components/v2";
 import { useOrganization, useServerConfig, useUser } from "@app/context";
-import { useGetOrganizations, useUpdateServerConfig } from "@app/hooks/api";
+import {
+  useGetOrganizations,
+  useGetServerRootKmsEncryptionDetails,
+  useUpdateServerConfig
+} from "@app/hooks/api";
 
 import { AuthPanel } from "./AuthPanel";
+import { EncryptionPanel } from "./EncryptionPanel";
 import { IntegrationPanel } from "./IntegrationPanel";
 import { RateLimitPanel } from "./RateLimitPanel";
 import { UserPanel } from "./UserPanel";
 
 enum TabSections {
   Settings = "settings",
+  Encryption = "encryption",
   Auth = "auth",
   RateLimit = "rate-limit",
   Integrations = "integrations",
@@ -55,6 +61,7 @@ type TDashboardForm = z.infer<typeof formSchema>;
 export const AdminDashboardPage = () => {
   const router = useRouter();
   const data = useServerConfig();
+  const { data: serverRootKmsDetails } = useGetServerRootKmsEncryptionDetails();
   const { config } = data;
 
   const {
@@ -137,6 +144,7 @@ export const AdminDashboardPage = () => {
             <TabList>
               <div className="flex w-full flex-row border-b border-mineshaft-600">
                 <Tab value={TabSections.Settings}>General</Tab>
+                <Tab value={TabSections.Encryption}>Encryption</Tab>
                 <Tab value={TabSections.Auth}>Authentication</Tab>
                 <Tab value={TabSections.RateLimit}>Rate Limit</Tab>
                 <Tab value={TabSections.Integrations}>Integrations</Tab>
@@ -321,6 +329,9 @@ export const AdminDashboardPage = () => {
                 </Button>
               </form>
             </TabPanel>
+            <TabPanel value={TabSections.Encryption}>
+              <EncryptionPanel rootKmsDetails={serverRootKmsDetails} />
+            </TabPanel>
             <TabPanel value={TabSections.Auth}>
               <AuthPanel />
             </TabPanel>

frontend/src/views/admin/DashboardPage/EncryptionPanel.tsx

@@ -0,0 +1,137 @@
+import { useCallback } from "react";
+import { Controller, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, FormControl, Select, SelectItem, UpgradePlanModal } from "@app/components/v2";
+import { useSubscription } from "@app/context";
+import { usePopUp } from "@app/hooks";
+import { useUpdateServerEncryptionStrategy } from "@app/hooks/api";
+import {
+  RootKeyEncryptionStrategy,
+  TGetServerRootKmsEncryptionDetails
+} from "@app/hooks/api/admin/types";
+
+const formSchema = z.object({
+  encryptionStrategy: z.nativeEnum(RootKeyEncryptionStrategy)
+});
+
+const strategies: Record<RootKeyEncryptionStrategy, string> = {
+  [RootKeyEncryptionStrategy.Software]: "Software-based Encryption",
+  [RootKeyEncryptionStrategy.HSM]: "Hardware Security Module (HSM)"
+};
+
+type TForm = z.infer<typeof formSchema>;
+
+type Props = {
+  rootKmsDetails?: TGetServerRootKmsEncryptionDetails;
+};
+
+export const EncryptionPanel = ({ rootKmsDetails }: Props) => {
+  const { mutateAsync: updateEncryptionStrategy } = useUpdateServerEncryptionStrategy();
+  const { subscription } = useSubscription();
+
+  const { popUp, handlePopUpOpen, handlePopUpToggle } = usePopUp(["upgradePlan"] as const);
+
+  const {
+    control,
+    handleSubmit,
+    formState: { isSubmitting, isDirty }
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema),
+    values: {
+      encryptionStrategy:
+        rootKmsDetails?.strategies?.find((s) => s.enabled)?.strategy ??
+        RootKeyEncryptionStrategy.Software
+    }
+  });
+
+  const onSubmit = useCallback(async (formData: TForm) => {
+    if (!subscription) return;
+
+    if (!subscription.hsm) {
+      handlePopUpOpen("upgradePlan", {
+        description: "Hardware Security Module's (HSM's), are only available on Enterprise plans."
+      });
+      return;
+    }
+
+    try {
+      await updateEncryptionStrategy(formData.encryptionStrategy);
+
+      createNotification({
+        type: "success",
+        text: "Encryption strategy updated successfully"
+      });
+    } catch {
+      createNotification({
+        type: "error",
+        text: "Failed to update encryption strategy"
+      });
+    }
+  }, []);
+
+  return (
+    <>
+      <form
+        className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4"
+        onSubmit={handleSubmit(onSubmit)}
+      >
+        <div className="flex flex-col justify-start">
+          <div className="flex w-full justify-between">
+            <div className="mb-2 text-xl font-semibold text-mineshaft-100">
+              KMS Encryption Strategy
+            </div>
+          </div>
+          <div className="mb-4 max-w-sm text-sm text-mineshaft-400">
+            Select which type of encryption strategy you want to use for your KMS root key. HSM is
+            supported on Enterprise plans.
+          </div>
+
+          {!!rootKmsDetails && (
+            <Controller
+              control={control}
+              name="encryptionStrategy"
+              render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+                <FormControl
+                  className="max-w-sm"
+                  errorText={error?.message}
+                  isError={Boolean(error)}
+                >
+                  <Select
+                    className="w-full bg-mineshaft-700"
+                    dropdownContainerClassName="bg-mineshaft-800"
+                    defaultValue={field.value}
+                    onValueChange={(e) => onChange(e)}
+                    {...field}
+                  >
+                    {rootKmsDetails.strategies?.map((strategy) => (
+                      <SelectItem key={strategy.strategy} value={strategy.strategy}>
+                        {strategies[strategy.strategy]}
+                      </SelectItem>
+                    ))}
+                  </Select>
+                </FormControl>
+              )}
+            />
+          )}
+        </div>
+
+        <Button
+          className="mt-2"
+          type="submit"
+          isLoading={isSubmitting}
+          isDisabled={isSubmitting || !isDirty}
+        >
+          Save
+        </Button>
+      </form>
+      <UpgradePlanModal
+        isOpen={popUp.upgradePlan.isOpen}
+        onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
+        text={(popUp.upgradePlan?.data as { description: string })?.description}
+      />
+    </>
+  );
+};

package-lock.json

@@ -7,7 +7,8 @@
 			"name": "infisical",
 			"license": "ISC",
 			"dependencies": {
-				"@radix-ui/react-radio-group": "^1.1.3"
+				"@radix-ui/react-radio-group": "^1.1.3",
+				"secrets.js-grempe": "^2.0.0"
 			},
 			"devDependencies": {
 				"@types/uuid": "^9.0.7",
@@ -1392,6 +1393,12 @@
 				"loose-envify": "^1.1.0"
 			}
 		},
+		"node_modules/secrets.js-grempe": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/secrets.js-grempe/-/secrets.js-grempe-2.0.0.tgz",
+			"integrity": "sha512-4xkOIaDAg998dTFXZUJTOoVbdLHfB818SMeLJ69ABccgGEKokxsoRFupAFfAImloUSKv4QUGNMgKVbKMf6z0Ug==",
+			"license": "MIT"
+		},
 		"node_modules/shebang-command": {
 			"version": "2.0.0",
 			"resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
@@ -2457,6 +2464,11 @@
 				"loose-envify": "^1.1.0"
 			}
 		},
+		"secrets.js-grempe": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/secrets.js-grempe/-/secrets.js-grempe-2.0.0.tgz",
+			"integrity": "sha512-4xkOIaDAg998dTFXZUJTOoVbdLHfB818SMeLJ69ABccgGEKokxsoRFupAFfAImloUSKv4QUGNMgKVbKMf6z0Ug=="
+		},
 		"shebang-command": {
 			"version": "2.0.0",
 			"resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",

package.json

@@ -24,6 +24,7 @@
 		"husky": "^8.0.3"
 	},
 	"dependencies": {
-		"@radix-ui/react-radio-group": "^1.1.3"
+		"@radix-ui/react-radio-group": "^1.1.3",
+		"secrets.js-grempe": "^2.0.0"
 	}
 }