Merge pull request #612 from Infisical/migration-script

Add migration script for server key re-encryption

backend/src/utils/setup/index.ts

@@ -59,8 +59,8 @@ export const setup = async () => {
     
     // re-encrypt any data previously encrypted under server hex 128-bit ENCRYPTION_KEY
     // to base64 256-bit ROOT_ENCRYPTION_KEY
-    await reencryptBotPrivateKeys();
-    await reencryptSecretBlindIndexDataSalts();
+    // await reencryptBotPrivateKeys();
+    // await reencryptSecretBlindIndexDataSalts();
 
     // initializing Sentry
     Sentry.init({

cli/packages/util/vault.go

@@ -33,7 +33,7 @@ func GetKeyRing() (keyring.Keyring, error) {
 		LibSecretCollectionName:        KEYRING_SERVICE_NAME,
 		KWalletAppID:                   KEYRING_SERVICE_NAME,
 		KWalletFolder:                  KEYRING_SERVICE_NAME,
-		KeychainName:                   "infisical", // default so user will not be prompted
+		KeychainName:                   "login", // default so user will not be prompted
 		KeychainTrustApplication:       true,
 		WinCredPrefix:                  KEYRING_SERVICE_NAME,
 		FileDir:                        fmt.Sprintf("~/%s-file-vault", KEYRING_SERVICE_NAME),

docs/self-hosting/deployment-options/aws-ec2.mdx

@@ -12,6 +12,10 @@ This deployment option will use AWS Cloudformation to auto deploy an instance of
 - 1 DocumentDB instance 
 - Security groups
 
+<Info>
+Once installation is complete, you will have to create the first account. No default account is provided.
+</Info>
+
 <a href="https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://ec2-instance-cloudformation.s3.amazonaws.com/infisical-ec2-deployment.template&stackName=infisical">
     <img width="200" src="../../images/deploy-aws-button.png" />
 </a>

docs/self-hosting/deployment-options/docker-compose.mdx

@@ -37,7 +37,7 @@ nano .env
   Infisical assumes that you have configured HTTPS. If you didn't configure HTTPS, set `HTTPS_ENABLED` to `false` in the .env file to avoid frequent logouts.
 </Info>
 
-## Get the service up and running.
+## Get the service up and running
 
 ```bash
 # Start up services in detached mode
@@ -45,3 +45,7 @@ docker-compose -f docker-compose.yml up -d
 ```
 
 Your Infisical installation is complete and should be running on [http://localhost:80](http://localhost:80). Please note that the containers are not exposed to the internet and only bind to the localhost. It's up to you to configure a firewall, SSL certificates, and implement any additional security measures.
+
+<Info>
+Once installation is complete, you will have to create the first account. No default account is provided.
+</Info>

docs/self-hosting/deployment-options/fly.io.mdx

@@ -58,3 +58,6 @@ Once done, your very own instance of Infisical should be up and running on Fly.i
 
 Please note that this version of Infisical requires at least 250MB of memory to operate smoothly.
 
+<Info>
+Once installation is complete, you will have to create the first account. No default account is provided.
+</Info>

docs/self-hosting/deployment-options/kubernetes-helm.mdx

@@ -213,4 +213,7 @@ helm install infisical-helm-charts/infisical --generate-name --values /path/to/v
 
 ## Access Infisical
 Allow 3-5 minutes for the deployment to complete. Once done, you should now be able to access Infisical on the IP address exposed via Ingress on your load balancer. If you are not sure what the IP address is run `kubectl get ingress` to view the external IP address exposing Infisical.
-  
+  
+<Info>
+Once installation is complete, you will have to create the first account. No default account is provided.
+</Info>

docs/self-hosting/deployment-options/render.mdx

@@ -12,4 +12,10 @@ Before you start deployment, you will need to obtain document db connection stri
 
 You can create a document db database using services such as [MongoDB](https://www.mongodb.com/), [AWS DocumentDB](https://aws.amazon.com/documentdb/), and others. Once done, click the link below to start deployment.
 
-### **[Deploy to Render](https://render.com/deploy?repo=https://github.com/Infisical/infisical)**
+### **[Deploy to Render](https://render.com/deploy?repo=https://github.com/Infisical/infisical)**
+
+#
+
+<Info>
+Once installation is complete, you will have to create the first account. No default account is provided.
+</Info>

docs/self-hosting/deployment-options/standalone-infisical.mdx

@@ -17,9 +17,9 @@ Open your terminal or command prompt and enter the following command to pull the
 docker pull infisical/infisical:latest
 ```
 
-## Create a .env file
-The Infisical Docker image requires a .env file to manage environment variables. 
-Create a new file called .env in your preferred location. Add the required environment variables listed below. View [all configurable environment variables](../configuration/envars)
+## Run with docker 
+The Infisical Docker image requires several required environment variables. 
+Add the required environment variables listed below to your docker run command. View [all configurable environment variables](../configuration/envars)
 
 
 <ParamField query="ENCRYPTION_KEY" type="string" default="none" required>
@@ -51,28 +51,26 @@ Create a new file called .env in your preferred location. Add the required envir
 </ParamField>
 
 
-```env .example-env
-ENCRYPTION_KEY=f40c9178624764ad85a6830b37ce239a 
-JWT_SIGNUP_SECRET=38ea90fb7998b92176080f457d890392 
-JWT_REFRESH_SECRET=7764c7bbf3928ad501591a3e005eb364
-JWT_AUTH_SECRET=5239fea3a4720c0e524f814a540e14a2
-JWT_SERVICE_SECRET=8509fb8b90c9b53e9e61d1e35826dcb5 
-MONGO_URL=<>
+Once you have added the required environment variables to your docker run command, execute it in your terminal.
+
+```bash
+docker run -p 80:80  \
+-e ENCRYPTION_KEY=f40c9178624764ad85a6830b37ce239a \
+-e JWT_SIGNUP_SECRET=38ea90fb7998b92176080f457d890392 \
+-e JWT_REFRESH_SECRET=7764c7bbf3928ad501591a3e005eb364 \
+-e JWT_AUTH_SECRET=5239fea3a4720c0e524f814a540e14a2 \
+-e JWT_SERVICE_SECRET=8509fb8b90c9b53e9e61d1e35826dcb5  \
+-e MONGO_URL="<>" \
+infisical/infisical:latest
 ```
 
 <Warning>
   The sample environment variables listed above are only to be used as an example and should not be used in production 
 </Warning>
 
-## Run the Infisical Docker container:
-
-In the terminal or command prompt, navigate to the directory containing the .env file you created. Run the following command to start the Infisical Docker container:
-
-```
-docker run --name infisical-app --env-file ./.env -p 80:80 infisical/infisical:latest
-```
-
-This command will create a new container named infisical-app using the Infisical Docker image. It will also load the environment variables from the .env file and map the container's port 80 to the host's port 80.
-
 ## Verify the installation:
-Once the container is running, open a web browser and navigate to http://localhost:80. That's it! You have successfully installed the Infisical application using a single Docker image.
+Once the container is running, open a web browser and navigate to http://localhost:80. That's it! You have successfully installed the Infisical application using a single Docker image.
+
+<Info>
+Once installation is complete, you will have to create the first account. No default account is provided.
+</Info>

migration/.eslintrc.js

@@ -0,0 +1,8 @@
+module.exports = {
+    "parserOptions": {
+      "ecmaVersion": 2017
+    },
+    "env": {
+      "es6": true
+    }
+  }

migration/README.md

@@ -0,0 +1,3 @@
+As Infisical's codebase matures, there are structural things that we need to change.
+
+This folder houses various migration scripts that can be used to upgrade self-hosted installations of Infisical to be compatible with newer versions.

migration/models/bot.js

@@ -0,0 +1,61 @@
+var mongoose = require('mongoose');
+
+var botSchema = new mongoose.Schema(
+	{
+        name: {
+            type: String,
+            required: true
+        },
+        workspace: {
+            type: mongoose.Schema.Types.ObjectId,
+            ref: 'Workspace',
+            required: true
+        },
+        isActive: {
+            type: Boolean,
+            required: true,
+            default: false
+        },
+        publicKey: {
+            type: String,
+            required: true
+        },
+        encryptedPrivateKey: {
+            type: String,
+            required: true,
+            select: false
+        },
+        iv: {
+            type: String,
+            required: true,
+            select: false
+        },
+        tag: {
+            type: String,
+            required: true,
+            select: false
+        },
+        algorithm: { // the encryption algorithm used
+            type: String,
+            enum: ['aes-256-gcm'],
+            required: true,
+            select: false
+        },
+        keyEncoding: {
+            type: String,
+            enum: [
+                'utf8',
+                'base64'
+            ],
+            required: true,
+            select: false
+        }
+	},
+	{
+		timestamps: true
+	}
+);
+
+var Bot = mongoose.model('Bot', botSchema);
+
+module.exports = Bot;

migration/models/secretBlindIndexData.js

@@ -0,0 +1,43 @@
+var mongoose = require('mongoose');
+
+var secretBlindIndexDataSchema = new mongoose.Schema(
+    {
+        workspace: {
+            type: mongoose.Schema.Types.ObjectId,
+            ref: 'Workspace',
+            required: true
+        },
+        encryptedSaltCiphertext:{
+            type: String,
+            required: true
+        },
+        saltIV: {
+            type: String,
+            required: true
+        },
+        saltTag: {
+            type: String,
+            required: true
+        },
+        algorithm: {
+            type: String,
+            enum: ['aes-256-gcm'],
+            required: true,
+            select: false
+        },
+        keyEncoding: {
+            type: String,
+            enum: [
+                'utf8',
+                'base64'
+            ],
+            required: true,
+            select: false
+        }
+
+    }
+);
+
+var SecretBlindIndexData = mongoose.model('SecretBlindIndexData', secretBlindIndexDataSchema);
+
+module.exports = SecretBlindIndexData;

migration/models/user.js

@@ -0,0 +1,83 @@
+var mongoose = require('mongoose');
+
+var userSchema = new mongoose.Schema(
+	{
+		email: {
+			type: String,
+			required: true
+		},
+		firstName: {
+			type: String
+		},
+		lastName: {
+			type: String
+		},
+		encryptionVersion: {
+			type: Number,
+			select: false,
+			default: 1 // to resolve backward-compatibility issues
+		},
+		protectedKey: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
+		protectedKeyIV: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
+		protectedKeyTag: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
+		publicKey: {
+			type: String,
+			select: false
+		},
+		encryptedPrivateKey: {
+			type: String,
+			select: false
+		},
+		iv: { // iv of [encryptedPrivateKey]
+			type: String,
+			select: false
+		},
+		tag: { // tag of [encryptedPrivateKey]
+			type: String,
+			select: false
+		},
+		salt: {
+			type: String,
+			select: false
+		},
+		verifier: {
+			type: String,
+			select: false
+		},
+		refreshVersion: {
+			type: Number,
+			default: 0,
+			select: false
+		},
+		isMfaEnabled: {
+			type: Boolean,
+			default: false
+		},
+		mfaMethods: [{
+			type: String
+		}],
+		devices: {
+			type: [{
+				ip: String,
+				userAgent: String
+			}],
+			default: []
+		}
+	}, 
+	{
+		timestamps: true
+	}
+);
+
+var User = mongoose.model('User', userSchema);
+
+module.exports = User;

migration/package-lock.json

@@ -0,0 +1,443 @@
+{
+  "name": "migration",
+  "version": "1.0.0",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "migration",
+      "version": "1.0.0",
+      "license": "ISC",
+      "dependencies": {
+        "dotenv": "^16.0.3",
+        "mongoose": "^7.2.1"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "20.2.5",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.2.5.tgz",
+      "integrity": "sha512-JJulVEQXmiY9Px5axXHeYGLSjhkZEnD+MDPDGbCbIAbMslkKwmygtZFy1X6s/075Yo94sf8GuSlFfPzysQrWZQ=="
+    },
+    "node_modules/@types/webidl-conversions": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@types/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
+      "integrity": "sha512-xTE1E+YF4aWPJJeUzaZI5DRntlkY3+BCVJi0axFptnjGmAoWxkyREIh/XMrfxVLejwQxMCfDXdICo0VLxThrog=="
+    },
+    "node_modules/@types/whatwg-url": {
+      "version": "8.2.2",
+      "resolved": "https://registry.npmjs.org/@types/whatwg-url/-/whatwg-url-8.2.2.tgz",
+      "integrity": "sha512-FtQu10RWgn3D9U4aazdwIE2yzphmTJREDqNdODHrbrZmmMqI0vMheC/6NE/J1Yveaj8H+ela+YwWTjq5PGmuhA==",
+      "dependencies": {
+        "@types/node": "*",
+        "@types/webidl-conversions": "*"
+      }
+    },
+    "node_modules/bson": {
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/bson/-/bson-5.3.0.tgz",
+      "integrity": "sha512-ukmCZMneMlaC5ebPHXIkP8YJzNl5DC41N5MAIvKDqLggdao342t4McltoJBQfQya/nHBWAcSsYRqlXPoQkTJag==",
+      "engines": {
+        "node": ">=14.20.1"
+      }
+    },
+    "node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/debug/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/dotenv": {
+      "version": "16.0.3",
+      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.0.3.tgz",
+      "integrity": "sha512-7GO6HghkA5fYG9TYnNxi14/7K9f5occMlp3zXAuSxn7CKCxt9xbNWG7yF8hTCSUchlfWSe3uLmlPfigevRItzQ==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/ip": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.0.tgz",
+      "integrity": "sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ=="
+    },
+    "node_modules/kareem": {
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/kareem/-/kareem-2.5.1.tgz",
+      "integrity": "sha512-7jFxRVm+jD+rkq3kY0iZDJfsO2/t4BBPeEb2qKn2lR/9KhuksYk5hxzfRYWMPV8P/x2d0kHD306YyWLzjjH+uA==",
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/memory-pager": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/memory-pager/-/memory-pager-1.5.0.tgz",
+      "integrity": "sha512-ZS4Bp4r/Zoeq6+NLJpP+0Zzm0pR8whtGPf1XExKLJBAczGMnSi3It14OiNCStjQjM6NU1okjQGSxgEZN8eBYKg==",
+      "optional": true
+    },
+    "node_modules/mongodb": {
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-5.5.0.tgz",
+      "integrity": "sha512-XgrkUgAAdfnZKQfk5AsYL8j7O99WHd4YXPxYxnh8dZxD+ekYWFRA3JktUsBnfg+455Smf75/+asoU/YLwNGoQQ==",
+      "dependencies": {
+        "bson": "^5.3.0",
+        "mongodb-connection-string-url": "^2.6.0",
+        "socks": "^2.7.1"
+      },
+      "engines": {
+        "node": ">=14.20.1"
+      },
+      "optionalDependencies": {
+        "saslprep": "^1.0.3"
+      },
+      "peerDependencies": {
+        "@aws-sdk/credential-providers": "^3.201.0",
+        "mongodb-client-encryption": ">=2.3.0 <3",
+        "snappy": "^7.2.2"
+      },
+      "peerDependenciesMeta": {
+        "@aws-sdk/credential-providers": {
+          "optional": true
+        },
+        "mongodb-client-encryption": {
+          "optional": true
+        },
+        "snappy": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/mongodb-connection-string-url": {
+      "version": "2.6.0",
+      "resolved": "https://registry.npmjs.org/mongodb-connection-string-url/-/mongodb-connection-string-url-2.6.0.tgz",
+      "integrity": "sha512-WvTZlI9ab0QYtTYnuMLgobULWhokRjtC7db9LtcVfJ+Hsnyr5eo6ZtNAt3Ly24XZScGMelOcGtm7lSn0332tPQ==",
+      "dependencies": {
+        "@types/whatwg-url": "^8.2.1",
+        "whatwg-url": "^11.0.0"
+      }
+    },
+    "node_modules/mongoose": {
+      "version": "7.2.1",
+      "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-7.2.1.tgz",
+      "integrity": "sha512-c2OOl+ch9NlmPeJw7UjSb2jHNjoOw1XXHyzwygIf4z1GmaBx1OYb8OYqHkYPivvEmfY/vUWZFCgePsDqZgFn2w==",
+      "dependencies": {
+        "bson": "^5.3.0",
+        "kareem": "2.5.1",
+        "mongodb": "5.5.0",
+        "mpath": "0.9.0",
+        "mquery": "5.0.0",
+        "ms": "2.1.3",
+        "sift": "16.0.1"
+      },
+      "engines": {
+        "node": ">=14.20.1"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/mongoose"
+      }
+    },
+    "node_modules/mpath": {
+      "version": "0.9.0",
+      "resolved": "https://registry.npmjs.org/mpath/-/mpath-0.9.0.tgz",
+      "integrity": "sha512-ikJRQTk8hw5DEoFVxHG1Gn9T/xcjtdnOKIU1JTmGjZZlg9LST2mBLmcX3/ICIbgJydT2GOc15RnNy5mHmzfSew==",
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
+    "node_modules/mquery": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/mquery/-/mquery-5.0.0.tgz",
+      "integrity": "sha512-iQMncpmEK8R8ncT8HJGsGc9Dsp8xcgYMVSbs5jgnm1lFHTZqMJTUWTDx1LBO8+mK3tPNZWFLBghQEIOULSTHZg==",
+      "dependencies": {
+        "debug": "4.x"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
+    },
+    "node_modules/punycode": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.0.tgz",
+      "integrity": "sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/saslprep": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/saslprep/-/saslprep-1.0.3.tgz",
+      "integrity": "sha512-/MY/PEMbk2SuY5sScONwhUDsV2p77Znkb/q3nSVstq/yQzYJOH/Azh29p9oJLsl3LnQwSvZDKagDGBsBwSooag==",
+      "optional": true,
+      "dependencies": {
+        "sparse-bitfield": "^3.0.3"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/sift": {
+      "version": "16.0.1",
+      "resolved": "https://registry.npmjs.org/sift/-/sift-16.0.1.tgz",
+      "integrity": "sha512-Wv6BjQ5zbhW7VFefWusVP33T/EM0vYikCaQ2qR8yULbsilAT8/wQaXvuQ3ptGLpoKx+lihJE3y2UTgKDyyNHZQ=="
+    },
+    "node_modules/smart-buffer": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz",
+      "integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==",
+      "engines": {
+        "node": ">= 6.0.0",
+        "npm": ">= 3.0.0"
+      }
+    },
+    "node_modules/socks": {
+      "version": "2.7.1",
+      "resolved": "https://registry.npmjs.org/socks/-/socks-2.7.1.tgz",
+      "integrity": "sha512-7maUZy1N7uo6+WVEX6psASxtNlKaNVMlGQKkG/63nEDdLOWNbiUMoLK7X4uYoLhQstau72mLgfEWcXcwsaHbYQ==",
+      "dependencies": {
+        "ip": "^2.0.0",
+        "smart-buffer": "^4.2.0"
+      },
+      "engines": {
+        "node": ">= 10.13.0",
+        "npm": ">= 3.0.0"
+      }
+    },
+    "node_modules/sparse-bitfield": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/sparse-bitfield/-/sparse-bitfield-3.0.3.tgz",
+      "integrity": "sha512-kvzhi7vqKTfkh0PZU+2D2PIllw2ymqJKujUcyPMd9Y75Nv4nPbGJZXNhxsgdQab2BmlDct1YnfQCguEvHr7VsQ==",
+      "optional": true,
+      "dependencies": {
+        "memory-pager": "^1.0.2"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-3.0.0.tgz",
+      "integrity": "sha512-l7FvfAHlcmulp8kr+flpQZmVwtu7nfRV7NZujtN0OqES8EL4O4e0qqzL0DC5gAvx/ZC/9lk6rhcUwYvkBnBnYA==",
+      "dependencies": {
+        "punycode": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
+      "integrity": "sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/whatwg-url": {
+      "version": "11.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-11.0.0.tgz",
+      "integrity": "sha512-RKT8HExMpoYx4igMiVMY83lN6UeITKJlBQ+vR/8ZJ8OCdSiN3RwCq+9gH0+Xzj0+5IrM6i4j/6LuvzbZIQgEcQ==",
+      "dependencies": {
+        "tr46": "^3.0.0",
+        "webidl-conversions": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    }
+  },
+  "dependencies": {
+    "@types/node": {
+      "version": "20.2.5",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.2.5.tgz",
+      "integrity": "sha512-JJulVEQXmiY9Px5axXHeYGLSjhkZEnD+MDPDGbCbIAbMslkKwmygtZFy1X6s/075Yo94sf8GuSlFfPzysQrWZQ=="
+    },
+    "@types/webidl-conversions": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/@types/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
+      "integrity": "sha512-xTE1E+YF4aWPJJeUzaZI5DRntlkY3+BCVJi0axFptnjGmAoWxkyREIh/XMrfxVLejwQxMCfDXdICo0VLxThrog=="
+    },
+    "@types/whatwg-url": {
+      "version": "8.2.2",
+      "resolved": "https://registry.npmjs.org/@types/whatwg-url/-/whatwg-url-8.2.2.tgz",
+      "integrity": "sha512-FtQu10RWgn3D9U4aazdwIE2yzphmTJREDqNdODHrbrZmmMqI0vMheC/6NE/J1Yveaj8H+ela+YwWTjq5PGmuhA==",
+      "requires": {
+        "@types/node": "*",
+        "@types/webidl-conversions": "*"
+      }
+    },
+    "bson": {
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/bson/-/bson-5.3.0.tgz",
+      "integrity": "sha512-ukmCZMneMlaC5ebPHXIkP8YJzNl5DC41N5MAIvKDqLggdao342t4McltoJBQfQya/nHBWAcSsYRqlXPoQkTJag=="
+    },
+    "debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "requires": {
+        "ms": "2.1.2"
+      },
+      "dependencies": {
+        "ms": {
+          "version": "2.1.2",
+          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+          "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+        }
+      }
+    },
+    "dotenv": {
+      "version": "16.0.3",
+      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.0.3.tgz",
+      "integrity": "sha512-7GO6HghkA5fYG9TYnNxi14/7K9f5occMlp3zXAuSxn7CKCxt9xbNWG7yF8hTCSUchlfWSe3uLmlPfigevRItzQ=="
+    },
+    "ip": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.0.tgz",
+      "integrity": "sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ=="
+    },
+    "kareem": {
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/kareem/-/kareem-2.5.1.tgz",
+      "integrity": "sha512-7jFxRVm+jD+rkq3kY0iZDJfsO2/t4BBPeEb2qKn2lR/9KhuksYk5hxzfRYWMPV8P/x2d0kHD306YyWLzjjH+uA=="
+    },
+    "memory-pager": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/memory-pager/-/memory-pager-1.5.0.tgz",
+      "integrity": "sha512-ZS4Bp4r/Zoeq6+NLJpP+0Zzm0pR8whtGPf1XExKLJBAczGMnSi3It14OiNCStjQjM6NU1okjQGSxgEZN8eBYKg==",
+      "optional": true
+    },
+    "mongodb": {
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-5.5.0.tgz",
+      "integrity": "sha512-XgrkUgAAdfnZKQfk5AsYL8j7O99WHd4YXPxYxnh8dZxD+ekYWFRA3JktUsBnfg+455Smf75/+asoU/YLwNGoQQ==",
+      "requires": {
+        "bson": "^5.3.0",
+        "mongodb-connection-string-url": "^2.6.0",
+        "saslprep": "^1.0.3",
+        "socks": "^2.7.1"
+      }
+    },
+    "mongodb-connection-string-url": {
+      "version": "2.6.0",
+      "resolved": "https://registry.npmjs.org/mongodb-connection-string-url/-/mongodb-connection-string-url-2.6.0.tgz",
+      "integrity": "sha512-WvTZlI9ab0QYtTYnuMLgobULWhokRjtC7db9LtcVfJ+Hsnyr5eo6ZtNAt3Ly24XZScGMelOcGtm7lSn0332tPQ==",
+      "requires": {
+        "@types/whatwg-url": "^8.2.1",
+        "whatwg-url": "^11.0.0"
+      }
+    },
+    "mongoose": {
+      "version": "7.2.1",
+      "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-7.2.1.tgz",
+      "integrity": "sha512-c2OOl+ch9NlmPeJw7UjSb2jHNjoOw1XXHyzwygIf4z1GmaBx1OYb8OYqHkYPivvEmfY/vUWZFCgePsDqZgFn2w==",
+      "requires": {
+        "bson": "^5.3.0",
+        "kareem": "2.5.1",
+        "mongodb": "5.5.0",
+        "mpath": "0.9.0",
+        "mquery": "5.0.0",
+        "ms": "2.1.3",
+        "sift": "16.0.1"
+      }
+    },
+    "mpath": {
+      "version": "0.9.0",
+      "resolved": "https://registry.npmjs.org/mpath/-/mpath-0.9.0.tgz",
+      "integrity": "sha512-ikJRQTk8hw5DEoFVxHG1Gn9T/xcjtdnOKIU1JTmGjZZlg9LST2mBLmcX3/ICIbgJydT2GOc15RnNy5mHmzfSew=="
+    },
+    "mquery": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/mquery/-/mquery-5.0.0.tgz",
+      "integrity": "sha512-iQMncpmEK8R8ncT8HJGsGc9Dsp8xcgYMVSbs5jgnm1lFHTZqMJTUWTDx1LBO8+mK3tPNZWFLBghQEIOULSTHZg==",
+      "requires": {
+        "debug": "4.x"
+      }
+    },
+    "ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
+    },
+    "punycode": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.0.tgz",
+      "integrity": "sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA=="
+    },
+    "saslprep": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/saslprep/-/saslprep-1.0.3.tgz",
+      "integrity": "sha512-/MY/PEMbk2SuY5sScONwhUDsV2p77Znkb/q3nSVstq/yQzYJOH/Azh29p9oJLsl3LnQwSvZDKagDGBsBwSooag==",
+      "optional": true,
+      "requires": {
+        "sparse-bitfield": "^3.0.3"
+      }
+    },
+    "sift": {
+      "version": "16.0.1",
+      "resolved": "https://registry.npmjs.org/sift/-/sift-16.0.1.tgz",
+      "integrity": "sha512-Wv6BjQ5zbhW7VFefWusVP33T/EM0vYikCaQ2qR8yULbsilAT8/wQaXvuQ3ptGLpoKx+lihJE3y2UTgKDyyNHZQ=="
+    },
+    "smart-buffer": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz",
+      "integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg=="
+    },
+    "socks": {
+      "version": "2.7.1",
+      "resolved": "https://registry.npmjs.org/socks/-/socks-2.7.1.tgz",
+      "integrity": "sha512-7maUZy1N7uo6+WVEX6psASxtNlKaNVMlGQKkG/63nEDdLOWNbiUMoLK7X4uYoLhQstau72mLgfEWcXcwsaHbYQ==",
+      "requires": {
+        "ip": "^2.0.0",
+        "smart-buffer": "^4.2.0"
+      }
+    },
+    "sparse-bitfield": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/sparse-bitfield/-/sparse-bitfield-3.0.3.tgz",
+      "integrity": "sha512-kvzhi7vqKTfkh0PZU+2D2PIllw2ymqJKujUcyPMd9Y75Nv4nPbGJZXNhxsgdQab2BmlDct1YnfQCguEvHr7VsQ==",
+      "optional": true,
+      "requires": {
+        "memory-pager": "^1.0.2"
+      }
+    },
+    "tr46": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-3.0.0.tgz",
+      "integrity": "sha512-l7FvfAHlcmulp8kr+flpQZmVwtu7nfRV7NZujtN0OqES8EL4O4e0qqzL0DC5gAvx/ZC/9lk6rhcUwYvkBnBnYA==",
+      "requires": {
+        "punycode": "^2.1.1"
+      }
+    },
+    "webidl-conversions": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
+      "integrity": "sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g=="
+    },
+    "whatwg-url": {
+      "version": "11.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-11.0.0.tgz",
+      "integrity": "sha512-RKT8HExMpoYx4igMiVMY83lN6UeITKJlBQ+vR/8ZJ8OCdSiN3RwCq+9gH0+Xzj0+5IrM6i4j/6LuvzbZIQgEcQ==",
+      "requires": {
+        "tr46": "^3.0.0",
+        "webidl-conversions": "^7.0.0"
+      }
+    }
+  }
+}

migration/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "migration",
+  "version": "1.0.0",
+  "description": "As Infisical's codebase matures, there are structural things that we need to change.",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "dotenv": "^16.0.3",
+    "mongoose": "^7.2.1"
+  }
+}

migration/scripts/reencrypt_under_256_key.js

@@ -0,0 +1,177 @@
+require('dotenv').config();
+const crypto = require('crypto');
+const mongoose = require('mongoose');
+const Bot = require('../models/bot');
+const SecretBlindIndexData = require('../models/secretBlindIndexData');
+
+const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY; // 16-byte hex encryption key to migrate from
+const ROOT_ENCRYPTION_KEY = process.env.ROOT_ENCRYPTION_KEY; // 32-byte base64 encryption key to migrate to
+
+const ALGORITHM_AES_256_GCM = 'aes-256-gcm';
+const ENCODING_SCHEME_UTF8 = 'utf8';
+const ENCODING_SCHEME_BASE64 = 'base64';
+
+const decryptSymmetric = ({
+    ciphertext,
+    iv,
+    tag,
+    key
+}) => {
+    const decipher = crypto.createDecipheriv(
+        'aes-256-gcm',
+        key,
+        Buffer.from(iv, ENCODING_SCHEME_BASE64)
+    );
+
+    decipher.setAuthTag(Buffer.from(tag, ENCODING_SCHEME_BASE64));
+
+    let cleartext = decipher.update(ciphertext, ENCODING_SCHEME_BASE64, ENCODING_SCHEME_UTF8);
+    cleartext += decipher.final('utf8');
+    
+    return cleartext;
+}
+
+const encryptSymmetric = (
+	plaintext,
+	key
+) => {
+    const iv = crypto.randomBytes(12);
+
+    const secretKey = crypto.createSecretKey(key, ENCODING_SCHEME_BASE64);
+    const cipher = crypto.createCipheriv(ALGORITHM_AES_256_GCM, secretKey, iv);
+
+    let ciphertext = cipher.update(plaintext, ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64);
+    ciphertext += cipher.final(ENCODING_SCHEME_BASE64);
+
+	return {
+		ciphertext,
+		iv: iv.toString(ENCODING_SCHEME_BASE64),
+		tag: cipher.getAuthTag().toString(ENCODING_SCHEME_BASE64)
+	};
+};
+
+/**
+ * Validate that encryption key [key] is encoded in [encoding] and [bytes] bytes
+ * @param {String} key - encryption key to validate
+ * @param {String} encoding - encoding like hex or base64
+ * @param {Number} bytes - number of bytes
+ */
+const validateEncryptionKey = (encryptionKey, encoding, bytes) => {
+    const keyBuffer = Buffer.from(encryptionKey, encoding);
+    const decoded = keyBuffer.toString(encoding);
+
+    if (decoded !== encryptionKey) throw Error({
+        message: `Failed to validate that encryption key is encoded in ${encoding}`
+    });
+    
+    if (keyBuffer.length !== bytes) throw Error({
+        message: `Failed to validate that encryption key is ${bytes} bytes`
+    }); 
+}
+
+const main = async () => {
+
+    // validate that ENCRYPTION_KEY is a 16-byte hex string
+    validateEncryptionKey(ENCRYPTION_KEY, 'hex', 16);
+
+    // validate that ROOT_ENCRYPTION_KEY is a 32-byte base64 string
+    validateEncryptionKey(ROOT_ENCRYPTION_KEY, 'base64', 32);
+
+    mongoose.connect(process.env.MONGO_URI)
+        .then(async () => {
+            console.log('Connected!');
+            
+            if (ENCRYPTION_KEY && ROOT_ENCRYPTION_KEY) {
+
+                // re-encrypt bot private keys
+                const bots = await Bot.find({
+                    algorithm: ALGORITHM_AES_256_GCM,
+                    keyEncoding: ENCODING_SCHEME_UTF8
+                }).select('+encryptedPrivateKey iv tag algorithm keyEncoding workspace');
+                
+                if (bots.length > 0) {
+                    const operationsBot = await Promise.all(
+                        bots.map(async (bot) => {
+                            
+                            const privateKey = decryptSymmetric({
+                                ciphertext: bot.encryptedPrivateKey,
+                                iv: bot.iv,
+                                tag: bot.tag,
+                                key: ENCRYPTION_KEY
+                            });
+
+                            const {
+                                ciphertext: encryptedPrivateKey,
+                                iv,
+                                tag
+                            } = encryptSymmetric(privateKey, ROOT_ENCRYPTION_KEY);
+                            
+                            return ({
+                                updateOne: {
+                                    filter: {
+                                        _id: bot._id
+                                    },
+                                    update: {
+                                        encryptedPrivateKey,
+                                        iv,
+                                        tag,
+                                        algorithm: ALGORITHM_AES_256_GCM,
+                                        keyEncoding: ENCODING_SCHEME_BASE64
+                                    }
+                                }
+                            })
+                        })
+                    );
+
+                    const botBulkWriteResult = await Bot.bulkWrite(operationsBot);
+                    console.log('botBulkWriteResult: ', botBulkWriteResult);
+                }
+            
+                // re-encrypt secret blind index data salts
+                const secretBlindIndexData = await SecretBlindIndexData.find({
+                    algorithm: ALGORITHM_AES_256_GCM,
+                    keyEncoding: ENCODING_SCHEME_UTF8
+                }).select('+encryptedSaltCiphertext +saltIV +saltTag +algorithm +keyEncoding');
+                
+                if (secretBlindIndexData.length > 0) {
+                    const operationsSecretBlindIndexData = await Promise.all(
+                        secretBlindIndexData.map(async (secretBlindIndexDatum) => {
+            
+                            const salt = decryptSymmetric({
+                                ciphertext: secretBlindIndexDatum.encryptedSaltCiphertext,
+                                iv: secretBlindIndexDatum.saltIV,
+                                tag: secretBlindIndexDatum.saltTag,
+                                key: ENCRYPTION_KEY
+                            });
+                            
+                            const {
+                                ciphertext: encryptedSaltCiphertext,
+                                iv: saltIV,
+                                tag: saltTag
+                            } = encryptSymmetric(salt, ROOT_ENCRYPTION_KEY);
+            
+                            return ({
+                                updateOne: {
+                                    filter: {
+                                        _id: secretBlindIndexDatum._id
+                                    },
+                                    update: {
+                                        encryptedSaltCiphertext,
+                                        saltIV,
+                                        saltTag,
+                                        algorithm: ALGORITHM_AES_256_GCM,
+                                        keyEncoding: ENCODING_SCHEME_BASE64
+                                    }
+                                }
+                            })
+                        })
+                    );
+                    
+                    const secretBlindIndexDataBulkWriteResult = await SecretBlindIndexData.bulkWrite(operationsSecretBlindIndexData);
+                    console.log('secretBlindIndexDataBulkWriteResult: ', secretBlindIndexDataBulkWriteResult);
+                }
+            }
+        });
+}
+
+main();