feat(store): encrypted filestore by Benehiko · Pull Request #29 · docker/secrets-engine

Benehiko · 2025-06-23T07:17:32Z

This commit introduces an encrypted filestore backed by the os.Root type,
which enforces a flat storage structure confined to a specific directory.
Each secret is stored per encryption function in its own file, alongside a
public metadata file in JSON format. Filenames are base64-encoded secret
IDs to avoid issues with forward slashes ("/") and other special characters.

All secret files are encrypted with the filippo.io/age library, which
supports multiple encryption and decryption methods, including hardware
keys, SSH keys, and custom plugins. The store cannot follow symlinks
outside the directory specified by os.Root, ensuring stronger isolation.

Copilot

Pull Request Overview

This pull request implements an encrypted filestore for storing secrets on disk using filippo.io/age encryption. The implementation creates a new file-based storage backend that encrypts secret contents while keeping metadata unencrypted.

Adds encrypted filestore package with encryption/decryption using filippo.io/age library
Refactors Factory type to be shared across store implementations
Updates Go version requirement to 1.25

Reviewed Changes

Copilot reviewed 5 out of 105 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
store/store.go	Adds shared Factory type definition for secret instantiation
store/keychain/keychain.go	Updates to use shared Factory type from store package
store/go.mod	Updates Go version to 1.25 and adds filippo.io/age dependency
store/filestore/filestore.go	New encrypted filestore implementation with core functionality
store/filestore/filestore_test.go	Comprehensive test suite for filestore operations

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

store/filestore/filestore.go

store/go.mod

store/posixage/filestore.go

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

store/posixage/store.go

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

store/posixage/store.go

store/posixage/store_test.go

joe0BAB · 2025-09-19T06:53:17Z

store/posixage/internal/secretfile/secret.go

+//
+// If any step fails, the directory is removed to prevent partial or
+// inconsistent state. An error is returned in such cases.
+func Persist(id store.ID, root *os.Root, metadata map[string]string, secrets []EncryptedSecret) error {


non-blocking (eg for follow up PR): some small test that verifies the combination of Persist/Restore works

(I know we implicitly cover this on the next layer above / in store_test.go, it's still helpful eg when troubleshooting/debugging to easily spot what works independently and what not)

joe0BAB

LGTM! ~~(the missing unlock calls should be fixed before merging though)~~

(was already fixed, just didn't see as I was logged out..)

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Copilot

Pull Request Overview

Copilot reviewed 12 out of 158 changed files in this pull request and generated 2 comments.

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

store/posixage/internal/secretfile/secret.go

store/posixage/README.md

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Benehiko force-pushed the filestore branch from 153cf6a to b2fb2ff Compare August 11, 2025 15:07

Benehiko force-pushed the filestore branch 5 times, most recently from 9a5d6d9 to 7fc6e7f Compare September 2, 2025 08:22

Benehiko requested a review from Copilot September 2, 2025 08:23

This comment was marked as outdated.

Sign in to view

Benehiko force-pushed the filestore branch from 7fc6e7f to 5ecd61d Compare September 2, 2025 08:37

Benehiko requested review from joe0BAB and wmluke September 2, 2025 08:37

Benehiko marked this pull request as ready for review September 2, 2025 08:38

Benehiko requested a review from Copilot September 2, 2025 08:38

Benehiko changed the title ~~Filestore~~ feat(store): encrypted filestore Sep 2, 2025

This comment was marked as outdated.

Sign in to view

Benehiko force-pushed the filestore branch from a1eaa22 to a0eb4e3 Compare September 2, 2025 09:46

Benehiko requested a review from Copilot September 2, 2025 09:58

This comment was marked as outdated.

Sign in to view

Benehiko force-pushed the filestore branch from a0eb4e3 to 8e69823 Compare September 2, 2025 10:20

Benehiko requested a review from Copilot September 2, 2025 10:51

Copilot AI reviewed Sep 2, 2025

View reviewed changes

store/filestore/filestore.go Outdated Show resolved Hide resolved

store/filestore/filestore.go Outdated Show resolved Hide resolved

Benehiko force-pushed the filestore branch from 8e69823 to 020812d Compare September 2, 2025 13:15