@naiming-zededa
Contributor

Description

  • replace the legacy encryption path with AEAD (AES-GCM) and derive per-session AES keys with HKDF-SHA256.
  • if configured with encryption, force explicit nonce/cipher validation
  • fix a yetus complaint

PR dependencies

How to test and validate this PR

  • first, need to enable the Edgeview policy (for the project or for specific edge-node) w/ 'Encrypt Session' to be 'Yes'.
  • Update the edge-node to the eve image w/ this patch
    • use the latest Edgeview container for the client side, edgeview should work normally
    • use the previous version of Edgeview container for the client side, it should get the message from the remote "Edgeview encrypted message missing or invalid IV. Need Edgeview Client version 0.8.8 or higher", and exits.
    • Also, in the edge-node logs, it should say the validation failed

Changelog notes

migrate message encryption to AEAD (AES‑GCM) + HKDF

PR Backports

  • 16.0-stable

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR

For backport PRs (remove it if it's not a backport):

  • I've added a reference link to the original PR
  • PR's title follows the template

And the last but not least:

  • I've checked the boxes above, or I've provided a good reason why I didn't
    check them.

@naiming-zededa naiming-zededa requested review from shjala and removed request for christoph-zededa and eriknordmark January 5, 2026 21:12
codecov bot commented Jan 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 28.08%. Comparing base (2281599) to head (c5b5f4b).
⚠️ Report is 182 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5530      +/-   ##
==========================================
+ Coverage   19.52%   28.08%   +8.55%     
==========================================
  Files          19       19              
  Lines        3021     2314     -707     
==========================================
+ Hits          590      650      +60     
+ Misses       2310     1520     -790     
- Partials      121      144      +23     

@naiming-zededa naiming-zededa added bug Something isn't working stable Should be backported to stable release(s) labels Jan 6, 2026

// deriveKeyHKDF derives a key of length keyLen from the given 32-byte seed using HKDF-SHA256
// deriveKeyHKDF derives a key of length keyLen from the given 32-byte seed using
// HKDF-SHA256 (RFC 5869). Implemented locally to avoid external dependency on
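
Review bot: the visible part of the doc comment on deriveKeyHKDF promises "a key of length keyLen" without stating the RFC 5869 output limit, which for SHA-256 is 255 × 32 bytes, or what happens when keyLen exceeds it. Document the bound and return an error past it. If the HKDF stays "implemented locally", a unit test against the RFC 5869 test vectors would show the local code matches the standard.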
Member

@shjala shjala Jan 9, 2026

I'm not sure why we don't want to depend on golang.org/x/crypto/hkdf ?

Contributor Author

updated w/ the golang.org/x/crypto/hkdf library, please review.

- replace the legacy encryption path with AEAD (AES-GCM) and derive
  per-session AES keys with HKDF-SHA256.
- if configured with encryption, force explicit nonce/cipher validation
- fix a yetus complaint

Signed-off-by: naiming-zededa <[email protected]>