Add group encryption key backend

What does this MR do and why?

Adds group encryption keys so each organization is able to en-/decrypt CI variables in the database with their own key. This is part of issue #378386 (closed) and supersedes MR !112547 (closed). The database model is created in the previous MR !112679 (closed) (consisting of the first commit here, which may be ignored for this MR).

The GroupEncryptionKey model holds the optional encryption key for each (root) group. If such a key exists, it is used to en-/decrypt all descendant CI variables of this group. Whenever the key for a group is changed, the values of all descendant CI variables are re-encrypted with the new key in a background job. The same happens when a group or a project is transferred to another root group.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
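
The key lookup and re-encryption flow described above, sketched as an added Ruby example that is not code from this MR or from GitLab. `Group`, `Variable`, `VariableStore`, `lineage`, `seal` and `unseal` are hypothetical names; AES-256-GCM, the instance-wide fallback key, and running the re-encryption inline instead of in a background job are assumptions.

```ruby
require "openssl"

Group = Struct.new(:name, :parent)    # constructed stand-ins, hypothetical names
Variable = Struct.new(:group, :blob)
def lineage(group) # [group, parent, ..., root]
  group ? [group] + lineage(group.parent) : []
end

def seal(key, plaintext) # AES-256-GCM; blob = iv(12) + tag(16) + ciphertext
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  iv = c.random_iv
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

def unseal(key, blob) # raises OpenSSL::Cipher::CipherError under the wrong key
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = key
  d.iv, d.auth_tag = blob.byteslice(0, 12), blob.byteslice(12, 16)
  d.update(blob.byteslice(28..-1)) + d.final
end

class VariableStore
  attr_reader :group_keys, :variables
  def initialize(instance_key)
    @instance_key = instance_key         # assumed fallback when the root has no key
    @group_keys = {}.compare_by_identity # root group => 32-byte key
    @variables = {}                      # name => Variable
  end

  def key_for(group)
    @group_keys.fetch(lineage(group).last, @instance_key)
  end

  def put(name, group, value)
    @variables[name] = Variable.new(group, seal(key_for(group), value))
  end

  def get(name)
    unseal(key_for(@variables[name].group), @variables[name].blob)
  end

  def reencrypt(scope) # the block applies the key change or transfer
    hit = @variables.values.select { |v| lineage(v.group).any? { |g| g.equal?(scope) } }
    plain = hit.map { |v| unseal(key_for(v.group), v.blob) } # old key, before the change
    yield
    hit.zip(plain).each { |v, p| v.blob = seal(key_for(v.group), p) }.size
  end
end
```

A key change is `store.reencrypt(root) { store.group_keys[root] = new_key }` and a transfer is `store.reencrypt(group) { group.parent = new_parent }`; in both cases the plaintext is recovered under the old key before the change takes effect.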
