rusackas opened a new pull request, #40654: URL: https://github.com/apache/superset/pull/40654
> **Draft / `hold:testing`** — proposal for discussion. This PR ships only the backward-compatible Phase 1 (engine selection) plus a SIP document; it does **not** flip the default or migrate existing data.

### SUMMARY

App-encrypted fields (database passwords, SSH tunnel credentials, OAuth tokens, …) use `sqlalchemy_utils.EncryptedType`, which defaults to **`AesEngine` (AES-CBC)** — unauthenticated encryption. An attacker with write access to the ciphertext at rest (metadata DB, backup, replica) can perform bit-flipping / chosen-ciphertext manipulation to silently alter a decrypted secret. **`AesGcmEngine` (AES-GCM)** is authenticated and fails closed on tampering.

This PR is **Phase 1** of the proposal in [`docs/sip/authenticated-encryption-at-rest.md`](docs/sip/authenticated-encryption-at-rest.md) (included in this PR):

- Adds `SQLALCHEMY_ENCRYPTED_FIELD_ENGINE` config (`"aes"` | `"aes-gcm"`), **defaulting to `"aes"`** — zero behavior change for existing installs.
- The default `SQLAlchemyUtilsAdapter` now honors it; an explicit `engine` kwarg still wins (so the future migrator can pin an engine). Unknown values fall back to AES-CBC.
- New deployments can opt into AES-GCM with one config line instead of writing a custom adapter.

The SIP describes **Phase 2** (a CBC→GCM re-encryption migrator built on the existing `SecretsMigrator` + a CLI command) and **Phase 3** (flip the default for fresh installs). The instance-wide re-encryption migration is intentionally **not** implemented here — it's the subject of the SIP, because flipping the engine on a populated DB without migrating first makes existing secrets undecryptable.

### TESTING INSTRUCTIONS

```
pytest tests/unit_tests/utils/encrypt_test.py
```

New unit tests: default engine is AES-CBC; `"aes-gcm"` selects AES-GCM; unknown name falls back to AES-CBC; an explicit `engine` kwarg overrides config.
### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [x] Introduces new feature or API (opt-in config; no default change)
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
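The CBC-versus-GCM behaviour the summary relies on, as an added stand-alone Go illustration (not Superset or `sqlalchemy_utils` code): both blobs are built from a constructed, fixed key/IV/nonce, and flipping one stored bit leaves `openCBC` returning altered bytes without an error, while `openGCM` refuses the blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed demo key/IV/nonce, fixed only for reproducibility; a real engine draws a fresh random IV or nonce per value.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var demoIV = []byte("fixed-demo-iv-16")                   // 16 bytes for CBC
var demoNonce = []byte("demo-nonce12")                    // 12 bytes for GCM

func must[T any](v T, err error) T { // constant key: cipher construction cannot fail, so panic, never drop the error
	if err != nil { panic(err) }
	return v
}

// AES-CBC + PKCS7: the blob carries no integrity check. openCBC can only fail on length or
// padding, so a modified blob with intact padding still "decrypts", to altered bytes.
func sealCBC(pt []byte) []byte {
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := append(append([]byte{}, demoIV...), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(must(aes.NewCipher(demoKey)), demoIV).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

func openCBC(blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 { return nil, errors.New("bad length") }
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(must(aes.NewCipher(demoKey)), blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}

// AES-GCM: Seal appends an authentication tag; Open recomputes it and rejects any altered byte.
func sealGCM(pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(demoKey))))
	return gcm.Seal(append([]byte{}, demoNonce...), demoNonce, pt, nil)
}

func openGCM(blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(demoKey))))
	if len(blob) < gcm.NonceSize() { return nil, errors.New("bad length") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

The real `AesEngine` and `AesGcmEngine` wrap these primitives with their own key handling and output encoding, so the byte layouts here are illustrative; the fail-closed difference is the same.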
