fix(docker): replace anonymous docker volume with env variable for encrypting secrets (#1809)

2026-01-29 10:49:14 +01:00 · 2024-12-31 11:30:29 +01:00
parent 91e1cef611
commit 56b57ad171
11 changed files with 66 additions and 62 deletions
--- a/packages/common/env.mjs
+++ b/packages/common/env.mjs
@@ -0,0 +1,28 @@
+import { randomBytes } from "crypto";
+import { createEnv } from "@t3-oss/env-nextjs";
+import { z } from "zod";
+
+const errorSuffix = `, please generate a 64 character secret in hex format or use the following: "${randomBytes(32).toString("hex")}"`;
+
+export const env = createEnv({
+  server: {
+    SECRET_ENCRYPTION_KEY: z
+      .string({
+        required_error: `SECRET_ENCRYPTION_KEY is required${errorSuffix}`,
+      })
+      .min(64, {
+        message: `SECRET_ENCRYPTION_KEY has to be 64 characters${errorSuffix}`,
+      })
+      .max(64, {
+        message: `SECRET_ENCRYPTION_KEY has to be 64 characters${errorSuffix}`,
+      })
+      .regex(/^[0-9a-fA-F]{64}$/, {
+        message: `SECRET_ENCRYPTION_KEY must only contain hex characters${errorSuffix}`,
+      }),
+  },
+  runtimeEnv: {
+    SECRET_ENCRYPTION_KEY: process.env.SECRET_ENCRYPTION_KEY,
+  },
+  skipValidation:
+    Boolean(process.env.CI) || Boolean(process.env.SKIP_ENV_VALIDATION) || process.env.npm_lifecycle_event === "lint",
+});
--- a/packages/common/package.json
+++ b/packages/common/package.json
@@ -8,7 +8,8 @@
    ".": "./index.ts",
    "./types": "./src/types.ts",
    "./server": "./src/server.ts",
-    "./client": "./src/client.ts"
+    "./client": "./src/client.ts",
+    "./env.mjs": "./env.mjs"
  },
  "typesVersions": {
    "*": {
--- a/packages/common/src/encryption.ts
+++ b/packages/common/src/encryption.ts
@@ -1,20 +1,12 @@
 import crypto from "crypto";

-import { logger } from "@homarr/log";
+import { env } from "../env.mjs";

 const algorithm = "aes-256-cbc"; //Using AES encryption
-const fallbackKey = "0000000000000000000000000000000000000000000000000000000000000000";
-const encryptionKey = process.env.ENCRYPTION_KEY ?? fallbackKey; // Fallback to a default key for local development
-if (encryptionKey === fallbackKey) {
-  logger.warn("Using a fallback encryption key, stored secrets are not secure");

-  // We never want to use the fallback key in production
-  if (process.env.NODE_ENV === "production" && process.env.CI !== "true") {
-    throw new Error("Encryption key is not set");
-  }
-}
-
-const key = Buffer.from(encryptionKey, "hex");
+// We fallback to a key of 0s if the key was not provided because env validation was skipped
+// This should only be the case in CI
+const key = Buffer.from(env.SECRET_ENCRYPTION_KEY || "0".repeat(64), "hex");

 export function encryptSecret(text: string): `${string}.${string}` {
  const initializationVector = crypto.randomBytes(16);