fix(docker): replace anonymous docker volume with env variable for encrypting secrets (#1809)

2026-01-30 19:29:17 +01:00 · 2024-12-31 11:30:29 +01:00
parent 91e1cef611
commit 56b57ad171
11 changed files with 66 additions and 62 deletions
--- a/packages/common/src/encryption.ts
+++ b/packages/common/src/encryption.ts
@@ -1,20 +1,12 @@
 import crypto from "crypto";

-import { logger } from "@homarr/log";
+import { env } from "../env.mjs";

 const algorithm = "aes-256-cbc"; //Using AES encryption
-const fallbackKey = "0000000000000000000000000000000000000000000000000000000000000000";
-const encryptionKey = process.env.ENCRYPTION_KEY ?? fallbackKey; // Fallback to a default key for local development
-if (encryptionKey === fallbackKey) {
-  logger.warn("Using a fallback encryption key, stored secrets are not secure");

-  // We never want to use the fallback key in production
-  if (process.env.NODE_ENV === "production" && process.env.CI !== "true") {
-    throw new Error("Encryption key is not set");
-  }
-}
-
-const key = Buffer.from(encryptionKey, "hex");
+// We fallback to a key of 0s if the key was not provided because env validation was skipped
+// This should only be the case in CI
+const key = Buffer.from(env.SECRET_ENCRYPTION_KEY || "0".repeat(64), "hex");

 export function encryptSecret(text: string): `${string}.${string}` {
  const initializationVector = crypto.randomBytes(16);