fix: removed recovery

backend/package.json

@@ -195,7 +195,6 @@
     "safe-regex": "^2.1.1",
     "scim-patch": "^0.8.3",
     "scim2-parse-filter": "^0.2.10",
-    "secrets.js-grempe": "^2.0.0",
     "sjcl": "^1.0.8",
     "smee-client": "^2.0.0",
     "snowflake-sdk": "^1.14.0",

backend/src/ee/services/license/license-fns.ts

@@ -29,6 +29,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   auditLogStreams: false,
   auditLogStreamLimit: 3,
   samlSSO: false,
+  hsm: true,
   oidcSSO: false,
   scim: false,
   ldap: false,

backend/src/ee/services/license/license-types.ts

@@ -46,6 +46,7 @@ export type TFeatureSet = {
   auditLogStreams: false;
   auditLogStreamLimit: 3;
   samlSSO: false;
+  hsm: false;
   oidcSSO: false;
   scim: false;
   ldap: false;

backend/src/lib/crypto/index.ts

@@ -18,6 +18,5 @@ export {
   decryptSecrets,
   decryptSecretVersions
 } from "./secret-encryption";
-export { shamirsService } from "./shamirs";
 export { verifyOfflineLicense } from "./signing";
 export { generateSrpServerKey, srpCheckClientProof } from "./srp";

backend/src/server/routes/v1/admin-router.ts

@@ -196,54 +196,6 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "POST",
-    url: "/kms-export",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      response: {
-        200: z.object({
-          secretParts: z.array(z.string())
-        })
-      }
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-    handler: async () => {
-      const keyParts = await server.services.superAdmin.exportPlainKmsKey();
-
-      return {
-        secretParts: keyParts
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/kms-import",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        secretParts: z.array(z.string())
-      })
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-    handler: async (req) => {
-      await server.services.superAdmin.importPlainKmsKey(req.body.secretParts);
-    }
-  });
-
   server.route({
     method: "GET",
     url: "/root-kms-config",
@@ -259,8 +211,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
               name: z.string(),
               enabled: z.boolean()
             })
-            .array(),
-          keyExported: z.boolean()
+            .array()
         })
       }
     },

backend/src/services/kms/kms-service.ts

@@ -11,7 +11,7 @@ import {
 } from "@app/ee/services/external-kms/providers/model";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
-import { randomSecureBytes, shamirsService } from "@app/lib/crypto";
+import { randomSecureBytes } from "@app/lib/crypto";
 import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { generateHash } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -667,31 +667,6 @@ export const kmsServiceFactory = ({
     throw new Error(`Invalid root key encryption strategy: ${strategy}`);
   };
 
-  const exportRootEncryptionKeyParts = () => {
-    if (!ROOT_ENCRYPTION_KEY) {
-      throw new Error("Root encryption key not set");
-    }
-
-    const parts = shamirsService().share(ROOT_ENCRYPTION_KEY, 8, 4);
-
-    return parts;
-  };
-
-  const importRootEncryptionKey = async (parts: string[]) => {
-    const decryptedRootKey = shamirsService().combine(parts);
-
-    const encryptedRootKey = symmetricCipherService(SymmetricEncryption.AES_GCM_256).encrypt(
-      decryptedRootKey,
-      $getBasicEncryptionKey()
-    );
-
-    await kmsRootConfigDAL.updateById(KMS_ROOT_CONFIG_UUID, {
-      encryptedRootKey,
-      encryptionStrategy: RootKeyEncryptionStrategy.Basic
-    });
-    ROOT_ENCRYPTION_KEY = decryptedRootKey;
-  };
-
   // by keeping the decrypted data key in inner scope
   // none of the entities outside can interact directly or expose the data key
   // NOTICE: If changing here update migrations/utils/kms
@@ -972,8 +947,6 @@ export const kmsServiceFactory = ({
     getProjectKeyBackup,
     loadProjectKeyBackup,
     getKmsById,
-    createCipherPairWithDataKey,
-    exportRootEncryptionKeyParts,
-    importRootEncryptionKey
+    createCipherPairWithDataKey
   };
 };

backend/src/services/super-admin/super-admin-service.ts

@@ -23,14 +23,7 @@ type TSuperAdminServiceFactoryDep = {
   serverCfgDAL: TSuperAdminDALFactory;
   userDAL: TUserDALFactory;
   authService: Pick<TAuthLoginFactory, "generateUserTokens">;
-  kmsService: Pick<
-    TKmsServiceFactory,
-    | "encryptWithRootKey"
-    | "decryptWithRootKey"
-    | "exportRootEncryptionKeyParts"
-    | "importRootEncryptionKey"
-    | "updateEncryptionStrategy"
-  >;
+  kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey" | "updateEncryptionStrategy">;
   kmsRootConfigDAL: TKmsRootConfigDALFactory;
   orgService: Pick<TOrgServiceFactory, "createOrganization">;
   keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry" | "deleteItem">;
@@ -162,35 +155,6 @@ export const superAdminServiceFactory = ({
     return updatedServerCfg;
   };
 
-  const exportPlainKmsKey = async () => {
-    const kmsRootConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
-
-    if (!kmsRootConfig) {
-      throw new NotFoundError({ name: "KmsRootConfig", message: "KMS root configuration not found" });
-    }
-
-    if (kmsRootConfig.exported) {
-      throw new BadRequestError({ name: "KmsRootConfig", message: "KMS root configuration already exported" });
-    }
-
-    await kmsRootConfigDAL.updateById(KMS_ROOT_CONFIG_UUID, { exported: true });
-    return kmsService.exportRootEncryptionKeyParts();
-  };
-
-  const importPlainKmsKey = async (secretParts: string[]) => {
-    const kmsRootConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
-
-    if (!kmsRootConfig) {
-      throw new NotFoundError({ name: "KmsRootConfig", message: "KMS root configuration not found" });
-    }
-
-    if (!kmsRootConfig.exported) {
-      throw new BadRequestError({ name: "KmsRootConfig", message: "KMS root configuration was never exported" });
-    }
-
-    await kmsService.importRootEncryptionKey(secretParts);
-  };
-
   const adminSignUp = async ({
     lastName,
     firstName,
@@ -361,12 +325,17 @@ export const superAdminServiceFactory = ({
     }
 
     return {
-      strategies: enabledStrategies,
-      keyExported: kmsRootCfg.exported
+      strategies: enabledStrategies
     };
   };
 
   const updateRootEncryptionStrategy = async (strategy: RootKeyEncryptionStrategy) => {
+    if (!licenseService.onPremFeatures.hsm) {
+      throw new BadRequestError({
+        message: "Failed to update encryption strategy due to plan restriction. Upgrade to Infisical's Enterprise plan."
+      });
+    }
+
     const configuredStrategies = await getConfiguredEncryptionStrategies();
 
     const foundStrategy = configuredStrategies.strategies.find((s) => s.strategy === strategy);
@@ -390,8 +359,6 @@ export const superAdminServiceFactory = ({
     deleteUser,
     getAdminSlackConfig,
     updateRootEncryptionStrategy,
-    getConfiguredEncryptionStrategies,
-    exportPlainKmsKey,
-    importPlainKmsKey
+    getConfiguredEncryptionStrategies
   };
 };

cli/packages/api/api.go

@@ -525,40 +525,3 @@ func CallUpdateRawSecretsV3(httpClient *resty.Client, request UpdateRawSecretByN
 
 	return nil
 }
-
-func CallExportKmsRootEncryptionKey(httpClient *resty.Client) (ExportKmsRootKeyResponse, error) {
-	var exportKmsKeyResponse ExportKmsRootKeyResponse
-	response, err := httpClient.
-		R().
-		SetResult(&exportKmsKeyResponse).
-		SetHeader("User-Agent", USER_AGENT).
-		Post(fmt.Sprintf("%v/v1/admin/kms-export", config.INFISICAL_URL))
-
-	if err != nil {
-		return ExportKmsRootKeyResponse{}, fmt.Errorf("CallSuperAdminExportKmsKey: Unable to complete api request [err=%w]", err)
-	}
-
-	if response.IsError() {
-		return ExportKmsRootKeyResponse{}, fmt.Errorf("CallSuperAdminExportKmsKey: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
-	}
-
-	return exportKmsKeyResponse, nil
-}
-
-func CallImportKmsRootEncryptionKey(httpClient *resty.Client, request ImportKmsRootKeyRequest) error {
-	response, err := httpClient.
-		R().
-		SetHeader("User-Agent", USER_AGENT).
-		SetBody(request).
-		Post(fmt.Sprintf("%v/v1/admin/kms-import", config.INFISICAL_URL))
-
-	if err != nil {
-		return fmt.Errorf("CallSuperAdminImportKmsKey: Unable to complete api request [err=%w]", err)
-	}
-
-	if response.IsError() {
-		return fmt.Errorf("CallSuperAdminImportKmsKey: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
-	}
-
-	return nil
-}

cli/packages/api/model.go

@@ -617,11 +617,3 @@ type GetRawSecretV3ByNameResponse struct {
 	} `json:"secret"`
 	ETag string
 }
-
-type ExportKmsRootKeyResponse struct {
-	SecretParts []string `json:"secretParts"`
-}
-
-type ImportKmsRootKeyRequest struct {
-	SecretParts []string `json:"secretParts"`
-}