From a23aa53cbdc3a7e6c13b1b455398a5b609a228ee Mon Sep 17 00:00:00 2001
From: Erik Tate
Date: Fri, 27 Jun 2025 14:59:24 -0400
Subject: [PATCH] adding file configuration for encrypted session recording
---
 lib/config/configuration.go | 7 +++++++
 lib/config/fileconf.go | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/lib/config/configuration.go b/lib/config/configuration.go
index 24da1fcbeed08..32768ac4677a6 100644
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
@@ -951,9 +951,16 @@ func applyAuthConfig(fc *FileConfig, cfg *servicecfg.Config) error {
 // Only override session recording configuration if either field is
 // specified in file configuration.
 if fc.Auth.hasCustomSessionRecording() {
+ var encryption *types.SessionRecordingEncryptionConfig
+ if fc.Auth.SessionRecordingEncryption != nil && fc.Auth.SessionRecordingEncryption.Value {
+ encryption = &types.SessionRecordingEncryptionConfig{
+ Enabled: true,
+ }
+ }
 cfg.Auth.SessionRecordingConfig, err = types.NewSessionRecordingConfigFromConfigFile(types.SessionRecordingConfigSpecV2{
 Mode: fc.Auth.SessionRecording,
 ProxyChecksHostKeys: fc.Auth.ProxyChecksHostKeys,
+ Encryption: encryption,
 })
 if err != nil {
 return trace.Wrap(err)
diff --git a/lib/config/fileconf.go b/lib/config/fileconf.go
index da1997b83bb47..64afba3a3793a 100644
--- a/lib/config/fileconf.go
+++ b/lib/config/fileconf.go
@@ -732,6 +732,9 @@ type Auth struct {
 // determines if the proxy will check the host key of the client or not.
 ProxyChecksHostKeys *types.BoolOption `yaml:"proxy_checks_host_keys,omitempty"`
 
+ // SessionRecordingEncryption enables or disables encryption of session recordings.
+ SessionRecordingEncryption *types.BoolOption `yaml:"session_recording_encryption,omitempty"`
+
 // LicenseFile is a path to the license file. The path can be either absolute or
 // relative to the global data dir
 LicenseFile string `yaml:"license_file,omitempty"`
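Review bot: An explicit `session_recording_encryption: false` is discarded by the added block in applyAuthConfig: `encryption` stays nil, so the spec handed to NewSessionRecordingConfigFromConfigFile is identical to the one built when the key is absent. If anything downstream distinguishes a nil `Encryption` from `Enabled: false` (not visible in this patch), the operator's explicit opt-out is lost; carrying the value through avoids that: `if opt := fc.Auth.SessionRecordingEncryption; opt != nil { encryption = &types.SessionRecordingEncryptionConfig{Enabled: opt.Value} }`. The context comment above the `if` still says "either field" although three fields now trigger the override, so it should read something like `// Only override session recording configuration if any of its fields is specified in file configuration.` applyAuthConfig starts and ends outside the hunk.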
@@ -873,7 +876,8 @@ func (a *Auth) hasCustomNetworkingConfig() bool {
 func (a *Auth) hasCustomSessionRecording() bool {
 empty := Auth{}
 return a.SessionRecording != empty.SessionRecording ||
- a.ProxyChecksHostKeys != empty.ProxyChecksHostKeys
+ a.ProxyChecksHostKeys != empty.ProxyChecksHostKeys ||
+ a.SessionRecordingEncryption != empty.SessionRecordingEncryption
 }
 
 // CAKeyParams configures how CA private keys will be created and stored.
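Review bot: Nothing in this patch exercises the new `a.SessionRecordingEncryption != empty.SessionRecordingEncryption` clause; the diffstat lists only configuration.go and fileconf.go. Because the field is a pointer, the comparison is true for any explicit value, so a file that sets only `session_recording_encryption` now makes applyAuthConfig rebuild the session recording config with an empty `Mode`; whether NewSessionRecordingConfigFromConfigFile fills in a default mode is not visible here. A config test that loads a file with only this key, once with `true` and once with `false`, and asserts the resulting mode and Encryption value would pin that behaviour down.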