Merged
21 commits
741d7c9
adding support for encryption/decryption keys to keystore manager (#5…
eriktate May 29, 2025
a149226
adds new protos for resources related to encrypted session recordings…
eriktate May 29, 2025
74487ac
adding local service implementation for recording encryption resource…
eriktate May 30, 2025
1f8687a
adding Manager for RecordingEncryption resources that handles shared …
eriktate Jun 24, 2025
b930636
Adding session recording plugin for `age` (#55120)
eriktate Jun 24, 2025
09f913f
Adding recording encryption and playback for `sync` modes (#54901)
eriktate Jun 26, 2025
0e7f1bd
adding cache for RecordingEncryption (#55857)
eriktate Jun 26, 2025
d1c941a
adding recording_encryption service protos (#55121)
eriktate Jun 26, 2025
98ad4a6
adding async recording encryption with gRPC multipart uploader (#55859)
eriktate Jun 30, 2025
16115de
adding file configuration for encrypted session recording (#56200)
eriktate Jun 30, 2025
406e949
Switching recording encryption to unwrap keys using direct keystore R…
eriktate Jul 23, 2025
d2fed65
adding manual key management config (#56920)
eriktate Aug 5, 2025
9ecc500
updating protos for recording encryption (#57055)
eriktate Aug 13, 2025
ba509ad
Add missing handling for recording encryption configs and keys (#57279)
eriktate Aug 13, 2025
645832c
adding new protos for rotated keys and the local service for interact…
eriktate Aug 14, 2025
5dd9336
Switching encryption keys from PEM to ASN.1 DER encoding (#58137)
eriktate Aug 21, 2025
736910f
using pregenerated RSA4096 key for keystore tests because generation …
eriktate Aug 20, 2025
7ca8f0b
extending precomputed RSA keys to support 4096-bit keys (#58251)
eriktate Aug 25, 2025
3d37c46
adding rotation process to Manager and exposing with new RPCs and (#5…
eriktate Aug 26, 2025
2a0e2b5
adding rotation sub commands for recording encryption keys and fixing…
eriktate Aug 26, 2025
588f960
using more reliable method of validating key bit length
eriktate Sep 2, 2025
56 changes: 52 additions & 4 deletions api/client/client.go
Expand Up @@ -89,6 +89,7 @@ import (
oktapb "github.com/gravitational/teleport/api/gen/proto/go/teleport/okta/v1"
pluginspb "github.com/gravitational/teleport/api/gen/proto/go/teleport/plugins/v1"
presencepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/presence/v1"
recordingencryptionv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1"
recordingmetadatav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingmetadata/v1"
resourceusagepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/resourceusage/v1"
samlidppb "github.com/gravitational/teleport/api/gen/proto/go/teleport/samlidp/v1"
Expand Down Expand Up @@ -130,6 +131,7 @@ type AuthServiceClient struct {
auditlogpb.AuditLogServiceClient
userpreferencespb.UserPreferencesServiceClient
notificationsv1pb.NotificationServiceClient
recordingencryptionv1pb.RecordingEncryptionServiceClient
}

// Client is a gRPC Client that connects to a Teleport Auth server either
Expand Down Expand Up @@ -539,10 +541,11 @@ func (c *Client) dialGRPC(ctx context.Context, addr string) error {

c.conn = conn
c.grpc = AuthServiceClient{
AuthServiceClient: proto.NewAuthServiceClient(c.conn),
AuditLogServiceClient: auditlogpb.NewAuditLogServiceClient(c.conn),
UserPreferencesServiceClient: userpreferencespb.NewUserPreferencesServiceClient(c.conn),
NotificationServiceClient: notificationsv1pb.NewNotificationServiceClient(c.conn),
AuthServiceClient: proto.NewAuthServiceClient(c.conn),
AuditLogServiceClient: auditlogpb.NewAuditLogServiceClient(c.conn),
UserPreferencesServiceClient: userpreferencespb.NewUserPreferencesServiceClient(c.conn),
NotificationServiceClient: notificationsv1pb.NewNotificationServiceClient(c.conn),
RecordingEncryptionServiceClient: recordingencryptionv1pb.NewRecordingEncryptionServiceClient(c.conn),
}
c.JoinServiceClient = NewJoinServiceClient(proto.NewJoinServiceClient(c.conn))

Expand Down Expand Up @@ -951,6 +954,12 @@ func (c *Client) RecordingMetadataServiceClient() recordingmetadatav1.RecordingM
return recordingmetadatav1.NewRecordingMetadataServiceClient(c.conn)
}

// RecordingEncryptionServiceClient returns an unadorned client for the session
// recording encryption service.
func (c *Client) RecordingEncryptionServiceClient() recordingencryptionv1pb.RecordingEncryptionServiceClient {
return recordingencryptionv1pb.NewRecordingEncryptionServiceClient(c.conn)
}

// GetVnetConfig returns the singleton VnetConfig resource.
func (c *Client) GetVnetConfig(ctx context.Context) (*vnet.VnetConfig, error) {
return c.VnetConfigServiceClient().GetVnetConfig(ctx, &vnet.GetVnetConfigRequest{})
Expand Down Expand Up @@ -2554,6 +2563,45 @@ func (c *Client) StreamSessionEvents(ctx context.Context, sessionID string, star
return ch, e
}

// UploadEncryptedRecording streams encrypted recording parts to the auth
// server to be saved in long term storage.
func (c *Client) UploadEncryptedRecording(ctx context.Context, sessionID string, parts iter.Seq2[[]byte, error]) error {
createRes, err := c.grpc.CreateUpload(ctx, &recordingencryptionv1pb.CreateUploadRequest{
SessionId: sessionID,
})
if err != nil {
return trace.Wrap(err)
}

var uploadedParts []*recordingencryptionv1pb.Part
var partNumber int64
for part, err := range parts {
if err != nil {
return trace.Wrap(err)
}

uploadRes, err := c.grpc.UploadPart(ctx, &recordingencryptionv1pb.UploadPartRequest{
Upload: createRes.Upload,
PartNumber: partNumber,
Part: part,
})
if err != nil {
return trace.Wrap(err)
}
uploadedParts = append(uploadedParts, uploadRes.Part)
partNumber++
}

if _, err := c.grpc.CompleteUpload(ctx, &recordingencryptionv1pb.CompleteUploadRequest{
Upload: createRes.Upload,
Parts: uploadedParts,
}); err != nil {
return trace.Wrap(err)
}

return nil
}

// SearchEvents allows searching for events with a full pagination support.
func (c *Client) SearchEvents(ctx context.Context, fromUTC, toUTC time.Time, namespace string, eventTypes []string, limit int, order types.EventOrder, startKey string) ([]events.AuditEvent, string, error) {
request := &proto.GetEventsRequest{
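Review bot: The error returns inside the `for part, err := range parts` loop in UploadEncryptedRecording, and the one after the `UploadPart` call, abandon the upload that `CreateUpload` just opened, so a failed iterator or a cancelled `ctx` leaves a partially uploaded recording behind with nothing in this client attempting cleanup. If the recording encryption service exposes an abort or cleanup RPC, it should be invoked on those paths (a `defer` guarded by a success flag keeps the happy path unchanged); if it does not, the doc comment should state that the server is expected to expire incomplete uploads, since the current comment only covers the success case. The loop body also redeclares the iteration's `err` with `uploadRes, err := c.grpc.UploadPart(...)`, which is legal but easy to misread; `if uploadRes, err := c.grpc.UploadPart(ctx, req); err != nil { return trace.Wrap(err) }` with `req` built just above keeps the two errors visibly distinct. It would also help to note in the doc comment that every RPC reuses the caller's `ctx`, so its deadline bounds the entire multipart upload rather than a single part.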
8 changes: 8 additions & 0 deletions api/client/events.go
Expand Up @@ -29,6 +29,7 @@ import (
machineidv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1"
notificationsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/notifications/v1"
provisioningv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/provisioning/v1"
recordingencryptionv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1"
accessv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/scopes/access/v1"
userprovisioningpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2"
usertasksv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/usertasks/v1"
Expand Down Expand Up @@ -156,6 +157,10 @@ func EventToGRPC(in types.Event) (*proto.Event, error) {
out.Resource = &proto.Event_WorkloadIdentityX509Revocation{
WorkloadIdentityX509Revocation: r.UnwrapT(),
}
case types.Resource153UnwrapperT[*recordingencryptionv1.RecordingEncryption]:
out.Resource = &proto.Event_RecordingEncryption{
RecordingEncryption: r.UnwrapT(),
}
case types.Resource153UnwrapperT[*healthcheckconfigv1.HealthCheckConfig]:
out.Resource = &proto.Event_HealthCheckConfig{
HealthCheckConfig: r.UnwrapT(),
Expand Down Expand Up @@ -660,6 +665,9 @@ func EventFromGRPC(in *proto.Event) (*types.Event, error) {
} else if r := in.GetPlugin(); r != nil {
out.Resource = r
return &out, nil
} else if r := in.GetRecordingEncryption(); r != nil {
out.Resource = types.ProtoResource153ToLegacy(r)
return &out, nil
} else {
return nil, trace.BadParameter("received unsupported resource %T", in.Resource)
}
40 changes: 31 additions & 9 deletions api/client/proto/event.pb.go

