
Adding recording encryption and playback for sync modes #54901


Merged
merged 5 commits into from
Jun 26, 2025


@eriktate eriktate commented May 16, 2025

This PR is in support of the encrypted session recordings RFD. It adds encrypted session recording with decrypted playback for sync recording modes. It can be enabled by using tctl to set encryption.enabled: true in your session_recording_config:

spec:
  encryption:
    enabled: true

It will use whichever CA keystore is configured in order to provision the necessary key encryption keys, which by default uses software keys.

@eriktate eriktate force-pushed the eriktate/integrating-recording-encryption-service branch from 74655a4 to e2ffb6f Compare May 16, 2025 22:24
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from 105b5cc to e7a2e93 Compare May 22, 2025 22:30
@eriktate eriktate changed the base branch from eriktate/integrating-recording-encryption-service to eriktate/encrypted-recording-manager May 22, 2025 22:42
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from e7a2e93 to 13c4954 Compare May 23, 2025 20:44
@eriktate eriktate force-pushed the eriktate/encrypted-recording-manager branch 2 times, most recently from 1a198d9 to 7713063 Compare May 23, 2025 20:51
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from 13c4954 to 2b59995 Compare May 23, 2025 20:52
@eriktate eriktate changed the base branch from eriktate/encrypted-recording-manager to eriktate/encrypted-recording-age-plugin May 23, 2025 21:09
@eriktate eriktate marked this pull request as ready for review May 23, 2025 21:21
@github-actions github-actions bot added audit-log Issues related to Teleports Audit Log size/lg labels May 23, 2025
@eriktate eriktate force-pushed the eriktate/encrypted-recording-age-plugin branch 3 times, most recently from 91b056c to 6cbe77d Compare May 28, 2025 18:41
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from 2b59995 to 28e5480 Compare May 28, 2025 18:42
@eriktate eriktate force-pushed the eriktate/encrypted-recording-age-plugin branch from 6cbe77d to b3233d2 Compare May 28, 2025 20:57
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch 2 times, most recently from d7299df to 01e20fb Compare May 30, 2025 02:42
@eriktate eriktate force-pushed the eriktate/encrypted-recording-age-plugin branch from b3233d2 to 7804aab Compare May 30, 2025 13:02
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from 01e20fb to 04c6341 Compare May 30, 2025 13:03

@rosstimothy rosstimothy left a comment


@eriktate what do you think about splitting out the changes here that are dedicated to caching and the event stream to a separate PR?

@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch 2 times, most recently from f5a8502 to 946c684 Compare May 30, 2025 18:31
@public-teleport-github-review-bot

@eriktate - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

@eriktate eriktate force-pushed the eriktate/encrypted-recording-age-plugin branch 2 times, most recently from fdfc71a to 40380b1 Compare June 3, 2025 00:31
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from 946c684 to affe736 Compare June 3, 2025 00:31
@eriktate eriktate force-pushed the eriktate/encrypted-recording-age-plugin branch from d4f7490 to e2f11a4 Compare June 24, 2025 19:33
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from 41804ad to e9ec376 Compare June 24, 2025 19:33
@eriktate eriktate force-pushed the eriktate/encrypted-recording-age-plugin branch from e2f11a4 to 92a6d14 Compare June 24, 2025 20:24
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from e9ec376 to 5d49ccd Compare June 24, 2025 20:24
Base automatically changed from eriktate/encrypted-recording-age-plugin to master June 24, 2025 21:57
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from fddaaf7 to f6fc84e Compare June 24, 2025 22:44
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from f6fc84e to f5e7591 Compare June 24, 2025 23:17
@eriktate

@doggydogworld friendly bump!


@Joerger Joerger left a comment


Can you add a PR description / link to relevant issues?

In particular I'd like to understand how strict the encryption is or any configuration needed to make it work.

Overall LGTM though.

)

func TestEncryptedIO(t *testing.T) {
ctx := context.Background()

Did you mean to apply this suggestion?

@eriktate eriktate requested a review from Joerger June 26, 2025 15:29
@eriktate eriktate force-pushed the eriktate/sync-recording-encryption branch from 10d4693 to 9bd4a4a Compare June 26, 2025 15:43
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from doggydogworld June 26, 2025 18:50
@eriktate eriktate added this pull request to the merge queue Jun 26, 2025
Merged via the queue into master with commit 55532fa Jun 26, 2025
42 checks passed
@eriktate eriktate deleted the eriktate/sync-recording-encryption branch June 26, 2025 19:23
eriktate added a commit that referenced this pull request Jun 30, 2025
adding encryption for sync recording modes
eriktate added a commit that referenced this pull request Jul 1, 2025
* adding encryption for sync recording modes
eriktate added a commit that referenced this pull request Jul 1, 2025
adding encryption for sync recording modes
eriktate added a commit that referenced this pull request Jul 1, 2025
* adding encryption for sync recording modes
Labels
audit-log Issues related to Teleports Audit Log no-changelog Indicates that a PR does not require a changelog entry size/lg