groundmuffin (Collaborator) commented Aug 12, 2025

feat: Enforcing Database Encryption & Enable HTTPS by default

This pull request introduces a set of security enhancements to the Fasten-on-prem application. This implementation ensures that all sensitive data stored in the database is encrypted, and that all communication with the server is secured with HTTPS by default.

Key Features and Changes

1. HTTPS by Default

  • The application now runs on https://localhost:9090 by default, with HTTPS enabled in the configuration.
  • An automatic self-signed TLS certificate generation mechanism creates a local Certificate Authority (CA) to issue a server certificate, ensuring the user's connection is secure out-of-the-box.

2. Automatic Encryption Key Generation

  • On the first run of the application, a unique encryption key is automatically generated for the database.
  • This key is essential for accessing the database and must be saved by the user in a secure location.

3. Startup and Standby Mode

  • The application now includes a startup check to determine if the database is encrypted and if the encryption key is available.
  • If the encryption key is missing, the application will start in a "standby mode." In this mode, most of the application's functionality is disabled, and the user is prompted to provide the encryption key to proceed.

4. Backend Refactoring

  • Configuration: The config.yaml file has been updated to include an encryption.enabled flag (default true) and settings for enabling HTTPS and managing certificate directories.
  • Encryption Key Handling: New handlers and services have been added to the backend to manage the encryption key, including endpoints for retrieving, setting, and validating the key.
  • Database Initialization: The database repository has been refactored to support encryption using SQLCipher.
  • Web Server: The web server has been updated to start with ListenAndServeTLS when HTTPS is enabled, using the generated certificates.

5. Frontend User Experience

  • Encryption Key Wizard: A new wizard guides users through saving their encryption key during the initial setup.
  • Restore Encryption Key: A dedicated page allows users to restore their encryption key if the application is in standby mode.
  • Route Guards: New route guards ensure that the application is only accessible when the encryption key is present and valid.
  • Proxy Configuration: The frontend proxy has been updated to ensure proper communication with the HTTPS backend during local development.

6. Updated Documentation

  • The README.md file has been updated with detailed instructions on how to trust the self-signed root CA certificate on macOS, Windows, and Linux, as well as in Firefox.

How to Test

  1. Trusting the Self-Signed Certificate:

    • Before starting the application, ensure you have a certs directory.
    • Start the application. It will generate a rootCA.pem file in the certs directory.
    • Follow the instructions below to import the certificate into your operating system or browser:
      • macOS: Open Keychain Access, select the System keychain, and import the certs/rootCA.pem file. Set the "Fasten Health CA" certificate to Always Trust.
      • Windows: Double-click the certs/rootCA.pem file, install the certificate to the Local Machine, and place it in the Trusted Root Certification Authorities store.
      • Linux (Ubuntu/Debian): Copy the certificate to /usr/local/share/ca-certificates/fasten-health-ca.crt and run sudo update-ca-certificates.
      • Firefox: Go to Settings > Privacy & Security > Certificates > View Certificates..., import the certs/rootCA.pem file in the Authorities tab, and trust it to identify websites.
  2. First-Time Setup:

    • With the application running, you should be redirected to the encryption key wizard.
    • Follow the instructions to save your encryption key.
    • Once the key is saved, you should be able to proceed with the normal application setup.
  3. Restoring from Standby Mode:

    • Stop the application.
    • Start the application again.
    • You should be redirected to the "Restore Encryption Key" page.
    • Enter your saved encryption key to regain access to the application.

These changes significantly improve the security of the Fasten-on-prem application by ensuring that all user data is encrypted at rest and all data transmitted is secure, providing a safer experience for users.


Quick demos:

  • Trusting CA certificate
trust-ca.mp4
  • Managing DB encryption key
db-enc.mp4
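
The "HTTPS by Default" item in the description above has a local CA issue the server certificate. The following is an added example, not code from this pull request, of what such a chain looks like in Go and what a client that trusts only the CA will accept. The subject names, serial numbers, three-month validity and the host other.example are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueLocalChain builds a constructed local CA and a "localhost" server certificate under it.
func issueLocalChain() (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nb, na := time.Now().Add(-time.Minute), time.Now().AddDate(0, 3, 0)
	caTmpl := &x509.Certificate{ // CA: may sign certificates, but only leaves (path length 0)
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Local CA"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leafTmpl := &x509.Certificate{ // leaf: server authentication for one name, no CA rights
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"}, NotBefore: nb, NotAfter: na,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, DNSNames: []string{"localhost"},
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// verifyHost validates leaf for host against a pool that trusts only ca, as a client that imported the CA would.
func verifyHost(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, leaf := issueLocalChain()
	fmt.Println("localhost:", verifyHost(ca, leaf, "localhost"), "| other host:", verifyHost(ca, leaf, "other.example"))
}
```

Because each run creates a fresh CA key, a leaf from one installation does not verify against another installation's CA, so a trusted root CA file only vouches for the instance that generated it.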

groundmuffin changed the title from "feat: Enforcing Database Encryption" to "# feat: Enforcing Database Encryption & Enable HTTPS by default" Aug 18, 2025
# Conflicts:
#	backend/pkg/web/server.go
#	frontend/src/app/app-routing.module.ts
#	frontend/src/app/app.module.ts
# Conflicts:
#	backend/pkg/config/config.go
#	backend/pkg/web/server.go
#	config.yaml
#	docker-compose-prod.yml
#	frontend/src/app/app-routing.module.ts
#	frontend/src/app/app.module.ts