fix: harden secrets at rest using envelope encryption

CHANGELOG.md

@@ -1,3 +1,11 @@
+## v1.11.4 [unreleased]
+
+### Security Fixes
+
+1. [#6211](https://github.com/influxdata/chronograf/pull/6211): Harden secrets-at-rest protections for persisted source and server credentials using envelope encryption.
+   * Add startup migration for legacy plaintext secrets when a secrets master key is configured.
+   * Add `chronoctl` commands for master-key generation, rewrap, and disable workflows.
+
 ## v1.11.3 [2026-05-27]
 
 ### Other

cmd/chronoctl/README.md

@@ -5,10 +5,60 @@ Chronoctl is a tool to interact with an instance of a chronograf's bolt database
 ```
 Available commands:
   add-superadmin  Creates a new superadmin user  (bolt specific)
+  gen-secrets-master-key Generates a secrets master key
   list-users      Lists users                    (bolt specific)
+  disable-secrets-encryption Disables secrets encryption and removes wrapped DEK
+  rewrap-secrets-master-key Rewraps stored DEK with new master key
   migrate         Migrate db (beta)
 ```
 
+### Secrets Encryption Commands
+
+Use these commands when Chronograf secret-at-rest encryption is enabled.
+
+##### Generate Secrets Master Key
+Generate a base64-encoded 32-byte key:
+
+```sh
+$ chronoctl gen-secrets-master-key
+```
+
+Write the generated key to a file (0600):
+
+```sh
+$ chronoctl gen-secrets-master-key --out ./chronograf-secrets.key
+```
+
+##### Rewrap Secrets Master Key
+Rotate the secrets master key by rewrapping the stored DEK:
+
+```sh
+$ chronoctl rewrap-secrets-master-key \
+    --bolt-path ./chronograf-v1.db \
+    --old-secrets-master-key-file ./old.key \
+    --new-secrets-master-key-file ./new.key
+```
+
+After successful rewrap, start Chronograf with the new key.
+
+##### Disable Secrets Encryption
+Disable secret encryption by decrypting persisted secrets to plaintext and
+removing the wrapped DEK:
+
+```sh
+$ chronoctl disable-secrets-encryption \
+    --bolt-path ./chronograf-v1.db \
+    --secrets-master-key-file ./current.key
+```
+
+After successful disable:
+- Chronograf no longer requires `--secrets-master-key` / `--secrets-master-key-file`
+- persisted secrets are plaintext again
+
+Important:
+- `rewrap-secrets-master-key` changes only master-key wrapping and does not re-encrypt secret records.
+- `disable-secrets-encryption` decrypts encrypted secrets and stores them as plaintext.
+
 
 ### Migrate
 

cmd/chronoctl/disable_secrets_encryption.go

@@ -0,0 +1,49 @@
+package main
+
+import (
+	"context"
+	"fmt"
+)
+
+func init() {
+	parser.AddCommand("disable-secrets-encryption",
+		"Disable secrets encryption and rewrite persisted secrets to plaintext.",
+		"Decrypt stored secrets in BoltDB and remove wrapped DEK. Requires current secrets master key.",
+		&disableSecretsEncryptionCommand{})
+}
+
+type disableSecretsEncryptionCommand struct {
+	BoltPath string `short:"b" long:"bolt-path" description:"Full path to boltDB file (e.g. './chronograf-v1.db')" env:"BOLT_PATH" default:"chronograf-v1.db"`
+
+	SecretsMasterKey     string `long:"secrets-master-key" description:"Current base64-encoded 32-byte secrets master key." env:"SECRETS_MASTER_KEY"`
+	SecretsMasterKeyFile string `long:"secrets-master-key-file" description:"Path to file containing current base64-encoded 32-byte secrets master key." env:"SECRETS_MASTER_KEY_FILE"`
+}
+
+func (c *disableSecretsEncryptionCommand) Execute(args []string) error {
+	key, err := loadCLISecretsMasterKey(c.SecretsMasterKey, c.SecretsMasterKeyFile, "current")
+	if err != nil {
+		errExit(err)
+	}
+
+	if err := validateExistingBoltPath(c.BoltPath); err != nil {
+		errExit(err)
+	}
+
+	store, err := NewBoltClient(c.BoltPath)
+	if err != nil {
+		return err
+	}
+	defer store.Close()
+
+	svc, err := NewService(store)
+	if err != nil {
+		return err
+	}
+
+	if err := svc.DisableSecretEncryption(context.Background(), key); err != nil {
+		errExit(err)
+	}
+
+	fmt.Println("Successfully disabled secrets encryption and removed wrapped DEK")
+	return nil
+}

cmd/chronoctl/gen_secrets_master_key.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"os"
+
+	flags "github.com/jessevdk/go-flags"
+)
+
+func init() {
+	parser.AddCommand("gen-secrets-master-key",
+		"Generate secrets master key.",
+		"Generate base64-encoded 32-byte key for Chronograf --secrets-master-key / --secrets-master-key-file.",
+		&genSecretsMasterKeyCommand{})
+}
+
+type genSecretsMasterKeyCommand struct {
+	Out flags.Filename `long:"out" description:"File to save the generated key (0600 permissions). If omitted, key is printed to stdout."`
+}
+
+func generateSecretsMasterKey() (string, error) {
+	raw := make([]byte, 32)
+	if _, err := rand.Read(raw); err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(raw), nil
+}
+
+func (c *genSecretsMasterKeyCommand) Execute(args []string) error {
+	key, err := generateSecretsMasterKey()
+	if err != nil {
+		errExit(err)
+	}
+
+	if c.Out == "" {
+		fmt.Println(key)
+		return nil
+	}
+
+	if _, err := os.Stat(string(c.Out)); err == nil {
+		errExit(errors.New("specify a non-existent file to write to"))
+	} else if !errors.Is(err, os.ErrNotExist) {
+		errExit(err)
+	}
+
+	if err := os.WriteFile(string(c.Out), []byte(key+"\n"), 0600); err != nil {
+		errExit(err)
+	}
+
+	fmt.Printf("Secrets master key generated and saved at %s\n", c.Out)
+	return nil
+}

cmd/chronoctl/main_test.go

@@ -1,6 +1,10 @@
 package main
 
 import (
+	"bytes"
+	"encoding/base64"
+	"os"
+	"path/filepath"
 	"testing"
 
 	flags "github.com/jessevdk/go-flags"
@@ -23,6 +27,18 @@ func TestChronoctlCommands(t *testing.T) {
 			args: []string{"gen-keypair", "-h"},
 			err:  false,
 		},
+		{
+			args: []string{"gen-secrets-master-key", "-h"},
+			err:  false,
+		},
+		{
+			args: []string{"disable-secrets-encryption", "-h"},
+			err:  false,
+		},
+		{
+			args: []string{"rewrap-secrets-master-key", "-h"},
+			err:  false,
+		},
 		{
 			args: []string{"list-users", "-h"},
 			err:  false,
@@ -48,3 +64,116 @@ func TestChronoctlCommands(t *testing.T) {
 		}
 	}
 }
+
+func TestLoadCLISecretsMasterKey(t *testing.T) {
+	validRaw := bytes.Repeat([]byte{0x11}, 32)
+	validB64 := base64.StdEncoding.EncodeToString(validRaw)
+
+	tests := []struct {
+		name     string
+		value    string
+		fileBody string
+		useFile  bool
+		wantErr  bool
+	}{
+		{
+			name:     "value and file both set",
+			value:    validB64,
+			fileBody: validB64,
+			useFile:  true,
+			wantErr:  true,
+		},
+		{
+			name:    "value and file both empty",
+			wantErr: true,
+		},
+		{
+			name:    "invalid base64 in value",
+			value:   "%%%not-base64%%%",
+			wantErr: true,
+		},
+		{
+			name:    "wrong decoded length",
+			value:   base64.StdEncoding.EncodeToString([]byte("short")),
+			wantErr: true,
+		},
+		{
+			name:    "valid value",
+			value:   validB64,
+			wantErr: false,
+		},
+		{
+			name:     "valid file",
+			fileBody: validB64 + "\n",
+			useFile:  true,
+			wantErr:  false,
+		},
+		{
+			name:     "invalid base64 file",
+			fileBody: "invalid@@@",
+			useFile:  true,
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var filePath string
+			if tt.useFile {
+				dir := t.TempDir()
+				filePath = filepath.Join(dir, "secrets.key")
+				if err := os.WriteFile(filePath, []byte(tt.fileBody), 0600); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			key, err := loadCLISecretsMasterKey(tt.value, filePath, "test")
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(key) != 32 {
+				t.Fatalf("unexpected key length: got %d, want 32", len(key))
+			}
+		})
+	}
+}
+
+func TestGenerateSecretsMasterKey(t *testing.T) {
+	key, err := generateSecretsMasterKey()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	raw, err := base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		t.Fatalf("generated key is not valid base64: %v", err)
+	}
+	if len(raw) != 32 {
+		t.Fatalf("unexpected decoded key length: got %d, want 32", len(raw))
+	}
+}
+
+func TestValidateExistingBoltPath(t *testing.T) {
+	t.Run("missing path", func(t *testing.T) {
+		err := validateExistingBoltPath(filepath.Join(t.TempDir(), "missing.db"))
+		if err == nil {
+			t.Fatalf("expected error for missing path")
+		}
+	})
+
+	t.Run("existing path", func(t *testing.T) {
+		dir := t.TempDir()
+		path := filepath.Join(dir, "chronograf-v1.db")
+		if err := os.WriteFile(path, []byte{}, 0600); err != nil {
+			t.Fatal(err)
+		}
+		if err := validateExistingBoltPath(path); err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+	})
+}