privilegedescalation-engineer[bot]
67602fb279
- SECURITY.md: update to mention Renovate instead of Dependabot - README.md: update supply chain table - ADR 003: update mitigation to mention Renovate Closes PRI-389. Parent PRI-387. Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>
13 KiB
ADR 003: Client-Side Encryption
Status: Accepted
Date: 2026-02-11
Deciders: Development Team
Context
When building a Headlamp plugin for managing Sealed Secrets, we had to decide where encryption should occur:
- Server-side (in backend or Kubernetes cluster)
- Client-side (in browser)
- Hybrid (partial client, partial server)
Security Requirements
- Zero Trust: Plaintext secrets should never leave the user's machine
- Compliance: Must meet security standards for handling sensitive data
- Auditability: Users should be able to verify encryption happens locally
- Defense in Depth: Multiple layers of protection
Technical Constraints
- Headlamp Architecture: Browser-based UI communicating with Kubernetes API
- Sealed Secrets Design: Controller provides public key, accepts encrypted payloads
- Browser Capabilities: Modern browsers support Web Crypto API
- Network Security: Cannot assume HTTPS for all deployments
Decision
All encryption happens client-side in the browser.
Architecture
┌─────────────────────────────────────────────┐
│ User's Browser │
│ │
│ 1. User enters plaintext: "mysecret" │
│ │
│ 2. Plugin fetches public certificate │
│ GET /v1/cert.pem │
│ ← -----BEGIN CERTIFICATE----- │
│ │
│ 3. Plugin encrypts locally (RSA-OAEP) │
│ plaintext → encrypted (AES+RSA) │
│ │
│ 4. Plugin sends encrypted data │
│ POST /apis/bitnami.com/.../sealedsecrets│
│ → spec.encryptedData.password: "AgB..." │
│ │
│ ✅ Plaintext NEVER leaves browser │
└─────────────────────────────────────────────┘
│
│ Only encrypted data over network
▼
┌─────────────────────────────────────────────┐
│ Kubernetes Cluster │
│ │
│ 5. Controller receives encrypted data │
│ │
│ 6. Controller decrypts server-side │
│ (has private key) │
│ │
│ 7. Creates plain Secret │
└─────────────────────────────────────────────┘
Implementation Details
Encryption Algorithm: RSA-OAEP with AES-256-GCM
export function encryptValue(
publicKey: PEMCertificate,
plaintext: PlaintextValue
): Result<EncryptedValue, string> {
try {
// 1. Parse PEM certificate
const cert = forge.pki.certificateFromPem(publicKey);
const pubKey = cert.publicKey as forge.pki.rsa.PublicKey;
// 2. Generate random AES key
const aesKey = forge.random.getBytesSync(32);
// 3. Encrypt plaintext with AES-256-GCM
const cipher = forge.cipher.createCipher('AES-GCM', aesKey);
cipher.start({ iv: forge.random.getBytesSync(12) });
cipher.update(forge.util.createBuffer(plaintext));
cipher.finish();
// 4. Encrypt AES key with RSA-OAEP
const encryptedKey = pubKey.encrypt(aesKey, 'RSA-OAEP');
// 5. Combine and encode
const encrypted = encryptedKey + cipher.output.getBytes() + cipher.mode.tag.getBytes();
const base64 = forge.util.encode64(encrypted);
return Ok(EncryptedValue(base64));
} catch (err) {
return Err(`Encryption failed: ${err.message}`);
}
}
Library: node-forge (pure JavaScript, no native dependencies)
Consequences
Positive
✅ Maximum Security: Plaintext never transmitted over network
// Plaintext only exists in browser memory
const plaintext = PlaintextValue(userInput);
const encrypted = encryptValue(cert, plaintext); // Encrypted locally
// Network only sees encrypted value
✅ Zero Trust: No trust required in network, proxy, or middleware
User → Browser (plaintext)
Browser → Encryption (client-side)
Encrypted → Network → Cluster
// Even compromised network sees only encrypted data
✅ Compliance: Meets security standards (SOC2, HIPAA, etc.)
- Data encrypted at source
- Plaintext never stored or transmitted
- Audit trail in browser console
✅ User Control: Users can audit encryption in browser DevTools
// In browser console:
// 1. See plaintext before encryption
// 2. See encryption happen
// 3. Verify encrypted output
// 4. Confirm no plaintext in network tab
✅ Works Offline: Encryption doesn't require server roundtrip
// Can prepare SealedSecrets offline
const cert = downloadedCertificate;
const encrypted = encryptValue(cert, plaintext);
// Apply later when online
✅ Headlamp Compatible: Uses standard Headlamp SDK patterns
import { apiFactory } from '@kinvolk/headlamp-plugin/lib';
// Just creates encrypted resources via Kubernetes API
Negative
⚠️ Bundle Size: Crypto library adds to bundle
- node-forge: ~200KB (gzipped: ~60KB)
- Total plugin: 359KB (gzipped: 98KB)
⚠️ Browser Requirement: Must support Web Crypto API
- Chrome 37+, Firefox 34+, Safari 11+, Edge 79+
- Cannot use in Node.js without polyfill
⚠️ CPU Intensive: RSA encryption is slow
- ~50-100ms for typical secret
- May lag on very old devices
⚠️ No Server Validation: Server cannot validate plaintext before encryption
- Must trust client to send valid data
- Server only sees encrypted data
Mitigation
-
Bundle optimization: Use tree-shaking to reduce size
// Only import needed forge modules import forge from 'node-forge/lib/forge'; import 'node-forge/lib/pki'; import 'node-forge/lib/cipher'; -
Browser polyfills: Not needed (forge is pure JS)
-
Client-side validation: Validate before encryption
const validation = isValidSecretValue(plaintext); if (validation.ok === false) { return Err(validation.error); }
Alternatives Considered
1. Server-Side Encryption
Approach: Send plaintext to backend, encrypt there, send to cluster
Browser → Backend (plaintext) → Encrypt → Kubernetes
Pros:
- Smaller client bundle (no crypto library)
- Can use faster server-side crypto (native OpenSSL)
- Server can validate plaintext
Cons:
- ❌ Plaintext over network - major security risk
- ❌ Requires HTTPS - cannot work in non-TLS environments
- ❌ Trust required - must trust backend, network, proxies
- ❌ Not Headlamp compatible - would need custom backend
- ❌ Compliance issues - plaintext in transit violates many standards
Rejected: Security risk unacceptable.
2. Hybrid Encryption
Approach: Browser encrypts with symmetric key, backend encrypts symmetric key
Browser → Encrypt with AES → Backend → Encrypt AES key with RSA → Kubernetes
Pros:
- Faster client-side (symmetric only)
- Backend does expensive RSA operation
Cons:
- ❌ Still requires backend
- ❌ Complex architecture
- ❌ Symmetric key over network (attack vector)
- ❌ Not compatible with Headlamp architecture
Rejected: Complexity without sufficient benefit.
3. Use kubeseal CLI Only
Approach: No browser encryption, users must use kubeseal command-line tool
$ echo -n "secret" | kubeseal --cert cert.pem > sealed.yaml
$ kubectl apply -f sealed.yaml
Pros:
- No browser crypto needed
- Proven tool (kubeseal)
- Simple
Cons:
- ❌ Poor UX - requires CLI installation, terminal access
- ❌ Not integrated - defeats purpose of Headlamp UI
- ❌ CI/CD only - not practical for interactive use
Rejected: Defeats the purpose of a Headlamp plugin.
4. Web Crypto API (native browser crypto)
Approach: Use native browser crypto instead of node-forge
const encrypted = await crypto.subtle.encrypt(
{ name: 'RSA-OAEP' },
publicKey,
plaintext
);
Pros:
- No crypto library needed
- Faster (native implementation)
- Zero bundle size impact
Cons:
- ❌ API complexity - harder to use than forge
- ❌ PEM parsing - no native PEM support, need manual parsing
- ❌ Compatibility - kubeseal uses specific padding/format
- ❌ Testing - harder to test (can't mock)
Rejected: Compatibility risk with Sealed Secrets controller. May revisit in future if we can guarantee identical output to kubeseal.
Implementation
Phase 1.0 (Initial - 2026-02-11)
Implemented client-side encryption:
src/lib/crypto.ts- Encryption functions- Uses node-forge library
- RSA-OAEP + AES-256-GCM
- Compatible with kubeseal CLI output
Phase 1.2 (Enhanced - 2026-02-11)
Added type safety:
- Branded types (
PlaintextValue,EncryptedValue) - Result types for error handling
- Prevents accidentally using plaintext
Security Features
✅ Encryption happens in browser ✅ Plaintext never in network requests ✅ Branded types prevent leaking plaintext ✅ Certificate validation before use ✅ Compatible with kubeseal format
Security Audit
Threat Model
| Threat | Mitigation |
|---|---|
| Man-in-the-middle | ✅ Plaintext never on network |
| Compromised proxy | ✅ Only sees encrypted data |
| Network sniffing | ✅ No plaintext to sniff |
| Browser XSS | ⚠️ Standard web security (CSP, etc.) |
| Headlamp compromise | ⚠️ Trust Headlamp like any desktop app |
| Malicious plugin | ⚠️ User must trust plugin source |
| Memory dumps | ⚠️ Plaintext in browser memory briefly |
Attack Vectors
XSS (Cross-Site Scripting):
- Risk: Malicious script could steal plaintext from memory
- Mitigation: Headlamp's Content Security Policy
- Not unique to client-side encryption
Supply Chain:
- Risk: Compromised node-forge dependency
- Mitigation: Package lock, Renovate, regular audits
- Same risk as any JavaScript dependency
Browser Extensions:
- Risk: Malicious extension could read browser memory
- Mitigation: User responsibility (same as password managers)
- Not unique to this plugin
Validation
Compatibility Testing
Verified encryption is compatible with kubeseal:
# Encrypt with plugin in browser
kubectl get sealedsecret my-secret -o jsonpath='{.spec.encryptedData.password}' | base64 -d > plugin-encrypted.bin
# Encrypt with kubeseal CLI
echo -n "mysecret" | kubeseal --raw --cert cert.pem --scope strict --name my-secret --namespace default > kubeseal-encrypted.bin
# Both decrypt to same plaintext ✅
# (ciphertexts differ due to random IV, but both valid)
Performance Testing
| Operation | Time | Notes |
|---|---|---|
| Fetch certificate | ~200ms | Network latency |
| Encrypt small secret | ~50ms | RSA-OAEP overhead |
| Encrypt 1KB secret | ~60ms | Minimal increase |
| Create SealedSecret | ~300ms | Kubernetes API latency |
Total user experience: ~600ms from submit to created (acceptable).
Future Considerations
1. Web Crypto API Migration
If we can guarantee identical output format:
- Remove node-forge dependency (-200KB bundle)
- Use native crypto.subtle API
- Faster performance
- Requires: Extensive compatibility testing
2. WebAssembly Crypto
For even faster encryption:
- Compile OpenSSL to WASM
- Same format as kubeseal (uses OpenSSL)
- Requires: WASM expertise, larger initial bundle
3. Hardware Security Modules
For enterprise users:
- Support YubiKey, TPM for key storage
- Requires: Web Authentication API integration
References
Related ADRs
- ADR 002: Branded Types - Type safety for plaintext vs encrypted
- ADR 001: Result Types - Error handling for encryption operations
Changelog
- 2026-02-11: Initial implementation
- 2026-02-11: Enhanced with branded types
- 2026-02-12: Documented in ADR