Kek in an isolated buffer to ensure it isnt mutated

narval-xyz · Mar 4, 2024 · 162a982 · 162a982
1 parent da72887
commit 162a982
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/apps/policy-engine/src/encryption/core/encryption.service.ts b/apps/policy-engine/src/encryption/core/encryption.service.ts
@@ -83,10 +83,14 @@ export class EncryptionService implements OnApplicationBootstrap {
   }
 
   private getKeyEncryptionKeyring(kek: Buffer) {
+    // Allocate a new isolated buffer to ensure we don't manipulate the kek
+    const isolatedKek = Buffer.alloc(kek.length)
+    kek.copy(isolatedKek, 0, 0, kek.length)
+
     const keyring = new RawAesKeyringNode({
       keyName: 'armory.engine.kek',
       keyNamespace,
-      unencryptedMasterKey: kek,
+      unencryptedMasterKey: isolatedKek,
       wrappingSuite
     })