@@ -33,47 +33,36 @@ represent best practices.
3333
3434 Use the same Google credentials as you used in the previous steps.
3535
36- 1. Create a Google Cloud KMS key ring and two signing keys :
36+ 1. Change directory into this repository :
3737
38- ` ` ` sh
39- gcloud kms keyrings create " signing"
40- --location " us"
41-
42- gcloud kms keys create " token-signing"
43- --location " us"
44- --keyring " signing"
45- --purpose " asymmetric-signing"
46- --default-algorithm " ec-sign-p256-sha256"
47-
48- gcloud kms keys create " certificate-signing"
49- --location " us"
50- --keyring " signing"
51- --purpose " asymmetric-signing"
52- --default-algorithm " ec-sign-p256-sha256"
38+ ` ` ` text
39+ cd /path/to/exposure-notifications-verification-server
5340 ` ` `
5441
55- To get the resource names to the keys (for use below):
56-
57- ` ` ` sh
58- gcloud kms keys describe " token-signing"
59- --location " us"
60- --keyring " signing"
42+ 1. Bootstrap the local key management system:
6143
62- gcloud kms keys describe " certificate-signing"
63- --location " us"
64- --keyring " signing"
44+ ` ` ` text
45+ go run ./tools/gen-keys
6546 ` ` `
6647
48+ This will output some environment variables. ** Save these environment
49+ variables for the next step! **
50+
51+ The default development setup uses a local, on-disk key manager to persist
52+ across server restarts. The production installation recommends a hosted key
53+ management service like Google Cloud KMS. It is possible to use Google Cloud
54+ KMS locally by following the instructions in the production setup guide.
55+
67561. Create a ` .env`
6857 development since you can ` source`
6958 these values again.
7059
7160 ` ` ` sh
72- # Create a file named .env with these contents
73- export PROJECT_ID=" YOUR_PROJECT_ID " # TODO: replace
61+ # Google project configuration.
62+ export PROJECT_ID=" TODO"
7463 export GOOGLE_CLOUD_PROJECT=" ${PROJECT_ID} "
7564
76- # Get these values from the firebase console
65+ # Get these values from the firebase console.
7766 export FIREBASE_API_KEY=" TODO"
7867 export FIREBASE_PROJECT_ID=" ${PROJECT_ID} "
7968 export FIREBASE_MESSAGE_SENDER_ID=" TODO"
@@ -85,35 +74,58 @@ represent best practices.
8574 export FIREBASE_PRIVACY_POLICY_URL=" TODO"
8675 export FIREBASE_TERMS_OF_SERVICE_URL=" TODO"
8776
88- # Populate these with the resource IDs from above. These values will be of
89- # the format:
90- #
91- # projects/ID/locations/us/keyRings/signing/cryptoKeys/token-signing/cryptoKeyVersions/1Z
92- export TOKEN_SIGNING_KEY="TODO"
93- export CERTIFICATE_SIGNING_KEY="TODO"
94-
95- # Disable local observability
77+ # Disable local observability.
9678 export OBSERVABILITY_EXPORTER=" NOOP"
9779
98- # Configure a CSRF auth key. Create your own with ` ` .
80+ # Configure CSRF for preventing request forgery. Create your own with:
81+ #
82+ # openssl rand -base64 32
83+ #
9984 export CSRF_AUTH_KEY=" RcCNhTkS9tSDMSGcl4UCa1FUg9GmctkJpdI+eqZ+3v4="
10085
10186 # Configure cookie encryption, the first is 64 bytes, the second is 32.
102- # Create your own with `openssl rand -base64 NUM` where NUM is 32 or 64
87+ # Create your own values with:
88+ #
89+ # openssl rand -base64 NUM
90+ #
91+ # where NUM is 32 or 64, respectively.
10392 export COOKIE_KEYS=" ARLaFwAqBGIkm5pLjAveJuahtCnX2NLoAUz2kCZKrScUaUkEaxHSvJLVYb5yAPCc441Cho5n5yp8jdEmy6hyig==,RLjcRZeqc07s6dh3OK4CM1POjHDZHC+usNU1w/XNTjM="
10493
94+ # Configure certificate key management. The CERTIFICATE_SIGNING_KEY should
95+ # be the value output in the previous step.
96+ export CERTIFICATE_KEY_MANAGER=" FILESYSTEM"
97+ export CERTIFICATE_KEY_FILESYSTEM_ROOT=" $( pwd) "
98+ export CERTIFICATE_SIGNING_KEY=" TODO" # (e.g. "/system/certificate-signing/1122334455")
99+
100+ # Configure token key management. The TOKEN_SIGNING_KEY should be the value
101+ # output in the previous step.
102+ export TOKEN_KEY_MANAGER="FILESYSTEM"
103+ export TOKEN_KEY_FILESYSTEM_ROOT="$(pwd)/local"
104+ export TOKEN_SIGNING_KEY="TODO" # (e.g. "/system/token-signing/1122334455")
105+
106+ # Configure the database key manager. The CERTIFICATE_SIGNING_KEYRING and
107+ # DB_ENCRYPTION_KEY should be the values output in the previous step.
108+ export DB_KEY_MANAGER="FILESYSTEM"
109+ export DB_KEY_FILESYSTEM_ROOT="$(pwd)/local"
110+ export CERTIFICATE_SIGNING_KEYRING="TODO" # (e.g. "/realm")
111+ export DB_ENCRYPTION_KEY="TODO" # (e.g. "/system/database-encryption")
112+
105113 # Use an in-memory key manager for encrypting values in the database. Create
106114 # your own encryption key with ` ` .
107115 export KEY_MANAGER=" IN_MEMORY"
108116 export DB_ENCRYPTION_KEY=" O04ZjG4WuoceRd0k2pTqDN0r8omr6sbFL0U3T5b12Lo="
109117
110- # Database HMAC keys - these should be at least 64 bytes, preferably 128
111- # Create your own with `openssl rand -base64 128`.
118+ # Database HMAC keys - these should be at least 64 bytes, preferably 128.
119+ # Create your own with:
120+ #
121+ # openssl rand -base64 128
122+ #
112123 export DB_APIKEY_DATABASE_KEY=" RlV/RBEt0lDeK54r8U9Zi7EDFZid3fiKM2HFgjR9sZGMb+duuQomjGdNKYnzrNyKgeTBcc1V4qVs6fBrN6IFTLbgkp/u52MGhSooAQI4EuZ6JFuyxQBeu54Ia3mihF111BMcCWpHDg2MAh8k8f669plEQaqoQFg3GThP/Lx1OY0="
113124 export DB_APIKEY_SIGNATURE_KEY=" HFeglmupbtv/I2X04OQRl1V7mcvfAXuv8XtmIFYV6aYsPuwQVFtXDlfFrjouYT2Z6kYln7B90RcutHJNjpPDRkyBQ28HtWmid3dr0tpJ1KiiK5NGG7JS9mU8fCvEYklw5RV+1f8qN13nWzHpW8/RQw9rR/vQGy90yL5/aydBuVA="
114125 export DB_VERIFICATION_CODE_DATABASE_KEY=" YEN4+tnuf1DzQPryRzrPVilqT0Q2TO8IIg3C8prvXWGAaoABOWACl79hS40OneuaU8GsQHwhJ13wM2A5ooyOq+uqxCjrqVJZZXPU5xzl/6USEYAp4z2b0ZYrfkx2SRk1o9HfFi1RMqpaBf1TRIbsNOK9hNRG3nS2It49y6mR1ho="
115126
116- # Enable dev mode
127+ # Enable dev mode. Do not enable dev mode or database dev mode in production
128+ # environments.
117129 export DEV_MODE=1
118130 export DB_DEBUG=1
119131 ` ` `
0 commit comments