sourcenetwork · nasdf · Jun 27, 2024 · Jun 26, 2024 · Jun 26, 2024 · Jun 26, 2024
diff --git a/cli/keyring.go b/cli/keyring.go
@@ -19,7 +19,21 @@ func MakeKeyringCommand() *cobra.Command {
 		Use:   "keyring",
 		Short: "Manage DefraDB private keys",
 		Long: `Manage DefraDB private keys.
-Generate, import, and export private keys.`,
+Generate, import, and export private keys.
+
+The following keys are loaded from the keyring on start:
+	peer-key: Ed25519 private key (required)
+	encryption-key: AES-128, AES-192, or AES-256 key (optional)
+
+To randomly generate the required keys, run the following command:
+	defradb keyring generate
+
+To import externally generated keys, run the following command:
+	defradb keyring import <name> <private-key-hex>
+
+To learn more about the available options:
+	defradb keyring --help
+`,
 	}
 	return cmd
 }
diff --git a/cli/keyring_generate.go b/cli/keyring_generate.go
@@ -17,12 +17,14 @@
 )
 
 func MakeKeyringGenerateCommand() *cobra.Command {
-	var noEncryption bool
+	var noEncryptionKey bool
+	var noPeerKey bool
 	var cmd = &cobra.Command{
 		Use:   "generate",
 		Short: "Generate private keys",
 		Long: `Generate private keys.
 Randomly generate and store private keys in the keyring.
+By default peer and encryption keys will be generated.
 
 WARNING: This will overwrite existing keys in the keyring.
 
@@ -32,15 +34,17 @@
 Example: with no encryption key
   defradb keyring generate --no-encryption-key
 
+Example: with no peer key
+  defradb keyring generate --no-peer-key
+
 Example: with system keyring
   defradb keyring generate --keyring-backend system`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			keyring, err := openKeyring(cmd)
 			if err != nil {
 				return err
 			}
-			if !noEncryption {
-				// generate optional encryption key
+			if !noEncryptionKey {
 				encryptionKey, err := crypto.GenerateAES256()
 				if err != nil {
 					return err
@@ -49,15 +53,25 @@
 				if err != nil {
 					return err
 				}
+				log.Info("generated encryption key")
 			}
-			peerKey, err := crypto.GenerateEd25519()
-			if err != nil {
-				return err
+			if !noPeerKey {
+				peerKey, err := crypto.GenerateEd25519()
+				if err != nil {
+					return err
+				}
+				err = keyring.Set(peerKeyName, peerKey)
+				if err != nil {
+					return err
+				}
+				log.Info("generated peer key")
 			}
-			return keyring.Set(peerKeyName, peerKey)
+			return nil
 		},
 	}
-	cmd.Flags().BoolVar(&noEncryption, "no-encryption-key", false,
-		"Skip generating an encryption. Encryption at rest will be disabled")
+	cmd.Flags().BoolVar(&noEncryptionKey, "no-encryption-key", false,
+		"Skip generating an encryption key. Encryption at rest will be disabled")
+	cmd.Flags().BoolVar(&noPeerKey, "no-peer-key", false,
+		"Skip generating a peer key.")
 	return cmd
 }
diff --git a/cli/keyring_generate_test.go b/cli/keyring_generate_test.go
@@ -50,3 +50,19 @@ func TestKeyringGenerateNoEncryptionKey(t *testing.T) {
 	assert.NoFileExists(t, filepath.Join(rootdir, "keys", encryptionKeyName))
 	assert.FileExists(t, filepath.Join(rootdir, "keys", peerKeyName))
 }
+
+func TestKeyringGenerateNoPeerKey(t *testing.T) {
+	rootdir := t.TempDir()
+	readPassword = func(_ *cobra.Command, _ string) ([]byte, error) {
+		return []byte("secret"), nil
+	}
+
+	cmd := NewDefraCommand()
+	cmd.SetArgs([]string{"keyring", "generate", "--no-peer-key", "--rootdir", rootdir})
+
+	err := cmd.Execute()
+	require.NoError(t, err)
+
+	assert.FileExists(t, filepath.Join(rootdir, "keys", encryptionKeyName))
+	assert.NoFileExists(t, filepath.Join(rootdir, "keys", peerKeyName))
+}
diff --git a/cli/utils.go b/cli/utils.go
@@ -181,9 +181,13 @@
 // openKeyring opens the keyring for the current environment.
 func openKeyring(cmd *cobra.Command) (keyring.Keyring, error) {
 	cfg := mustGetContextConfig(cmd)
-	if cfg.Get("keyring.backend") == "system" {
+	backend := cfg.Get("keyring.backend")
+	if backend == "system" {
 		return keyring.OpenSystemKeyring(cfg.GetString("keyring.namespace")), nil
 	}
+	if backend != "file" {
+		log.Info("keyring defaulted to file backend")
+	}
 	path := cfg.GetString("keyring.path")
 	if err := os.MkdirAll(path, 0755); err != nil {
 		return nil, err

diff --git a/docs/website/references/cli/defradb_keyring.md b/docs/website/references/cli/defradb_keyring.md
@@ -7,6 +7,20 @@ Manage DefraDB private keys
 Manage DefraDB private keys.
 Generate, import, and export private keys.
 
+The following keys are loaded from the keyring on start:
+	peer-key: Ed25519 private key (required)
+	encryption-key: AES-128, AES-192, or AES-256 key (optional)
+
+To randomly generate the required keys, run the following command:
+	defradb keyring generate
+
+To import externally generated keys, run the following command:
+	defradb keyring import <name> <private-key-hex>
+
+To learn more about the available options:
+	defradb keyring --help
+
+
 ### Options
 
 ```

diff --git a/docs/website/references/cli/defradb_keyring_generate.md b/docs/website/references/cli/defradb_keyring_generate.md
@@ -6,6 +6,7 @@ Generate private keys
 
 Generate private keys.
 Randomly generate and store private keys in the keyring.
+By default peer and encryption keys will be generated.
 
 WARNING: This will overwrite existing keys in the keyring.
 
@@ -15,6 +16,9 @@ Example:
 Example: with no encryption key
   defradb keyring generate --no-encryption-key
 
+Example: with no peer key
+  defradb keyring generate --no-peer-key
+
 Example: with system keyring
   defradb keyring generate --keyring-backend system
 
@@ -26,7 +30,8 @@ defradb keyring generate [flags]
 
 ```
   -h, --help                help for generate
-      --no-encryption-key   Skip generating an encryption. Encryption at rest will be disabled
+      --no-encryption-key   Skip generating an encryption key. Encryption at rest will be disabled
+      --no-peer-key         Skip generating a peer key.
 ```
 
 ### Options inherited from parent commands