Descriptors encryption

To prevent malicious use of descriptors stolen from the API or the database, the descriptor encryption feature can be enabled.

Note that all descriptors must have the same encryption hash (same encryption algorithm and encryption key) before the service starts; otherwise the service will throw a corresponding error.

Configuring encryption

Encryption can be enabled through the DESCRIPTOR_ENCRYPTION setting, which has the following fields:
  • enabled - whether descriptors encryption is enabled or not.

  • algorithm - name of the encryption algorithm used.

  • params - encryption params to specify the encryption key source.

Supported algorithms: aes256-gcm

Encryption params contain the following fields:
  • source - name of encryption key source.

  • key - the encryption key, or the credentials for retrieving it.

Supported source types: raw, vaultKV

For both the raw and vaultKV sources, the key must be a base64-encoded string.

If you use HashiCorp Vault Key/Value storage as your key source, the key parameter must contain the following fields:
  • url - URL from which the encryption key is retrieved

  • token - authentication token

    {
        "enabled": true,
        "algorithm": "aes256-gcm",
        "params": {
            "source": "vaultKV",
            "key": {
                "url": "https://vault.example.com/v1/secret/data/encryption_key",
                "token": "s.XYZ12345"
            }
        }
    }
    

The contents of the Vault Key/Value storage are expected to be in the following format:

    {
        "key": "...",
        "algorithm": "..."
    }
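
A pre-start check for the DESCRIPTOR_ENCRYPTION setting and for the object stored in Vault, as an added example (not the service's own code). The function names are hypothetical; it assumes the decoded key must be exactly 32 bytes, the AES-256 key size, and it treats a non-HTTPS Vault URL as a problem because the token is sent to that URL.

```python
import base64
import binascii

ALGORITHMS = {"aes256-gcm"}   # supported algorithms listed on this page
KEY_BYTES = 32                # AES-256 key size; assumed to be what the service requires

def check_b64_key(value):
    """Return problems with a base64-encoded AES-256 key."""
    if not isinstance(value, str):
        return ["key must be a base64 string"]
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["key is not valid base64"]
    if len(raw) != KEY_BYTES:
        return [f"key decodes to {len(raw)} bytes, expected {KEY_BYTES}"]
    return []

def validate_setting(cfg):
    """Return problems found in a DESCRIPTOR_ENCRYPTION setting."""
    if not cfg.get("enabled"):
        return []  # encryption disabled, nothing else to check
    problems = []
    if cfg.get("algorithm") not in ALGORITHMS:
        problems.append(f"unsupported algorithm: {cfg.get('algorithm')!r}")
    params = cfg.get("params") or {}
    source, key = params.get("source"), params.get("key")
    if source == "raw":
        problems += check_b64_key(key)
    elif source == "vaultKV":
        if not isinstance(key, dict):
            return problems + ["vaultKV key must be an object with url and token"]
        problems += [f"vaultKV key is missing {f!r}" for f in ("url", "token") if not key.get(f)]
        if key.get("url") and not str(key["url"]).startswith("https://"):
            problems.append("vault url is not https, the token would travel unencrypted")
    else:
        problems.append(f"unsupported source: {source!r}")
    return problems

def validate_vault_payload(payload):
    """Check the object stored in Vault: {"key": ..., "algorithm": ...}."""
    problems = check_b64_key(payload.get("key"))
    if payload.get("algorithm") not in ALGORITHMS:
        problems.append(f"unsupported algorithm: {payload.get('algorithm')!r}")
    return problems

# Constructed sample: all-zero key for illustration only, never use it in production.
SAMPLE_RAW = {"enabled": True, "algorithm": "aes256-gcm",
              "params": {"source": "raw", "key": base64.b64encode(bytes(32)).decode()}}
```

An empty list from either function means the checks passed; the vaultKV branch validates only the shape of the credentials and does not contact Vault.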