Descriptors encryption
To enhance security and prevent malicious use of descriptors, they can be received encrypted.
Encrypted descriptors are received in the following format: <encrypted_descriptor><tag><nonce><hash>
encrypted_descriptor - encrypted descriptor
tag - data used for message authentication
nonce - encryption initialization vector
hash - hash sum of the encryption key and algorithm
Configuring encryption
- Encryption can be enabled through the DESCRIPTOR_ENCRYPTION setting.
enabled - whether descriptors encryption is enabled or not.
algorithm - name of the encryption algorithm used.
params - encryption params to specify the encryption key source.
Supported algorithms: aes256-gcm
- Encryption params contain the following fields:
source - name of encryption key source.
key - encryption key or credentials for receiving it
Supported source types: raw, vaultKV
For both raw and vaultKV sources, the key must be a base64-encoded string.
- If you use HashiCorp Vault Key/Value storage as your key source, key must contain the following fields:
url - URL for receiving the encryption key
token - authentication token
{
  "enabled": true,
  "algorithm": "aes256-gcm",
  "params": {
    "source": "vaultKV",
    "key": {
      "url": "https://vault.example.com/v1/secret/data/encryption_key",
      "token": "s.XYZ12345"
    }
  }
}
The contents of vault Key/Value storage are expected to be in the following format:
{ "key": "...", "algorithm": "..." }
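A pre-deployment check for a DESCRIPTOR_ENCRYPTION value and for the Vault secret contents, as an added example that is not the project's own code. The function names are hypothetical; the 32-byte length check follows from the AES-256 key size, and the https check is an extra hardening assumption the page does not state.

```python
import base64
from urllib.parse import urlparse

# The page lists one algorithm; 32 bytes is the AES-256 key size.
KEY_BYTES = {"aes256-gcm": 32}
SOURCES = {"raw", "vaultKV"}

def decode_key(b64_key, algorithm):
    """Decode a base64 key and check its length for the algorithm."""
    if algorithm not in KEY_BYTES:
        raise ValueError(f"unsupported algorithm: {algorithm!r}")
    if not isinstance(b64_key, str):
        raise ValueError("key must be a base64 string")
    try:
        key = base64.b64decode(b64_key, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid base64") from exc
    if len(key) != KEY_BYTES[algorithm]:
        raise ValueError(f"{algorithm} needs {KEY_BYTES[algorithm]} key bytes, got {len(key)}")
    return key

def check_vault_secret(secret):
    """Validate the {"key": ..., "algorithm": ...} contents read from Vault."""
    return decode_key(secret.get("key"), secret.get("algorithm"))

def validate_setting(setting):
    """Return a list of problems found in a DESCRIPTOR_ENCRYPTION value."""
    if not setting.get("enabled"):
        return []  # nothing to check when encryption is off
    problems = []
    algorithm = setting.get("algorithm")
    params = setting.get("params") or {}
    source, key = params.get("source"), params.get("key")
    if algorithm not in KEY_BYTES:
        problems.append(f"unsupported algorithm: {algorithm!r}")
    if source not in SOURCES:
        problems.append(f"unsupported source: {source!r}")
    elif source == "vaultKV":
        key = key if isinstance(key, dict) else {}
        problems += [f"vaultKV key is missing {f!r}" for f in ("url", "token") if not key.get(f)]
        # Assumption, not from the page: the token is sent with the request, so require TLS.
        if key.get("url") and urlparse(key["url"]).scheme != "https":
            problems.append("vault url should use https")
    elif algorithm in KEY_BYTES:  # raw source: the key itself is in the setting
        try:
            decode_key(key, algorithm)
        except ValueError as exc:
            problems.append(str(exc))
    return problems
```

An empty list from `validate_setting` means the setting is structurally sound; it does not confirm that the Vault token is valid or that the key matches the one used by the sender.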