Configuring encryption support for domain and resource property storage

You can now configure encryption in bpocore to store domain and resource properties in encrypted form within the database. This helps to protect against credential disclosure in backup snapshots stored off-site. This feature is also known as encryption-at-rest. Only the system administrator can configure this capability.

The following caveats exist:

  • Differences against a resource property are not stored in encrypted form, so if an RA or service plan reports an observed value that differs from the configured value, or if the user patches the resource to change an obfuscated property, the observed value shows up in the differences as clear text.

  • You cannot mix the obfuscate access modifier with the full-text access modifier.

  • The obfuscate access modifier applies to strings only. The system ignores it on boolean, number, and integer properties. It is supported for a string within an object. It is also supported for an array of strings; in this case, the obfuscate access modifier is specified at the array level.

  • Encryption is not retroactive. If you upgrade Blue Planet Orchestration, you must rotate all passwords you wish to encrypt on disk. You must invalidate the old passwords since they are present in backup snapshots in plain text.

  • If the encryption key is lost, any encrypted, obfuscated data is also lost. Reads of the lost fields return an empty string.

To configure encryption support before you deploy the Orchestration solution:

  1. Create the key file /etc/bp2/bpocore/private/keys, owned and readable only by root:

    # mkdir /etc/bp2/bpocore/private
    # chmod 700 /etc/bp2/bpocore/private
    # python2.7
    >>> import os, base64
    >>> key = base64.urlsafe_b64encode(open('/dev/urandom', 'rb').read(32))
    >>> os.umask(0o077)
    >>> open('/etc/bp2/bpocore/private/keys', 'w').write(key)
    >>> exit()

  2. If this is a multi-host Blue Planet site, synchronize this key to the other hosts:

    # bp2-site sync-site-config

  3. Back up this key file in a secure location. It is not included in backup snapshots generated by the Blue Planet platform. Data is lost if the key is not available when restoring a backup snapshot.

You can now start or restart the Orchestrate solution.
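Before starting the solution, the key file from step 1 can be checked for the properties the procedure relies on. The following Python 3 script is an added example, not part of the Blue Planet documentation or product: it creates a key in the same format without a window of loose permissions, and audits an existing file for owner, mode, and decoded key length. The function names and the assumption that the file holds a single key are illustrative.

```python
import base64
import binascii
import os
import stat

KEY_PATH = "/etc/bp2/bpocore/private/keys"  # path from step 1 of the procedure
KEY_BYTES = 32  # step 1 reads 32 bytes from /dev/urandom


def create_key_file(path):
    """Write a new key in the step 1 format; refuses to overwrite an existing key."""
    key = base64.urlsafe_b64encode(os.urandom(KEY_BYTES))
    # O_EXCL fails if the file already exists; mode 0o600 is applied at creation,
    # and the process umask can only remove bits from it, never add them.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)


def audit_key_file(path, expected_uid=0):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    try:
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
    except OSError as exc:
        return ["cannot stat key file: %s" % exc.strerror]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file)"]
    if st.st_uid != expected_uid:
        findings.append("owner uid is %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other permission bits set: %o" % stat.S_IMODE(st.st_mode))
    try:
        with open(path, "rb") as fh:
            # Assumption: the file holds one key, as written in step 1.
            raw = base64.urlsafe_b64decode(fh.read().strip())
    except (OSError, binascii.Error, ValueError) as exc:
        return findings + ["cannot read or decode key: %s" % exc]
    if len(raw) != KEY_BYTES:
        findings.append("key decodes to %d bytes, expected %d" % (len(raw), KEY_BYTES))
    return findings


if __name__ == "__main__":
    for finding in audit_key_file(KEY_PATH) or ["key file OK"]:
        print(finding)
```

Run the audit as root on each host after `bp2-site sync-site-config` to confirm the synchronized copy kept its ownership and mode.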
