-
Notifications
You must be signed in to change notification settings - Fork 108
/
bbs-encryption-keys.html.md.erb
110 lines (87 loc) · 3.22 KB
/
bbs-encryption-keys.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
---
title: Bulletin Board System (BBS) data store encryption
owner: Diego
---
You must configure Diego Release with a set of encryption keys to encrypt data in the BBS data store. Learn how to configure and
rotate encryption keys.
The BBS Data Store encrypts all stored data. Diego automatically encrypts or re-encrypts all of the stored data using the active key on
boot. This ensures you can rotate out a key without manually rewriting all of the records.
## <a id="configuring-keys"></a> Configuring encryption keys
Diego uses multiple keys for decryption while allowing only one for encryption.
To configure encryption, set the `diego.bbs.encryption_keys` and `diego.bbs.active_key_label` properties.
Replace the placeholders in the following manifest with values appropriate for your deployment.
```yaml
properties:
diego:
bbs:
active_key_label: KEY-LABEL-NAME
encryption_keys:
- label: 'KEY-LABEL-NAME'
passphrase: 'MY-PASSPHRASE'
```
In the following example, you configure two encryption keys and select one of them to be the active key. The active key is
used for encryption while all configured keys are used for decryption.
```yaml
properties:
diego:
bbs:
active_key_label: key-2017-10
encryption_keys:
- label: 'key-2017-10'
passphrase: 'my september passphrase'
- label: 'key-2017-09'
passphrase: 'my august passphrase'
```
### Key label restrictions
Key labels have the following restrictions:
* 127 character limit
* Must not include a `:` (colon) character
Passphrases have no enforced character limit.
## <a id="rotating-keys"></a> Rotating encryption keys
You can rotate encryption keys without downtime by following a two-deployment procedure.
All the records are re-encrypted with the new active key, using the old key for only decryption.
After the decryption is successful, you can remove the old key.
The following example rotates `key-2017-09` to `key-2017-10`.
Given the following starting manifest, use this procedure to rotate your encryption keys:
<pre>
<code>
properties:
diego:
bbs:
active\_key\_label: key-2017-09
encryption_keys:
- label: 'key-2017-09'
passphrase: 'my september passphrase'
</code>
</pre>
1. Add the new encryption key `key-2017-10` and set it as the active key.
<pre>
<code>
properties:
diego:
bbs:
active\_key\_label: key-2017-10
encryption_keys:
- label: 'key-2017-09'
passphrase: 'my september passphrase'
- label: 'key-2017-10'
passphrase: 'my october passphrase'
</code>
</pre>
1. Redeploy Diego release.
1. If the first deployment is successful, update the manifest to remove the old key `key-2017-09`.
<pre>
<code>
properties:
diego:
bbs:
active\_key\_label: key-2017-10
encryption_keys:
- label: 'key-2017-10'
passphrase: 'my october passphrase'
</code>
</pre>
1. Redeploy the Diego release.
After the second deployment is complete, the encryption keys are rotated.
You must complete the second deployment to remove the old key. If not removed, you can continue to
decrypt information from the BBS data store using the old key.