The SGC supports decryption of secrets, such as SNMP USM user passphrases. Secrets can therefore be supplied in an encrypted form, and the SGC decrypts them as needed at runtime.
Note: Secrets may still be supplied in plaintext, and the SGC does not automatically migrate them to encrypted form. If you require a secret to be encrypted, you must supply it in the encrypted form.
The SGC supports runtime rotation of the decryption key.
Using decryption in a new cluster
To use decryption in a new cluster:
1. Generate an RSA key pair and store the public and private keys safely.
2. Before starting the SGCs, copy the private key to each node and place it in the $SGC_HOME/config/secrets/ directory.
3. After starting the SGC, use the display-info-secrets CLI command to verify that the expected secrets have been loaded.
4. Supply secrets in the form secret:<encoded_secret> when configuring the SGC. See Formatting secrets for more information on formatting secrets.
Note: The SGC supports using multiple decryption keys, so you can have more than one key in the $SGC_HOME/config/secrets/ directory.
Using decryption in an existing cluster
Decryption can be enabled on a running cluster, for example, following an upgrade, as follows:
1. Verify that all nodes in the cluster have been updated to a version that supports secrets decryption.
2. Generate an RSA key pair, and store both the private and public keys safely.
3. On every node in the cluster:
   a. Copy the private key to $SGC_HOME/config/secrets/<your_new_key_name>.pem.
   b. Use the SGC CLI to reload the keys:
      reload-secrets
   c. Use the display-info-secrets CLI command to verify that the expected secrets have been loaded.
4. On only one node in the cluster, use the CLI to update all configuration that uses secrets to use the new encrypted values. For example:
   modify-usm-user: oname=my_user, authPassPhrase=secret:newBase64EncodedEncryptedPassword
   See Formatting secrets for how to format secrets.
Rotating the decryption key
To rotate the decryption key(s):
1. Generate a new RSA key pair and store both the private and public keys safely.
2. Regenerate the base64 encoded encrypted secrets using the new public key.
3. On every node in the cluster:
   a. Copy the new private key to $SGC_HOME/config/secrets/<your_new_key_name>.pem. Do not remove or overwrite the existing private key at this point.
   b. Use the SGC CLI to reload the private keys:
      reload-secrets
      The SGC will now be running with both the old and new keys.
   c. Use the display-info-secrets CLI command to verify that the expected secrets have been loaded.
4. On only one node, use the CLI to update all configuration that uses secrets to use the new encrypted values. For example:
   modify-usm-user: oname=my_user, authPassPhrase=secret:newBase64EncodedEncryptedPassword
5. Wait 30s for the configuration to propagate to all nodes in the cluster.
6. Then, on every node in the cluster:
   a. Remove the old private key from the $SGC_HOME/config/secrets/ directory. For example:
      rm $SGC_HOME/config/secrets/<your_old_key_name>.pem
      Do this only once every secret has been re-encrypted under the new key: a secret still encrypted under the removed key can no longer be decrypted.
   b. Use the SGC CLI to reload the private keys:
      reload-secrets
   c. Use the display-info-secrets CLI command to verify that the expected secrets have been loaded.
How to generate an RSA keypair
Generate a private key:
openssl genrsa -out private_key.pem 2048
Then extract the public key from it:
openssl rsa -in private_key.pem -pubout -out public_key.pem
The private key is what the SGC uses to decrypt secrets, so protect the file accordingly: generate it under a restrictive umask (for example umask 077) or chmod 600 it afterwards, and copy it to the nodes only over a protected channel. The public key is not sensitive and can be given to anyone who needs to encrypt secrets.
Formatting secrets
Secrets must be supplied to the SGC in the correct form:
secret:<base64EncodedEncryptedSecret>
The general process to create a base 64 encoded encrypted secret is:
1. Encrypt the secret using the RSA public key
2. Base64 encode the encrypted secret
3. Prefix the base 64 encoded encrypted secret with secret:
This can be performed in a single command using the openssl and base64 command line applications:
echo "secret:$(echo -n '<secret>' | openssl pkeyutl -encrypt -pubin -inkey <public_key.pem> | base64 -w 0)"
Replace <secret> with the secret to be encrypted, and <public_key.pem> with the path to the RSA public key.
Two details of this command matter. openssl pkeyutl -encrypt uses RSA PKCS#1 v1.5 padding by default, which limits the plaintext to the key size in bytes minus 11 (245 bytes for a 2048-bit key); openssl reports an error for anything longer. base64 -w 0 is a GNU coreutils option that disables line wrapping; the encoded value must be a single line, so on systems whose base64 lacks -w use its equivalent.
For example, to encrypt abcd1234 using the RSA public key stored in mykey.pem:
me@mypc:~/testing/secrets/public$ echo "secret:$(echo -n 'abcd1234' | openssl pkeyutl -encrypt -pubin -inkey mykey.pem | base64 -w 0)"
secret:OlRmd69+gIou+Mj91+X2nx8qageiyeaizBtRMyPBKEWKWH1564PVRg7fHr+HDnUVfhjNgiBiF3xzbQ4Tdt1B0DBfU19fw3Zpwwz+faCiNJjfAh4lf+4lGcny7sVQxJdD41aDglHxrFSI6xFkACjEiG1E4qamX7HgTbWyRYNnZYmyHBuOZY0b28nZbUJHShmQtTbw/YlZNhpou2vqh6ChYAKO5KPoHK4BeWp0oJt6mfAghdzmGIIwe4YqEWesZyCxVf8nu3l4UaquMJ44FQbUcwuwu2vuCxD4eJljfhRUGvJb+ybvEQeyq1wMHifdixQ90E4Dc1ljeZ0ayZGdjDcElA==
Because the padding includes random bytes, the encoded value differs every time the command is run; any value produced for a given plaintext and key is valid.
Note: Prefixing the command with a space keeps it (and the password) out of the shell history only if the shell is configured for that: in bash, HISTCONTROL must include ignorespace (or ignoreboth); in zsh, the HIST_IGNORE_SPACE option must be set. Check the setting before relying on it.
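The documented openssl command, the check a practitioner wants before pasting a value into modify-usm-user, and rotation step 2 (regenerating the encrypted secrets under the new public key), as an added shell example that is not part of the SGC documentation. It assumes nothing about the SGC beyond what the page states: values are produced with the same openssl pkeyutl pipeline (RSA PKCS#1 v1.5 padding, openssl's default), and the SGC CLI steps are unchanged. The helper names gen_keypair, format_secret, decrypt_secret and reencrypt_secret are this example's own, and the decrypt check only proves that a value round-trips with the private key you will deploy, not that the SGC has loaded it.

```shell
#!/bin/sh
# Added example, not part of the SGC documentation: produce a
# "secret:<base64EncodedEncryptedSecret>" value, check that it decrypts with
# the private key that will be deployed, and re-encrypt it for key rotation.
# Same openssl pipeline as the documented command (RSA PKCS#1 v1.5 via
# pkeyutl); "openssl base64 -A" stands in for GNU "base64 -w 0" so the script
# also runs on BSD/macOS. It never talks to the SGC itself.
set -eu

# gen_keypair <private.pem> <public.pem>
# Generate under a restrictive umask so the private key is created 0600.
gen_keypair() {
  (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
  openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# format_secret <public.pem> <plaintext>
# Print "secret:<base64>". PKCS#1 v1.5 caps the plaintext at (key bytes - 11),
# 245 bytes for a 2048-bit key; refuse longer input with a clear message.
format_secret() {
  pub=$1; plaintext=$2
  bits=$(openssl pkey -pubin -in "$pub" -noout -text \
         | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p')
  [ -n "$bits" ] || { echo "format_secret: cannot read key size from $pub" >&2; return 1; }
  max=$((bits / 8 - 11))
  if [ $(( $(printf '%s' "$plaintext" | wc -c) )) -gt "$max" ]; then
    echo "format_secret: plaintext exceeds $max bytes for a ${bits}-bit key" >&2
    return 1
  fi
  enc=$(printf '%s' "$plaintext" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        | openssl base64 -A)
  [ -n "$enc" ] || { echo "format_secret: encryption failed" >&2; return 1; }
  printf 'secret:%s\n' "$enc"
}

# decrypt_secret <private.pem> <secret:...>
# Reverse the encoding: strip the prefix, base64-decode, RSA-decrypt. The
# plaintext goes to stdout without a trailing newline. Use it to check a value
# before pasting it into modify-usm-user, and after rotation to confirm the
# new value decrypts with the new key.
decrypt_secret() {
  case $2 in
    secret:*) ;;
    *) echo "decrypt_secret: value does not start with 'secret:'" >&2; return 1 ;;
  esac
  printf '%s' "${2#secret:}" | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$1"
}

# reencrypt_secret <old_private.pem> <new_public.pem> <secret:...>
# Rotation step 2: recover the plaintext with the currently deployed key and
# encrypt it under the new public key. The plaintext lives only in a variable
# of this process. $(...) drops trailing newlines, harmless for passphrases.
reencrypt_secret() {
  plaintext=$(decrypt_secret "$1" "$3") || return 1
  format_secret "$2" "$plaintext"
}

# Walk-through with throwaway keys: format, check, rotate, check again.
# Run as: sh secrets.sh demo
demo() {
  dir=$(mktemp -d)
  gen_keypair "$dir/old.pem" "$dir/old.pub"
  gen_keypair "$dir/new.pem" "$dir/new.pub"
  v1=$(format_secret "$dir/old.pub" 'abcd1234')
  echo "current:  $v1"
  printf 'decrypts: '; decrypt_secret "$dir/old.pem" "$v1"; echo
  v2=$(reencrypt_secret "$dir/old.pem" "$dir/new.pub" "$v1")
  echo "rotated:  $v2"
  printf 'decrypts: '; decrypt_secret "$dir/new.pem" "$v2"; echo
  rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh secrets.sh demo to see a secret formatted, checked, and re-encrypted under a second key pair. In practice, call format_secret with the public half of the key pair whose private key sits in $SGC_HOME/config/secrets/, and run decrypt_secret with that private key before pasting the value into modify-usm-user; during rotation, feed each existing value through reencrypt_secret with the old private key and the new public key to produce the replacement values for step 4.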