Locally encrypted secret files
By default, T-Vault integration is disabled, and qAPI uses a locally stored, AES-encrypted zip file to store the secret files with database credentials. To create it, you will need software that can zip and encrypt files, such as 7-Zip.
Start by making a new folder whose name matches the query config file. (This mimics the safe name in T-Vault.)
Example: If there is a query config file named 'teamA.json', a folder named 'teamA' should be made. In this folder, create one txt file for each environment you want to use. (This mimics the folders within safes in T-Vault.)
Example: If you want to have a database for dev and one for prod, make 2 txt files in this folder, 'dev.txt' and 'prod.txt'.
In each txt file, you can enter your database credentials needed for connection. Below are the fields that should be entered, depending on the database.
For Oracle and SQLServer, user and password are the values used to access the database, and url is the JDBC URL used in connections, with the 'jdbc:' part removed from the beginning.
oracle_user=
oracle_password=
oracle_url=
sqlserver_user=
sqlserver_password=
sqlserver_url=
For Cassandra, user and password are the values used to access the database. Host is the database host URL, and keyspace is the Cassandra keyspace.
cassandra_user= //database username
cassandra_password= //database password
cassandra_host= //cassandra host
cassandra_keyspace= //cassandra keyspace
After this is done, select all the folders you made and zip them with AES encryption.
Example when using 7-Zip: You have two folders named 'teamA' and 'teamB'. Select both of them, then right click -> 7-Zip -> Add to archive. Save the zip as 'secrets', select zip as the archive format, and on the lower right side type in a password for your encryption. Make sure to select AES-256 as the encryption method, NOT ZipCrypto. You can now place the encrypted secrets file in your resources folder. Finally, pass the password you selected in your application.yml configuration, under application -> secretManagement -> encryptionPassword.
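To confirm that every credentials file in the archive is protected with AES-256 and not ZipCrypto before it goes into the resources folder, the ZIP headers can be inspected without the password. The Python check below is an added example, not part of qAPI; the script name and function names are illustrative, and it assumes the WinZip-AES header layout (method 99, extra field 0x9901) that 7-Zip writes for AES-encrypted zip archives.

```python
import struct
import sys
import zipfile

AES_METHOD = 99        # "compression method" value that marks a WinZip-AES entry
AES_EXTRA_ID = 0x9901  # extra-field record holding the AES parameters
STRENGTH_BITS = {1: 128, 2: 192, 3: 256}


def entry_encryption(info):
    """Classify one member as 'none', 'ZipCrypto' or 'AES-<bits>'."""
    if not info.flag_bits & 0x1:       # general-purpose flag bit 0 = encrypted
        return "none"
    if info.compress_type != AES_METHOD:
        return "ZipCrypto"             # encrypted, but with the legacy cipher
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):       # walk the (id, size, data) records
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == AES_EXTRA_ID and size >= 7 and pos + 4 + size <= len(extra):
            strength = extra[pos + 8]  # follows 2-byte version and vendor "AE"
            return "AES-%s" % STRENGTH_BITS.get(strength, "unknown")
        pos += 4 + size
    return "AES-unknown"


def audit_secrets_zip(path):
    """Return {member: finding} for every file entry that is not AES-256."""
    problems = {}
    with zipfile.ZipFile(path) as archive:   # reads headers only, no password
        for info in archive.infolist():
            if info.is_dir():                # 'teamA/' style entries hold no data
                continue
            kind = entry_encryption(info)
            if kind != "AES-256":
                problems[info.filename] = kind
    return problems


if __name__ == "__main__":  # usage: python audit_zip.py secrets.zip
    findings = {}
    for archive_path in sys.argv[1:]:
        findings.update(audit_secrets_zip(archive_path))
    for name, kind in sorted(findings.items()):
        print("%s: %s (expected AES-256)" % (name, kind))
    sys.exit(1 if findings else 0)
```

An empty result and exit status 0 mean every file entry reports AES-256; any listed entry should be re-archived with the correct encryption method.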