Version: 7.14

Config File Encryption

danger

This feature is not yet released

Configuring the NetObserv collectors to encrypt their config files.

Overview

All collectors can be configured to securely encrypt their config files using industry standard AGE encryption.

NetObserv Flow, NetObserv SNMP, and NetObserv SNMP Trap use the below environment variables to configure the encryption of the config file.

Encryption is not enabled by default. If you enable it, the remaining settings default so that a new key pair is created (or read, if one already exists), the private key is stored unencrypted, and the config file is encrypted in place.

So if you're happy with the defaults, your NetObserv Flow command line may only need to add EF_CONFIG_ENCRYPT_ENABLE=true to enable encryption:

EF_CONFIG_ENCRYPT_ENABLE=true \
flowcoll --config=/etc/elastiflow/flowcoll/flowcoll.yml

If encryption is enabled, the Azure vnet config file will also be encrypted in place, using the same key.

The public and private key files can be shared between collectors and functions; for example, you can use the same keys for SNMP device file encryption and for SNMP trap credential encryption.

If you configure config file encryption, you will need to use the same encryption settings when you generate a support bundle. If your config file is under the --support-bundle-config-dir tree, it is decrypted in the support bundle, so treat the bundle as containing your plaintext configuration.

caution

Unlike other collector configuration options, which can be specified either in the environment or in a config file, the settings below must be specified in the environment only, because they govern the encryption of the config file itself.

danger

Just as with any encryption, the private key and its password must be kept secure. If you lose either of them, you will not be able to decrypt the config file.

Please make sure you have a copy of the private key (and of its password, if you set one), and we recommend that you also keep a plaintext (unencrypted) copy of the config file in a secure location.

EF_CONFIG_ENCRYPT_ENABLE

Specifies whether the config file will be encrypted.

  • Valid Values
    • true, false
  • Default
    • false

EF_CONFIG_ENCRYPT_CREATE

If config file encryption is enabled (EF_CONFIG_ENCRYPT_ENABLE is true), this setting specifies that a public/private key pair will be created automatically if one does not already exist, stored at the file paths configured below. If the key files already exist (e.g., you created your own keys and encrypted the config file yourself, or on subsequent runs of NetObserv Flow), this setting has no effect; they will not be regenerated or overwritten.

  • Valid Values
    • true, false
  • Default
    • true

EF_CONFIG_ENCRYPT_TYPE

If config file encryption is enabled (EF_CONFIG_ENCRYPT_ENABLE is true), this setting specifies which encryption manager to use. The two options are sops and standard. sops encrypts the configuration values and comments of the configuration file while leaving the file structure intact. standard encrypts the entire configuration file using AGE encryption.

  • Valid Values
    • sops, standard
  • Default
    • standard

caution

The below directories (/etc/elastiflow/flowcoll/.age, et al) must already exist. NetObserv Flow will not create them for you.

EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH

Sets the filepath location of the private key file. If used in conjunction with EF_CONFIG_ENCRYPT_CREATE, then the private key used in the keystore will be generated at this location.

  • The default depends on the product being used:
    • /etc/elastiflow/flowcoll/.age/key.age
    • or /etc/elastiflow/snmpcoll/.age/key.age
    • or /etc/elastiflow/trapcoll/.age/key.age

EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH

Sets the filepath location of the public key file. If used in conjunction with EF_CONFIG_ENCRYPT_CREATE, then the public key used in the keystore will be generated at this location.

  • The default depends on the product being used:
    • /etc/elastiflow/flowcoll/.age/public-age-keys.txt
    • or /etc/elastiflow/snmpcoll/.age/public-age-keys.txt
    • or /etc/elastiflow/trapcoll/.age/public-age-keys.txt

EF_CONFIG_ENCRYPT_PASSWORD

The file specified in EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH can itself be encrypted for added security. (This is similar to using a passphrase on your SSH private key.) If used in conjunction with EF_CONFIG_ENCRYPT_CREATE, the keystore will be configured with a password-protected private key, and the same password must be provided both to decrypt the file and to run NetObserv Flow (et al).

  • Default
    • none

EF_CONFIG_ENCRYPT_PUBLIC_KEY

This setting can be used in place of EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH to directly specify the public key. It cannot be used in conjunction with EF_CONFIG_ENCRYPT_CREATE; since EF_CONFIG_ENCRYPT_CREATE defaults to true, set it to false explicitly when you use this setting.

  • Default
    • none
  • Example
    • age164x50zgnmcesqglr25vr9ypje7lx3tkad4vwavcjpuh083lug9tqku8s74
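As an added example (not ElastiFlow's own code), the following Python preflight script checks an environment mapping against the rules this page states for the EF_CONFIG_ENCRYPT_* variables before a collector is started: EF_CONFIG_ENCRYPT_PUBLIC_KEY conflicting with the default EF_CONFIG_ENCRYPT_CREATE=true, the .age directories that must already exist, the private key that must already exist when creation is disabled, and the unencrypted private key you get without EF_CONFIG_ENCRYPT_PASSWORD. The file-permission warning, the structural check of the age1... recipient string, and the scenario paths under a temporary directory are assumptions of this example rather than collector behaviour; the recipient string it uses is the page's own example value.

```python
"""Preflight for the EF_CONFIG_ENCRYPT_* settings. Added example, not
ElastiFlow code: it encodes the rules stated on this page plus a
file-permission recommendation that is this example's own."""
import os
import stat
import tempfile

# Default key directories per product, as documented on this page.
PRODUCT_DIRS = {
    "flowcoll": "/etc/elastiflow/flowcoll/.age",
    "snmpcoll": "/etc/elastiflow/snmpcoll/.age",
    "trapcoll": "/etc/elastiflow/trapcoll/.age",
}
# Alphabet of bech32, the encoding age uses for recipient strings.
BECH32_CHARSET = frozenset("qpzry9x8gf2tvdw0s3jn54khce6mua7l")
# The page's example value for EF_CONFIG_ENCRYPT_PUBLIC_KEY.
EXAMPLE_RECIPIENT = "age164x50zgnmcesqglr25vr9ypje7lx3tkad4vwavcjpuh083lug9tqku8s74"


def parse_bool(value, default):
    """Only 'true'/'false' are valid; anything else is a typo worth failing on."""
    if value is None:
        return default
    v = value.strip().lower()
    if v not in ("true", "false"):
        raise ValueError(f"expected true or false, got {value!r}")
    return v == "true"


def looks_like_age_recipient(key):
    """Structural check only: 'age1' plus 58 bech32 characters (62 total).
    The bech32 checksum is left to age, which verifies it when loading the key."""
    return key.startswith("age1") and len(key) == 62 and set(key[4:]) <= BECH32_CHARSET


def preflight(env, product="flowcoll"):
    """Return a list of (severity, message); an empty list means safe to start."""
    findings = []
    if not parse_bool(env.get("EF_CONFIG_ENCRYPT_ENABLE"), False):
        return findings  # encryption off: the other settings are not consulted
    create = parse_bool(env.get("EF_CONFIG_ENCRYPT_CREATE"), True)
    enc_type = env.get("EF_CONFIG_ENCRYPT_TYPE", "standard")
    if enc_type not in ("sops", "standard"):
        findings.append(("error", f"EF_CONFIG_ENCRYPT_TYPE must be sops or standard, not {enc_type!r}"))

    base = PRODUCT_DIRS[product]
    priv = env.get("EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH", f"{base}/key.age")
    pub_file = env.get("EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH", f"{base}/public-age-keys.txt")
    pub_inline = env.get("EF_CONFIG_ENCRYPT_PUBLIC_KEY")

    if pub_inline is not None:
        # CREATE defaults to true, so an inline public key needs CREATE=false explicitly.
        if create:
            findings.append(("error", "EF_CONFIG_ENCRYPT_PUBLIC_KEY cannot be combined with EF_CONFIG_ENCRYPT_CREATE=true"))
        if not looks_like_age_recipient(pub_inline):
            findings.append(("error", "EF_CONFIG_ENCRYPT_PUBLIC_KEY is not an age1... recipient string"))

    # The collector will not create the .age directories for you.
    key_paths = (priv,) if pub_inline is not None else (priv, pub_file)
    for path in key_paths:
        directory = os.path.dirname(path)
        if not os.path.isdir(directory):
            findings.append(("error", f"key directory {directory} does not exist; create it first"))

    if os.path.exists(priv):
        mode = stat.S_IMODE(os.stat(priv).st_mode)
        if mode & 0o077:  # recommendation of this example: private key readable by owner only
            findings.append(("warning", f"{priv} is group/world readable (mode {mode:04o}); chmod 600 it"))
    elif not create:
        findings.append(("error", f"EF_CONFIG_ENCRYPT_CREATE=false but {priv} is missing; nothing could decrypt the config"))

    if not env.get("EF_CONFIG_ENCRYPT_PASSWORD"):
        findings.append(("info", "no EF_CONFIG_ENCRYPT_PASSWORD: the private key is stored unencrypted on disk"))
    return findings


def demo():
    """Constructed scenarios under a temporary directory (not the real
    /etc/elastiflow paths). Returns scenario name -> list of severities."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        age_dir = os.path.join(tmp, ".age")
        os.mkdir(age_dir)
        priv = os.path.join(age_dir, "key.age")
        common = {
            "EF_CONFIG_ENCRYPT_ENABLE": "true",
            "EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH": priv,
            "EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH": os.path.join(age_dir, "public-age-keys.txt"),
        }
        # Fresh install with defaults: keys will be created, private key unencrypted.
        out["defaults"] = preflight(common)
        # Private key path points into a directory that was never created.
        out["missing_dir"] = preflight(dict(common, EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH=os.path.join(tmp, "nope", "key.age")))
        # Existing key (placeholder content) left world-readable.
        with open(priv, "w") as fh:
            fh.write("# constructed placeholder, not a real age identity\n")
        os.chmod(priv, 0o644)
        out["loose_perms"] = preflight(common)
        # Same key locked down and protected with a password: clean run.
        os.chmod(priv, 0o600)
        out["tight_perms"] = preflight(dict(common, EF_CONFIG_ENCRYPT_PASSWORD="example-only"))
        # Inline public key while CREATE is still at its default of true.
        out["inline_key_with_create"] = preflight(dict(common, EF_CONFIG_ENCRYPT_PUBLIC_KEY=EXAMPLE_RECIPIENT))
    return {name: [sev for sev, _ in findings] for name, findings in out.items()}
```

Run preflight(dict(os.environ)) in the same environment you will hand to flowcoll (or the SNMP collectors, with product set accordingly) and refuse to start the collector on any error-level finding. The info finding is deliberate: without EF_CONFIG_ENCRYPT_PASSWORD, whoever can read key.age can decrypt the config file, which is why the file-permission warning is paired with it.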