--encryption key-file=value. The key size must be 16, 24, or 32 bytes long, and the key size determines the corresponding block size for AES encryption (AES-128, AES-192, and AES-256, respectively).

You can use the following command to create the encryption key file (set count to the desired key size):

    LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | dd bs=1 count=32 of=enc_key_file

To view the key, use cat enc_key_file.
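As an added example (not from the Dgraph documentation), the recipe above wrapped in two small shell functions: one writes a key file of the requested size with owner-only permissions, the other checks that the file is exactly 16, 24 or 32 bytes and reports which AES variant it selects. The check matters because a key saved from an editor often carries a trailing newline and ends up one byte too long; function names and the 0600 permission are this example's assumptions.

```shell
#!/bin/sh
# Added example: generate and validate a Dgraph Alpha encryption key file.

# gen_enc_key FILE BYTES: write BYTES random alphanumeric bytes to FILE.
# Uses the page's tr/dd recipe; umask 077 keeps the file readable by the
# owner only (assumption: that is the permission you want on a key file).
gen_enc_key() {
  _file="$1"; _size="$2"
  ( umask 077
    LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom \
      | dd bs=1 count="$_size" of="$_file" 2>/dev/null )
}

# aes_variant_of FILE: print AES-128, AES-192 or AES-256 for a key file of
# 16, 24 or 32 bytes; print an error and return 1 for any other size,
# which is what an Alpha would reject at startup.
aes_variant_of() {
  _file="$1"
  [ -f "$_file" ] || { echo "no such key file: $_file" >&2; return 1; }
  _n=$(wc -c < "$_file" | tr -d ' ')
  case "$_n" in
    16) echo AES-128 ;;
    24) echo AES-192 ;;
    32) echo AES-256 ;;
    *)  echo "bad key size: $_n bytes (need 16, 24 or 32)" >&2; return 1 ;;
  esac
}
```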
--vault superflag's options to enable encryption, as explained below.

--encryption key-file option to each of the Alphas.
Once an Alpha has encryption enabled, the encryption key must be provided in order to start the Alpha server. If the Alpha server restarts, the --encryption key-file option must be set along with the key to restart successfully.
http://fqdn[ip]:port.

secret/data/dgraph/alpha:
role_id generated from the previous step, create a corresponding secret_id, and copy the role_id and secret_id over to local files, such as ./dgraph/vault/role_id and ./dgraph/vault/secret_id, for use by the Dgraph Alpha nodes.
enc-field option can be defined using enc-format with the values base64 (default) or raw.

--encryption key-file flag or the --vault superflag with appropriate superflag options to each of the Dgraph Alpha nodes.
After an Alpha node has encryption enabled, you must provide the encryption key to start the Alpha server. If the Alpha server restarts, the --encryption key-file or the --vault superflag's options must be set along with the key to restart successfully.
--encryption key-file option (or the one stored in the Vault KV store) doesn't change automatically. The master encryption key encrypts the underlying data keys, which are changed automatically on a regular basis (more about this is covered in the encryption-at-rest blog post).
Changing the existing key to a new one is called key rotation. You can rotate the master encryption key by using the badger rotate command on both the p and w directories for each Alpha. To maintain availability in HA cluster configurations, rotate the key one Alpha at a time in a rolling manner.

You'll need both the current key and the new key in two different files. Specify the directory you are rotating (p or w) with the --dir flag, the old key with the --old-key-path flag, and the new key with the --new-key-path flag.
new_enc_key_file key file to use the new key.