You must configure Diego Release with a set of encryption keys to encrypt data in the BBS data store. Learn how to configure and rotate encryption keys.
The BBS Data Store encrypts all stored data. Diego automatically encrypts or re-encrypts all of the stored data using the active key on boot. This ensures you can rotate out a key without manually rewriting all of the records.
Diego uses multiple keys for decryption while allowing only one for encryption.
To configure encryption, set the `diego.bbs.encryption_keys` and `diego.bbs.active_key_label` properties.
Replace the placeholders in the following manifest with values appropriate for your deployment.

```yaml
properties:
  diego:
    bbs:
      active_key_label: KEY-LABEL-NAME
      encryption_keys:
        - label: 'KEY-LABEL-NAME'
          passphrase: 'MY-PASSPHRASE'
```
In the following example, you configure two encryption keys and select one of them to be the active key. The active key is used for encryption while all configured keys are used for decryption.
```yaml
properties:
  diego:
    bbs:
      active_key_label: key-2017-10
      encryption_keys:
        - label: 'key-2017-10'
          passphrase: 'my september passphrase'
        - label: 'key-2017-09'
          passphrase: 'my august passphrase'
```
Key labels have the following restriction: they must not contain the `:` (colon) character. Passphrases have no enforced character limit.
You can rotate encryption keys without downtime by following a two-deployment procedure. In the first deployment, all records are re-encrypted with the new active key while the old key is kept for decryption only. Once that re-encryption has succeeded, you can remove the old key in the second deployment.

The following example rotates `key-2017-09` to `key-2017-10`.
Given the following starting manifest, use this procedure to rotate your encryption keys:

```yaml
properties:
  diego:
    bbs:
      active_key_label: key-2017-09
      encryption_keys:
        - label: 'key-2017-09'
          passphrase: 'my september passphrase'
```

First, add the new key `key-2017-10` and set it as the active key:

```yaml
properties:
  diego:
    bbs:
      active_key_label: key-2017-10
      encryption_keys:
        - label: 'key-2017-09'
          passphrase: 'my september passphrase'
        - label: 'key-2017-10'
          passphrase: 'my october passphrase'
```

Redeploy Diego Release.
If the first deployment is successful, update the manifest to remove the old key `key-2017-09`:

```yaml
properties:
  diego:
    bbs:
      active_key_label: key-2017-10
      encryption_keys:
        - label: 'key-2017-10'
          passphrase: 'my october passphrase'
```

Redeploy Diego Release. After this second deployment is complete, the encryption keys are rotated.

You must complete the second deployment to remove the old key. Until it is removed, the old key can still decrypt information in the BBS data store.
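As an added example (not Diego's own code), the following Go model shows the behaviour the manifests above configure: any key listed in `encryption_keys` can decrypt, only the `active_key_label` key encrypts, and a boot-time pass rewrites each record under the active key so the old key can be dropped in the second deployment. The key derivation (SHA-256 of the passphrase), the `label:nonce||ciphertext` record layout and the names `KeySet`, `NewKey`, `Encrypt`, `Decrypt` and `ReEncrypt` are assumptions of this example, not Diego's implementation.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)

const nonceSize = 12 // standard AES-GCM nonce length
// NewKey derives an AES-256-GCM key as SHA-256(passphrase): an assumption of this example, not Diego's derivation.
func NewKey(passphrase string) cipher.AEAD {
	sum := sha256.Sum256([]byte(passphrase))
	block, _ := aes.NewCipher(sum[:]) // 32-byte key, AES block size: neither call can fail
	aead, _ := cipher.NewGCM(block)
	return aead
}
// KeySet mirrors encryption_keys (all configured keys by label); active_key_label is passed per call.
type KeySet map[string]cipher.AEAD
// Encrypt writes "<label>:<nonce><ciphertext>" (a simplified record format assumed here).
// The label is split off at the first ':', which is why labels must not contain one.
func (s KeySet) Encrypt(active string, plaintext []byte) ([]byte, error) {
	aead, ok := s[active]
	if !ok || strings.Contains(active, ":") {
		return nil, errors.New("active key label is not configured or contains ':'")
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(active+":"), aead.Seal(nonce, nonce, plaintext, nil)...), nil
}
// Decrypt works for a record written under any key still in the set; it fails once that key is removed.
func (s KeySet) Decrypt(record []byte) ([]byte, error) {
	label, rest, ok := strings.Cut(string(record), ":")
	aead := s[label]
	if !ok || aead == nil || len(rest) < nonceSize {
		return nil, errors.New("no configured key for record label " + label)
	}
	return aead.Open(nil, []byte(rest[:nonceSize]), []byte(rest[nonceSize:]), nil)
}
// ReEncrypt is the boot-time step: decrypt with whichever key wrote the record, rewrite under the active key.
func (s KeySet) ReEncrypt(active string, record []byte) ([]byte, error) {
	pt, err := s.Decrypt(record)
	if err != nil {
		return nil, err
	}
	return s.Encrypt(active, pt)
}
```

Removing a key before the records written under it have been re-encrypted leaves those records unreadable, which is why the rotation takes two deployments.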