Network Configuration File Encryption - rConfig V8 Security
Config File Encryption: Securing Stored Configurations
Configuration file encryption protects backed-up device configurations at rest by encrypting files as they are stored on the rConfig server’s disk. This security feature addresses regulatory compliance requirements, data protection mandates, and organizational security policies requiring encryption of sensitive network configuration data.
Understanding Config File Encryption
How Encryption Works
rConfig’s encryption system operates transparently within the configuration management workflow:
During Backup: When a device configuration is captured, rConfig encrypts the configuration content before writing it to disk. The encrypted file is stored in the standard directory structure, indistinguishable from unencrypted files except for the encryption flag in the database.
During Access: When a configuration is retrieved for viewing, comparison, or analysis, rConfig automatically decrypts the file content. Users and rConfig features interact with configurations normally—encryption and decryption occur transparently in the background.
Encryption Scope: Only configuration file content is encrypted. Database metadata (device names, timestamps, file paths, version numbers) remains unencrypted to preserve system functionality and search capabilities.
Security Benefits
Data Protection at Rest: Encrypted configurations are unreadable without the encryption key, protecting sensitive data if storage media is compromised, servers are decommissioned without proper data sanitization, or unauthorized physical access occurs.
Compliance Requirements: Many regulatory frameworks (GDPR, HIPAA, PCI-DSS, SOX) mandate encryption of sensitive data at rest. Configuration files containing passwords, SNMP communities, or network topology information often fall under these requirements.
Multi-Tenant Security: In environments where multiple teams or organizations share rConfig infrastructure, encryption provides an additional security layer beyond access controls, ensuring that storage-level access doesn’t bypass application security.
Prerequisites
Before Beginning Encryption
Complete Server Backup: Create a full backup of the rConfig server before initiating encryption. VM-level snapshots provide the fastest recovery option if issues occur during the encryption process.
Verify Disk Space: Encryption operations create temporary files during processing. Ensure available disk space exceeds current configuration storage by at least 50% to accommodate temporary files and avoid mid-process failures.
Schedule Maintenance Window: Encryption processing time scales with configuration count and size. For large deployments (10,000+ configs), schedule a maintenance window allowing several hours for encryption completion.
Document Current State: Record current system status including total configuration count, storage consumption, and backup success rates. This baseline enables verification that encryption completed successfully.
Prepare Key Backup Procedures: Establish secure storage for encryption key backups before generating keys. Multiple geographically distributed backup copies (secured vault, encrypted cloud storage, offline media in safe) are strongly recommended.
Encryption Implementation
Step 1: Access Encryption Manager
Navigate to the rConfig installation directory and launch the encryption management CLI:
cd /var/www/html/rconfig7/current
php artisan rconfig:config-encryption-manager
┌ What action would you like to perform? ──────────────────────┐
│ › ● encrypt                                                  │
│   ○ decrypt                                                  │
│   ○ rotate                                                   │
└──────────────────────────────────────────────────────────────┘
# Select encrypt and press enter
Step 2: Encryption Process Execution
The encryption manager performs the following operations:
- Key Generation: Creates encryption key and updates .env configuration
- Database Flagging: Marks configurations for encryption in the configs table
- File Encryption: Encrypts each configuration file, updating is_encrypted flag upon completion
- Verification: Validates encrypted files are readable before finalizing
Progress Monitoring: The encryption process displays progress for each configuration file. For large deployments, this may take significant time—do not interrupt the process or close the terminal session.
Resumable Process: If the encryption process fails or the CLI session terminates unexpectedly, re-running the command safely resumes encryption. The system only encrypts files where is_encrypted = 0, preventing double-encryption or corruption.
Step 3: Verify Encryption Success
After encryption completes:
- Check completion message: Verify the encryption manager reports successful completion
- Test configuration access: Access several configurations through the rConfig UI to confirm transparent decryption
- Run configuration diff: Compare two encrypted configurations to verify diff functionality
- Review logs: Check storage/logs for any errors or warnings during encryption
Step 4: Backup Encryption Key
Critical: Immediately after encryption, back up the encryption key:
# Encryption key is stored in .env file as APP_KEY
cat /var/www/html/rconfig7/current/.env | grep APP_KEY
# Backup this value to secure storage
# Example: APP_KEY=base64:XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx
Key Backup Locations (store copies in multiple locations):
- Encrypted password manager (1Password, LastPass, Bitwarden)
- Hardware security module (HSM) or key management service (KMS)
- Offline encrypted USB drive in physically secured location
- Printed copy in organizational safe or vault
- Encrypted cloud storage with separate authentication
Do not rely on a single backup copy. Key loss equals permanent data loss.
Decryption Process
When to Decrypt
Decryption reverses the encryption process, returning configuration files to plaintext storage. Common scenarios:
- Encryption no longer required (regulatory requirements changed)
- Migrating to external encryption solution
- Performance optimization (encryption adds minimal but measurable overhead)
- Troubleshooting encryption-related issues
Decryption Steps
cd /var/www/html/rconfig7/current
php artisan rconfig:config-encryption-manager
┌ What action would you like to perform? ──────────────────────┐
│ › ○ encrypt                                                  │
│   ● decrypt                                                  │
│   ○ rotate                                                   │
└──────────────────────────────────────────────────────────────┘
# Select decrypt and press enter
Decryption Process:
- System decrypts each encrypted configuration file
- Updates is_encrypted flag to 0 in database
- Removes encryption from .env configuration
- Verifies decrypted files are accessible
Verification: After decryption, test configuration access, diffs, and search functionality to ensure complete decryption success.
Key Rotation
Planned Key Rotation Capability
When available, key rotation will enable encryption key changes without decrypt/re-encrypt cycles:
cd /var/www/html/rconfig7/current
php artisan rconfig:config-encryption-manager
┌ What action would you like to perform? ──────────────────────┐
│ › ○ encrypt                                                  │
│   ○ decrypt                                                  │
│   ● rotate                                                   │
└──────────────────────────────────────────────────────────────┘
# Select rotate and press enter
Future Rotation Process (when available):
- Generate new encryption key
- Decrypt configurations with old key
- Re-encrypt with new key
- Update .env with new key
- Remove old key from system
Current Workaround: To change encryption keys with current version, decrypt all configurations, change APP_KEY manually, then re-encrypt.
Troubleshooting
“The MAC is Invalid” Error
Symptom: Error message “The MAC is invalid” when accessing encrypted configurations.
Meaning: Message Authentication Code (MAC) validation failed, indicating:
- Encryption key changed or corrupted
- Configuration file corrupted or tampered with
- Decryption attempted with wrong key
Resolution:
- DO NOT modify .env file or attempt fixes
- DO NOT re-run encryption commands
- Restore from backup immediately
- Contact rConfig support with error logs from storage/logs
Prevention: Never manually edit APP_KEY in .env after encryption. Use only the encryption manager CLI for key operations.
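As an added illustration (not rConfig's own code), the Python below mirrors the payload layout and MAC check of Laravel's standard Encrypter, which the APP_KEY format and the error wording suggest is the library underneath rConfig (an assumption here). It shows why a changed APP_KEY and a corrupted file both fail the same MAC check before any decryption is attempted; the keys, IV and ciphertext bytes are constructed stand-ins.

```python
import base64, hashlib, hmac, json

# Constructed keys in .env "base64:..." form (a Laravel AES-256-CBC key is 32
# random bytes); fixed for determinism, NOT real rConfig APP_KEY values.
APP_KEY = "base64:" + base64.b64encode(bytes(range(32))).decode()
OTHER_KEY = "base64:" + base64.b64encode(bytes(range(1, 33))).decode()

def key_bytes(app_key: str) -> bytes:
    """Decode the raw key from an APP_KEY value of the form 'base64:...'."""
    if not app_key.startswith("base64:"):
        raise ValueError("APP_KEY must be base64-prefixed")
    return base64.b64decode(app_key[len("base64:"):])

def make_payload(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Laravel-style payload: base64(JSON{iv, value, mac, tag}) where
    mac = HMAC-SHA256(key, base64(iv) + base64(ciphertext))."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    mac = hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()
    body = json.dumps({"iv": iv_b64, "value": value_b64, "mac": mac, "tag": ""})
    return base64.b64encode(body.encode()).decode()

def mac_is_valid(key: bytes, payload: str) -> bool:
    """Laravel runs this check before any decryption; a failure surfaces as
    'The MAC is invalid' rather than as garbled plaintext."""
    data = json.loads(base64.b64decode(payload))
    expected = hmac.new(key, (data["iv"] + data["value"]).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, data["mac"])

def corrupt_one_char(payload: str) -> str:
    """Simulate corruption/tampering of the stored ciphertext on disk."""
    data = json.loads(base64.b64decode(payload))
    data["value"] = ("B" if data["value"][0] == "A" else "A") + data["value"][1:]
    return base64.b64encode(json.dumps(data).encode()).decode()

def demo() -> dict:
    """Reproduce the three causes the troubleshooting entry lists."""
    key = key_bytes(APP_KEY)
    # Constructed stand-in for AES-256-CBC output; MAC validation does not
    # depend on how these bytes were produced.
    payload = make_payload(key, bytes(16), b"\x5a" * 32)
    return {
        "original_key": mac_is_valid(key, payload),                      # True
        "changed_key": mac_is_valid(key_bytes(OTHER_KEY), payload),      # False
        "corrupted_file": mac_is_valid(key, corrupt_one_char(payload)),  # False
    }
```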
Encryption Process Hangs or Fails
Symptom: Encryption manager stops processing, displays errors, or terminal session disconnects.
Resolution:
- Check available disk space: df -h
- Review logs: tail -f storage/logs/laravel.log
- If sufficient space, safely re-run encryption manager (resumes where stopped)
- If disk full, free space and re-run
Prevention: Ensure adequate disk space (50% buffer above current usage) before starting encryption.
Performance Degradation After Encryption
Symptom: Configuration access, diffs, or backups noticeably slower after enabling encryption.
Expected: Encryption adds minimal overhead (typically < 5% performance impact).
If excessive:
- Verify disk I/O performance hasn’t degraded
- Check system resource usage (CPU, memory)
- Review concurrent backup operations (reduce if necessary)
- Consider hardware upgrades if sustained high encryption throughput needed
Unable to Access Configurations After Encryption
Symptom: Configurations appear in UI but cannot be opened or compared.
Possible causes:
- Encryption process incomplete
- .env file permissions incorrect
- Encryption key not properly set
Resolution:
- Verify APP_KEY exists in .env: grep APP_KEY /var/www/html/rconfig7/current/.env
- Check file permissions: ls -la /var/www/html/rconfig7/current/.env
- Review encryption completion in logs
- If all else fails, restore from backup
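As an added example (not part of rConfig), this Python pre-flight check covers the verifications from Step 4 and this troubleshooting entry: that APP_KEY is present in .env, carries the base64: prefix and the 32-byte length Laravel uses for AES-256-CBC, and that .env is not world-readable; the key fingerprint lets you confirm a backed-up copy matches without printing the key. The sample .env contents are constructed.

```python
import base64, hashlib, os, re, stat, tempfile

# Constructed .env contents; the key is a fixed, non-secret 32-byte value,
# not a real rConfig APP_KEY.
SAMPLE_ENV = ("APP_NAME=rConfig\nAPP_KEY=base64:"
              + base64.b64encode(b"\x01" * 32).decode() + "\nAPP_DEBUG=false\n")

def read_app_key(env_text: str):
    """Return the APP_KEY value from .env text, or None when absent."""
    m = re.search(r"^APP_KEY=(\S+)\s*$", env_text, re.MULTILINE)
    return m.group(1) if m else None

def check_app_key(value) -> list:
    """Laravel AES-256-CBC key format: 'base64:' prefix, 32 decoded bytes."""
    if value is None:
        return ["APP_KEY missing from .env"]
    if not value.startswith("base64:"):
        return ["APP_KEY is not base64-prefixed"]
    try:
        raw = base64.b64decode(value[len("base64:"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["APP_KEY is not valid base64"]
    if len(raw) != 32:
        return [f"APP_KEY decodes to {len(raw)} bytes, expected 32 for AES-256-CBC"]
    return []

def key_fingerprint(value: str) -> str:
    """Short SHA-256 of the APP_KEY value: record it with the backup docs."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def check_env_permissions(path: str) -> list:
    """Flag a .env that is world-readable (the web server user still needs it)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f".env mode {oct(mode)} is world-readable"] if mode & stat.S_IROTH else []

def preflight(path: str) -> list:
    """Run every check against a .env file; an empty list means all passed."""
    with open(path) as f:
        value = read_app_key(f.read())
    return check_app_key(value) + check_env_permissions(path)

def demo() -> list:
    """Write the constructed .env to a temp file (mkstemp uses mode 600) and check it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_ENV)
    try:
        return preflight(path)
    finally:
        os.remove(path)
```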
Best Practices
Key Management
Multiple Backup Copies: Store encryption key in at least three physically separate, secure locations. Single point of failure for key storage creates single point of failure for all encrypted data.
Access Control: Limit encryption key access to essential personnel only. Document who has access and audit access regularly.
Key Documentation: Document key backup locations, access procedures, and recovery processes. Store documentation separately from keys themselves.
Operational Procedures
Test Restoration: Periodically test backup restoration and key recovery procedures. Untested backups are not backups.
Monitor Encryption Status: Track which configurations are encrypted (is_encrypted flag) and verify new backups encrypt correctly.
Change Control: Treat encryption operations (enable, disable, rotate) as high-risk changes requiring formal change control approval and rollback plans.
Compliance Documentation
Audit Trail: Maintain records of when encryption was enabled, who performed the operation, and verification of successful completion.
Key Lifecycle: Document key generation date, rotation schedule (when available), and key retirement procedures.
Access Logs: Monitor and log access to encryption keys and encrypted configuration files for compliance auditing.
Related Documentation
- Configuration Backup Implementation - Understanding backup operations
- Configuration Security Best Practices - Comprehensive security guidance
- Disaster Recovery Procedures - Backup and restoration processes
Quick Reference
Enable Encryption
cd /var/www/html/rconfig7/current
php artisan rconfig:config-encryption-manager
# Select: encrypt
Backup Encryption Key
cat /var/www/html/rconfig7/current/.env | grep APP_KEY
# Securely store the APP_KEY value
Decrypt Configurations
cd /var/www/html/rconfig7/current
php artisan rconfig:config-encryption-manager
# Select: decrypt
Critical Reminders
- ⚠️ Always backup server before encryption
- 🔑 Store encryption key in multiple secure locations
- 🚫 Never manually edit APP_KEY after encryption
- 📋 Test restoration procedures regularly
- 🆘 Contact support immediately if “MAC is invalid” errors