rConfig - Config File Encryption
Config file encryption is a feature that allows you to encrypt the contents of your Configuratoin files as they are store on the Disk of rConfig Servers. This is useful when you need to store sensitive config information, for regulatory and other secuerity requirements.
Pre-requisites
Please ensure you have a backup of your rConfig server before proceeding with this operation. VM level snapshots are highly recommended as they allow for fast recovery in case of any issues while performing this operation.
Steps to Encrypt Configuration Files
1. Add new encryption flag to .env
Add the following line to your .env file. You will note the presence of the APP_KEY at the top of the .env file. This is the encryption key used
to encrypt and decrypt the configuration files.
vi /var/www/html/rconfig7/current/.envFILE_ENCRYPTION_ENABLED=false
# set to true to enable file encryptionFILE_ENCRYPTION_ENABLED=true#save and exit2. Encrypt the configuration files
Now that you have enabled the encryption flag, you must encrypt the existing configuration files. The file encryption process will encrypt all the configuration files in the rConfig system, as they are downloaded, and will decrypt them as they are retrived. The feature cannot load files that are not already encrypted.
So, we will run a script to encrypt all the configuration files in the system. This script will also updated a feature flag in the configs table
and set the is_encrypted column to 1 for all the configuration files. That’s usful to know which files are encrypted and which are not, becuase
if the script fails, or the CLI session terminates, you can run the script again and it will only encrypt the files that are not already encrypted.
cd /var/www/html/rconfig7/currentphp artisan rconfig:config-encryption-manager
┌ What action would you like to perform? ──────────────────────┐│ › ● encrypt ││ ○ decrypt ││ ○ rotate │└──────────────────────────────────────────────────────────────┘
# Select encrypt and press enterOnce this task is complete, you will see a message indicating that the encryption process is complete. All rConfig features will now be able to work with encrypted configuration files.
3. Decrypt the configuration files
If you need to decrypt the configuration files, to reverse the above process, you can run the following command:
cd /var/www/html/rconfig7/currentphp artisan rconfig:config-encryption-manager
┌ What action would you like to perform? ──────────────────────┐│ › ○ encrypt ││ ● decrypt ││ ○ rotate │└──────────────────────────────────────────────────────────────┘
# Select decrypt and press enter4. Rotate the encryption key
NOTE: Key Rotation is under development and will be available in the next release.
If you need to rotate the encryption key, you can run the following command:
cd /var/www/html/rconfig7/currentphp artisan rconfig:config-encryption-manager
┌ What action would you like to perform? ──────────────────────┐│ › ○ encrypt ││ ○ decrypt ││ ● rotate │└──────────────────────────────────────────────────────────────┘
# Select rotate and press enter