rConfig - Config File Encryption

2 mins V7 Pro

Config file encryption is a feature that allows you to encrypt the contents of your configuration files as they are store on the Disk of rConfig Servers. This is useful when you need to store sensitive config information, for regulatory and other security requirements.

⚠ WARNING: This is a hazardous operation

This is a hazardous operation and should be done with caution. If you lose the encryption key, you will not be able to decrypt the configuration files. It is strongly recommended to backup the encryption key in a secure location, as this is the only key that will be able to decrypt your data. And also, backup the server before performing this operation.

Pre-requisites

Please ensure you have a backup of your rConfig server before proceeding with this operation. VM level snapshots are highly recommended as they allow for fast recovery in case of any issues while performing this operation.

Steps to Encrypt Configuration Files

1. Encrypt the configuration files

The file encryption process will update the .env file, encrypt all the configuration files in the rConfig system, as they are downloaded, and will decrypt them as they are retrieved. The feature cannot load files that are not already encrypted.

So, we will run a script to encrypt all the configuration files in the system. This script will also updated a feature flag in the configs table and set the is_encrypted column to 1 for all the configuration files. That’s useful to know which files are encrypted and which are not, because if the script fails, or the CLI session terminates, you can run the script again and it will only encrypt the files that are not already encrypted.

cd /var/www/html/rconfig7/current
php artisan rconfig:config-encryption-manager

┌ What action would you like to perform? ──────────────────────┐
│ › ● encrypt                                                  │
│   ○ decrypt                                                  │
│   ○ rotate                                                   │
└──────────────────────────────────────────────────────────────┘

 # Select encrypt and press enter

Once this task is complete, you will see a message indicating that the encryption process is complete. All rConfig features will now be able to work with encrypted configuration files.

3. Decrypt the configuration files

If you need to decrypt the configuration files, to reverse the above process, you can run the following command:

cd /var/www/html/rconfig7/current
php artisan rconfig:config-encryption-manager

┌ What action would you like to perform? ──────────────────────┐
│ › ○ encrypt                                                  │
│   ● decrypt                                                  │
│   ○ rotate                                                   │
└──────────────────────────────────────────────────────────────┘

 # Select decrypt and press enter

4. Rotate the encryption key

NOTE: Key Rotation is under development and will be available in the next release.

If you need to rotate the encryption key, you can run the following command:

cd /var/www/html/rconfig7/current
php artisan rconfig:config-encryption-manager

┌ What action would you like to perform? ──────────────────────┐
│ › ○ encrypt                                                  │
│   ○ decrypt                                                  │
│   ● rotate                                                   │
└──────────────────────────────────────────────────────────────┘

 # Select rotate and press enter

Tip

If there are any issues with the encryption process, you can check the logs in the storage/logs directory for more information. If you have any issues with the encryption process please do not make changes to the system, .env or any other settings. Examples of issues are The MAC is Invalid

You can restore the backup of the server if needed. And also, you can contact rConfig support for assistance.