Skip to main content
Version: 7.4

Device File Encryption

NetObserv SNMP supports user friendly and secure device file encryption using sops and AGE.

Getting Started

Environmental Dependencies

  1. Ensure sops is installed in your local environment:

    # Change sops-v3.8.1.linux.amd64 if needed based on your environment
    curl -LO https://github.com/getsops/sops/releases/download/v3.8.1/sops-v3.8.1.linux.amd64
    sudo mv sops-v3.8.1.linux.amd64 /usr/local/bin/sops
    sops --version # to verify install
  2. Also ensure age is installed in your local environment to edit via CLI:

    apt install age # Debian based linux
    brew install age # macos
    age --version # to verify install

SNMP Device Encryption Configuration Settings

Please visit Device File Encryption Settings to learn more.

Setup

The easiest and most recommended way to get started is to simply set the following as below:

EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_ENABLE=true
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_CREATE=true
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_TYPE="sops"
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_PASSWORD="YourPassword"
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_PRIVATE_KEY_FILE_PATH="/etc/elastiflow/snmp/.age/key.age"
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_PUBLIC_KEY_FILE_PATH="/etc/elastiflow/snmp/.age/public-age-keys.txt"

The following behavior will occur when the SNMP collector is next restarted:

  1. Generate password protected age keys at the configured file paths.

  2. Encrypt device configuration .yaml files using those keys.

Once successfully encrypted with sops, the following device configuration file:

example1:
ip: 192.0.2.1
port: 161
poll_interval: 60
timeout: 3000
retries: 2
exponential_timeout: false
version: 2c
communities:
- public
device_groups:
- cisco_c1000
example2:
ip: 192.0.2.2
port: 161
poll_interval: 60
timeout: 3000
retries: 2
exponential_timeout: false
version: 3
v3_credentials:
- username: elastiflow
authentication_protocol: sha
authentication_passphrase: efauthpassword
privacy_protocol: des
privacy_passphrase: efprivpassword
device_groups:
- cisco_c1000

will look like this:

example1:
ip: ENC[AES256_GCM,data:gpjHnCJA1nrz,iv:2lYG8FRUkx71aRoFHaEVcnt/6xbZPXzwuvWZTPwkFfo=,tag:SHmLptFdH3W08cmz42cTGQ==,type:str]
port: ENC[AES256_GCM,data:Qj4t,iv:CuWtdUOnCUnWASps/8S4pt7oALlOJkaLLnqgu3IOagU=,tag:ieulT2ZnV3JeatzKTggQ6Q==,type:int]
poll_interval: ENC[AES256_GCM,data:L2I=,iv:rAUV9i3BWCHIOh+/YrkYAhkeVyBAhvA5ZPFQTA29maY=,tag:VqhjZnn5wOtiBUpxiZRHiA==,type:int]
timeout: ENC[AES256_GCM,data:90Vgiw==,iv:qNxs1ixW8Fk8hkZwqDegZD2j+TdGxUxTvuoZtnIT7Zs=,tag:JMKKLmKcjob5sNfwxw8Ohg==,type:int]
retries: ENC[AES256_GCM,data:pg==,iv:ntHpk0LQ4EEJXxrYMyVgc18/8rJpZeu5zb9TwxrDVns=,tag:jbSzyKgIaH8pZCi9vhpcRw==,type:int]
exponential_timeout: ENC[AES256_GCM,data:70ObBtA=,iv:a7/hLZdXrYqkT3Ttqp7fZVj07IepGYj22WPYYxKubfA=,tag:jZWy+yh51M9XSJ2+IAg7uQ==,type:bool]
version: ENC[AES256_GCM,data:dtM=,iv:Z3CUC9LL7nScQzyGTHdz0ekCJ5EOKUz0H2LWU+E9np0=,tag:WH5zbMQNE0DORcVVC/Ue2A==,type:str]
communities:
- ENC[AES256_GCM,data:66KS7TMJ,iv:1d78b98arCfjEAIWJBl21sHmrVZBF078yoPp8hREizs=,tag:IYA+3w4+i/lG5aIEbWDz/w==,type:str]
device_groups:
- ENC[AES256_GCM,data:S58lX6Cy0Z+AhLA=,iv:SH8KJ1w6d4tHpSVm1PqJ/4XrVhUo6hZWFhGCMQVAJbg=,tag:q5Lsuvfv/mgv/fwX1ezlIA==,type:str]
example2:
ip: ENC[AES256_GCM,data:WBH+84Cw2Zr8,iv:wdXcIaqrvTPscE50IhJh+JNHBKhhxAqlAR8oSBh0edg=,tag:dsUAIcVGLbm9oIj2XQMoPA==,type:str]
port: ENC[AES256_GCM,data:OWMD,iv:bTRT7fufGSYjY+5hMgCOR73bypq113INIPAa5srQAzk=,tag:/0iO86Ky4WxLCFHPpfEqLg==,type:int]
poll_interval: ENC[AES256_GCM,data:WGQ=,iv:Yo06+WSNM3FVsxNq4D1DuMwzw33Z3Wkb+jaejl1fFlc=,tag:UgdkI7WTdRvYmlH+RwYAcg==,type:int]
timeout: ENC[AES256_GCM,data:8aodzQ==,iv:GC5cVU8ogqdV3wqVGudQL8kiw6vTwDRgPKOsfzZaMHs=,tag:P8pGX+BCrhQja+ggcCzdPA==,type:int]
retries: ENC[AES256_GCM,data:Sg==,iv:6R/UTJ/UxDwOoYIwxdaNSMb8FsLdEHOvhCVPxXucr5w=,tag:ZHT31wPKwIoHQsnFueZsTA==,type:int]
exponential_timeout: ENC[AES256_GCM,data:MAWJFDo=,iv:ajyXshSJN6ppJs16/8VZ49sOsd0LGrIbX/tdFDrFhdw=,tag:Z+oKJiMHywhzMEFyoW5rVw==,type:bool]
version: ENC[AES256_GCM,data:nQ==,iv:whZat6BvmokGSuc99ZEWSCHY/f7hrEgbTXWPeYO7tUA=,tag:rPrEPendlnj6KX4cXSpsgg==,type:int]
v3_credentials:
- username: ENC[AES256_GCM,data:U3C33op0xlVI9w==,iv:TBe9m5WLcbJJA3xFeZGsBnfmYde3LqQ+XPrwKVObfxM=,tag:Vk6taTCEG5HUhsrR0xdAEg==,type:str]
authentication_protocol: ENC[AES256_GCM,data:svZM,iv:aKP8V1z1MZpytsqTFnMXEmIEdD10WOrQSYv0Jy5gl24=,tag:TcPJoustC+4jgCN/46gOwg==,type:str]
authentication_passphrase: ENC[AES256_GCM,data:50joswMhZyQLIav1jsM=,iv:Fk5UWMmb2yXl7cH0VW314qdyTAHGMXcWXYCAmK/OWLY=,tag:mX672yhoXFAv0jL1xAfyHw==,type:str]
privacy_protocol: ENC[AES256_GCM,data:lXm0,iv:CVfu7stiua+8t6GqJJ9xeShwpkWb5n3ivwVZOHNqyMs=,tag:E4lnqh9xw19C/yxivypciQ==,type:str]
privacy_passphrase: ENC[AES256_GCM,data:P39UX0UKK8kesM23Yug=,iv:CCh4x6Tp2vbkRfPqQ/cXyG99uHGbKaR1W6mBvNnDTBQ=,tag:nCE9XfaIWNiFhYSGeObqpw==,type:str]
device_groups:
- ENC[AES256_GCM,data:ayAD/+D3+Et71x0=,iv:r9HuTYYKPhPeNClUpJDvB71MJ1H7AvrFGamSKTbOwJw=,tag:h++ge/puz/KajkqJibjLNQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1l209t8c77xaysqjy5usjzknv4fzgcj4x65gjwnvrgx0chlrk6c6qna9r9d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUEx4cUVrK0ZRMkdBUHJi
UzlOUUx1R3BCL3lRTmgvSXQ2N2ZDQk1TemcwCkk1clBnRGV0cmFXYWNnMlZGUFEz
akttUlR1VmgzL2taWUdJMzgwZzBBaDAKLS0tIGR6K1dtRVZMTnhJbGVPdVhNMXRD
QkJPZG5ISlVZclRIYmQ5Y2U4UnVnYUUKlX+RKl/l+p4Banls4tIBcdi3N0XFNxVd
g42uDbAxdy8rfBc4elKlkv4C8ruC6xh3/yBZyHeBceqjqWxkOSTVyA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-11T02:16:28Z"
mac: ENC[AES256_GCM,data:8ictB7la+azEBuLwotnHp4gEZjLb8bTEkDfyaFOmKOb2+AVxDhQ7kNvoBUrJ59ZqPB4xxveFHmCF1El1mYWMEonFuHsde9HZzgpeGNu2dlONonmjOlGlrisfcIivYCAGn+bD9DaGzkP/YMO/zjdJaCgwf+6WkxrviV29IAPoAG8=,iv:tAtcC+dMzSOFbc1EA++Q4GTDmPfjnVaWZdetkPkyhzw=,tag:gy1dLA4usoMMjnBjDlhsaQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

Editing Encrypted Files

It is important to note that encrypted files should not be manually edited outside of the sops CLI editor.

To securely edit device configuration files, please use sops via the CLI:

  • Non-password protected key:

    SOPS_AGE_RECIPIENTS=$(</etc/elastiflow/snmp/.age/public-age-keys.txt) \
    SOPS_AGE_KEY_FILE=/etc/elastiflow/snmp/.age/key.age \
    sops device.yaml
  • Password protected key:

    SOPS_AGE_RECIPIENTS=$(</etc/elastiflow/snmp/.age/public-age-keys.txt) \
    SOPS_AGE_KEY=$(age -d /etc/elastiflow/snmp/.age/key.age) sops device.yaml

These commands will decrypt the file in memory and open with a text editor of your choice. By default, the editor used will be vim: sops editor vim

  • Using nano instead of vim:

    EDITOR=nano \
    SOPS_AGE_RECIPIENTS=$(</etc/elastiflow/snmp/.age/public-age-keys.txt) \
    SOPS_AGE_KEY=$(age -d /etc/elastiflow/snmp/.age/key.age) sops device.yaml

Once changes are made, save and exit to update the encrypted file stored on the disk drive.