Skip to main content
Version: 7.4

Device File Encryption

NetObserv SNMP supports user friendly and secure device file encryption using sops and AGE.

Getting Started

Environmental Dependencies

  1. Ensure sops is installed in your local environment:

    # Change sops-v3.8.1.linux.amd64 if needed based on your environment
    curl -LO https://github.com/getsops/sops/releases/download/v3.8.1/sops-v3.8.1.linux.amd64
    sudo mv sops-v3.8.1.linux.amd64 /usr/local/bin/sops
    sops --version # to verify install

  2. Also ensure age is installed in your local environment to edit via CLI:

    apt install age # Debian based linux
    brew install age # macos
    age --version # to verify install

SNMP Device Encryption Configuration Settings

Please visit Device File Encryption Settings to learn more.

Setup

The easiest and most recommended way to get started is to simply set the following as below:

EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_ENABLE=true
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_CREATE=true
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_TYPE="sops"
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_PASSWORD="YourPassword"
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_PRIVATE_KEY_FILE_PATH="/etc/elastiflow/snmp/.age/key.age"
EF_INPUT_SNMP_DEVICE_DEFINITIONS_SECURE_STORE_PUBLIC_KEY_FILE_PATH="/etc/elastiflow/snmp/.age/public-age-keys.txt"

The following behavior will occur when the SNMP collector is next restarted:

  1. Generate password protected age keys at the configured file paths.

  2. Encrypt device configuration .yaml files using those keys.

Once successfully encrypted with sops, the following device configuration file:

example1:
    ip: 192.0.2.1
    port: 161
    poll_interval: 60
    timeout: 3000
    retries: 2
    exponential_timeout: false
    version: 2c
    communities:
        - public
    device_groups:
        - cisco_c1000
example2:
    ip: 192.0.2.2
    port: 161
    poll_interval: 60
    timeout: 3000
    retries: 2
    exponential_timeout: false
    version: 3
    v3_credentials:
        - username: elastiflow
          authentication_protocol: sha
          authentication_passphrase: efauthpassword
          privacy_protocol: des
          privacy_passphrase: efprivpassword
    device_groups:
        - cisco_c1000

will look like this:

example1:
    ip: ENC[AES256_GCM,data:gpjHnCJA1nrz,iv:2lYG8FRUkx71aRoFHaEVcnt/6xbZPXzwuvWZTPwkFfo=,tag:SHmLptFdH3W08cmz42cTGQ==,type:str]
    port: ENC[AES256_GCM,data:Qj4t,iv:CuWtdUOnCUnWASps/8S4pt7oALlOJkaLLnqgu3IOagU=,tag:ieulT2ZnV3JeatzKTggQ6Q==,type:int]
    poll_interval: ENC[AES256_GCM,data:L2I=,iv:rAUV9i3BWCHIOh+/YrkYAhkeVyBAhvA5ZPFQTA29maY=,tag:VqhjZnn5wOtiBUpxiZRHiA==,type:int]
    timeout: ENC[AES256_GCM,data:90Vgiw==,iv:qNxs1ixW8Fk8hkZwqDegZD2j+TdGxUxTvuoZtnIT7Zs=,tag:JMKKLmKcjob5sNfwxw8Ohg==,type:int]
    retries: ENC[AES256_GCM,data:pg==,iv:ntHpk0LQ4EEJXxrYMyVgc18/8rJpZeu5zb9TwxrDVns=,tag:jbSzyKgIaH8pZCi9vhpcRw==,type:int]
    exponential_timeout: ENC[AES256_GCM,data:70ObBtA=,iv:a7/hLZdXrYqkT3Ttqp7fZVj07IepGYj22WPYYxKubfA=,tag:jZWy+yh51M9XSJ2+IAg7uQ==,type:bool]
    version: ENC[AES256_GCM,data:dtM=,iv:Z3CUC9LL7nScQzyGTHdz0ekCJ5EOKUz0H2LWU+E9np0=,tag:WH5zbMQNE0DORcVVC/Ue2A==,type:str]
    communities:
        - ENC[AES256_GCM,data:66KS7TMJ,iv:1d78b98arCfjEAIWJBl21sHmrVZBF078yoPp8hREizs=,tag:IYA+3w4+i/lG5aIEbWDz/w==,type:str]
    device_groups:
        - ENC[AES256_GCM,data:S58lX6Cy0Z+AhLA=,iv:SH8KJ1w6d4tHpSVm1PqJ/4XrVhUo6hZWFhGCMQVAJbg=,tag:q5Lsuvfv/mgv/fwX1ezlIA==,type:str]
example2:
    ip: ENC[AES256_GCM,data:WBH+84Cw2Zr8,iv:wdXcIaqrvTPscE50IhJh+JNHBKhhxAqlAR8oSBh0edg=,tag:dsUAIcVGLbm9oIj2XQMoPA==,type:str]
    port: ENC[AES256_GCM,data:OWMD,iv:bTRT7fufGSYjY+5hMgCOR73bypq113INIPAa5srQAzk=,tag:/0iO86Ky4WxLCFHPpfEqLg==,type:int]
    poll_interval: ENC[AES256_GCM,data:WGQ=,iv:Yo06+WSNM3FVsxNq4D1DuMwzw33Z3Wkb+jaejl1fFlc=,tag:UgdkI7WTdRvYmlH+RwYAcg==,type:int]
    timeout: ENC[AES256_GCM,data:8aodzQ==,iv:GC5cVU8ogqdV3wqVGudQL8kiw6vTwDRgPKOsfzZaMHs=,tag:P8pGX+BCrhQja+ggcCzdPA==,type:int]
    retries: ENC[AES256_GCM,data:Sg==,iv:6R/UTJ/UxDwOoYIwxdaNSMb8FsLdEHOvhCVPxXucr5w=,tag:ZHT31wPKwIoHQsnFueZsTA==,type:int]
    exponential_timeout: ENC[AES256_GCM,data:MAWJFDo=,iv:ajyXshSJN6ppJs16/8VZ49sOsd0LGrIbX/tdFDrFhdw=,tag:Z+oKJiMHywhzMEFyoW5rVw==,type:bool]
    version: ENC[AES256_GCM,data:nQ==,iv:whZat6BvmokGSuc99ZEWSCHY/f7hrEgbTXWPeYO7tUA=,tag:rPrEPendlnj6KX4cXSpsgg==,type:int]
    v3_credentials:
        - username: ENC[AES256_GCM,data:U3C33op0xlVI9w==,iv:TBe9m5WLcbJJA3xFeZGsBnfmYde3LqQ+XPrwKVObfxM=,tag:Vk6taTCEG5HUhsrR0xdAEg==,type:str]
          authentication_protocol: ENC[AES256_GCM,data:svZM,iv:aKP8V1z1MZpytsqTFnMXEmIEdD10WOrQSYv0Jy5gl24=,tag:TcPJoustC+4jgCN/46gOwg==,type:str]
          authentication_passphrase: ENC[AES256_GCM,data:50joswMhZyQLIav1jsM=,iv:Fk5UWMmb2yXl7cH0VW314qdyTAHGMXcWXYCAmK/OWLY=,tag:mX672yhoXFAv0jL1xAfyHw==,type:str]
          privacy_protocol: ENC[AES256_GCM,data:lXm0,iv:CVfu7stiua+8t6GqJJ9xeShwpkWb5n3ivwVZOHNqyMs=,tag:E4lnqh9xw19C/yxivypciQ==,type:str]
          privacy_passphrase: ENC[AES256_GCM,data:P39UX0UKK8kesM23Yug=,iv:CCh4x6Tp2vbkRfPqQ/cXyG99uHGbKaR1W6mBvNnDTBQ=,tag:nCE9XfaIWNiFhYSGeObqpw==,type:str]
    device_groups:
        - ENC[AES256_GCM,data:ayAD/+D3+Et71x0=,iv:r9HuTYYKPhPeNClUpJDvB71MJ1H7AvrFGamSKTbOwJw=,tag:h++ge/puz/KajkqJibjLNQ==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1l209t8c77xaysqjy5usjzknv4fzgcj4x65gjwnvrgx0chlrk6c6qna9r9d
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUEx4cUVrK0ZRMkdBUHJi
            UzlOUUx1R3BCL3lRTmgvSXQ2N2ZDQk1TemcwCkk1clBnRGV0cmFXYWNnMlZGUFEz
            akttUlR1VmgzL2taWUdJMzgwZzBBaDAKLS0tIGR6K1dtRVZMTnhJbGVPdVhNMXRD
            QkJPZG5ISlVZclRIYmQ5Y2U4UnVnYUUKlX+RKl/l+p4Banls4tIBcdi3N0XFNxVd
            g42uDbAxdy8rfBc4elKlkv4C8ruC6xh3/yBZyHeBceqjqWxkOSTVyA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-11T02:16:28Z"
    mac: ENC[AES256_GCM,data:8ictB7la+azEBuLwotnHp4gEZjLb8bTEkDfyaFOmKOb2+AVxDhQ7kNvoBUrJ59ZqPB4xxveFHmCF1El1mYWMEonFuHsde9HZzgpeGNu2dlONonmjOlGlrisfcIivYCAGn+bD9DaGzkP/YMO/zjdJaCgwf+6WkxrviV29IAPoAG8=,iv:tAtcC+dMzSOFbc1EA++Q4GTDmPfjnVaWZdetkPkyhzw=,tag:gy1dLA4usoMMjnBjDlhsaQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1

Editing Encrypted Files

It is important to note that encrypted files should not be manually edited outside of the sops CLI editor.

To securely edit device configuration files, please use sops via the CLI:

  • Non-password protected key:

    SOPS_AGE_RECIPIENTS=$(</etc/elastiflow/snmp/.age/public-age-keys.txt) \
    SOPS_AGE_KEY_FILE=/etc/elastiflow/snmp/.age/key.age \
    sops device.yaml

  • Password protected key:

    SOPS_AGE_RECIPIENTS=$(</etc/elastiflow/snmp/.age/public-age-keys.txt) \
    SOPS_AGE_KEY=$(age -d /etc/elastiflow/snmp/.age/key.age) sops device.yaml

These commands will decrypt the file in memory and open with a text editor of your choice. By default, the editor used will be vim: sops editor vim

  • Using nano instead of vim:

    EDITOR=nano \
    SOPS_AGE_RECIPIENTS=$(</etc/elastiflow/snmp/.age/public-age-keys.txt) \
    SOPS_AGE_KEY=$(age -d /etc/elastiflow/snmp/.age/key.age) sops device.yaml

Once changes are made, save and exit to update the encrypted file stored on the disk drive.