Version: 7.5

Credential File Encryption

NetObserv Trap can be configured to encrypt the Trap listener credential files using industry-standard AGE encryption.

EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_ENABLE

Specifies whether the credential YAML files located in the directory specified by EF_INPUT_TRAP_LISTENER_CREDENTIALS_DIRECTORY_PATH will be encrypted.

  • Valid Values
    • true, false
  • Default
    • false

EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_CREATE

If credentials encryption is enabled (EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_ENABLE is true), the collector will create a new local keystore when set to true. This includes creating new AGE keys and encrypting all yml files located in the directory configured via EF_INPUT_TRAP_LISTENER_CREDENTIALS_DIRECTORY_PATH.

  • Valid Values
    • true, false
  • Default
    • false

EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_TYPE

If credentials encryption is enabled (EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_ENABLE is true), this setting specifies the type of encryption manager to use. The two options are sops and standard. sops is the default option; it encrypts only the configuration values of the configuration file, leaving the file structure intact. standard encrypts the entire configuration file using AGE encryption.

  • Valid Values
    • sops, standard
  • Default
    • sops

EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_PASSWORD

The file specified in EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_PRIVATE_KEY_FILE_PATH can be encrypted for added security. If used in conjunction with EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_CREATE, the keystore will be configured with a password-protected private key.

  • Default
    • ''

EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_PRIVATE_KEY_FILE_PATH

Sets the location of the private key file. If used in conjunction with EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_CREATE, the private key used in the keystore will be generated at this location.

  • Default
    • /etc/elastiflow/trap/.age/key.age

Warning

If using Trap collector generated keys, do not delete or modify the key files. Doing so will result in the loss of the ability to decrypt the credentials.

EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_PUBLIC_KEY_FILE_PATH

Sets the location of the public key file. If used in conjunction with EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_CREATE, the public key used in the keystore will be generated at this location.

  • Default
    • /etc/elastiflow/trap/.age/public-age-keys.txt

Warning

If using Trap collector generated keys, do not delete or modify the key files. Doing so will result in the loss of the ability to decrypt the credentials.

EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_PUBLIC_KEY

This setting can be used in place of EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_PUBLIC_KEY_FILE_PATH to assign the public key directly. It cannot be used in conjunction with EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE_CREATE.

  • Default
    • ''
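
The constraints stated in the setting descriptions above can be checked before the collector starts. The following preflight script is an added example, not part of the NetObserv documentation or product; the function name check_trap_secure_store and the rule that the private key file should be owner-only are assumptions of this example.

```shell
#!/bin/sh
# Preflight check for the secure-store settings on this page (added example).
# check_trap_secure_store and the key-file mode check are assumptions of this
# example; the other rules restate the setting descriptions above.
P=EF_INPUT_TRAP_LISTENER_CREDENTIALS_SECURE_STORE

# Print the value of setting ${P}_$1, or the documented default $2 if unset.
setting() { eval "printf '%s' \"\${${P}_$1:-$2}\""; }

fail() { echo "ERROR: $*" >&2; errs=$((errs + 1)); }

check_trap_secure_store() {
    errs=0
    enable=$(setting ENABLE false)
    create=$(setting CREATE false)
    stype=$(setting TYPE sops)
    pubkey=$(setting PUBLIC_KEY '')
    priv=$(setting PRIVATE_KEY_FILE_PATH /etc/elastiflow/trap/.age/key.age)
    pub=$(setting PUBLIC_KEY_FILE_PATH /etc/elastiflow/trap/.age/public-age-keys.txt)

    for v in "$enable" "$create"; do
        case $v in true|false) ;; *) fail "boolean setting has value '$v'" ;; esac
    done
    case $stype in sops|standard) ;; *) fail "${P}_TYPE must be sops or standard" ;; esac

    if [ "$create" = true ]; then
        [ "$enable" = true ] || fail "${P}_CREATE only applies when ${P}_ENABLE is true"
        [ -z "$pubkey" ] || fail "${P}_PUBLIC_KEY cannot be combined with ${P}_CREATE"
    elif [ "$enable" = true ]; then
        # Existing keystore: the page warns that deleting key files loses the ability to decrypt.
        [ -f "$priv" ] || fail "private key file missing: $priv"
        [ -n "$pubkey" ] || [ -f "$pub" ] || fail "no public key: set ${P}_PUBLIC_KEY or create $pub"
        # Assumption: the private key should be readable by its owner only.
        case $(ls -ld "$priv" 2>/dev/null) in
            ''|????------*) ;;
            *) fail "private key file is accessible to group/other: $priv" ;;
        esac
    fi
    [ "$errs" -eq 0 ]
}
```

The function returns non-zero and prints one ERROR line per violated rule, so it can gate a service start script or a container entrypoint.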