# Encrypting Configuration Files

## Overview <a href="#id-1fb3f9ab-535e-46e3-b4bc-c5d96c8a60e5" id="id-1fb3f9ab-535e-46e3-b4bc-c5d96c8a60e5"></a>

{% hint style="info" %}
This feature was introduced in NetObserv 7.21.0
{% endhint %}

NetObserv can encrypt configuration files (decrypting them on startup to read them).

Files encrypted with this feature:

* NetObserv Flow: flowcoll.yml, Azure vnet config file
  * See [additional docs](/flowcoll/configuration/encrypting-configuration-files/encrypting-azure-vnet-configuration.md) if you are using NetObserv Flow and want to encrypt Azure vnet config
* NetObserv SNMP: snmpcoll.yml
* NetObserv SNMP Trap: trapcoll.yml

## Set Up Encryption For Configuration Files <a href="#f4027373-4813-4604-9869-40687e34f955" id="f4027373-4813-4604-9869-40687e34f955"></a>

There are two modes of encryption:

1. (default) Full-file encryption, where the entire contents of the yml config file are encrypted.
2. Value-only encryption, where the config key names stay in plain text in the yml file but all of the values are encrypted.

### Install System Dependencies <a href="#a0fc48dd-3a9c-4135-b812-f6c5fec662aa" id="a0fc48dd-3a9c-4135-b812-f6c5fec662aa"></a>

Ensure [age](https://github.com/FiloSottile/age) is installed in your local environment in order to edit the config file.

```
# Debian based linux
sudo apt install age
age --version # to verify install
```

Or (for RPM based distributions)

```
# RPM based linux
sudo dnf install epel-release
sudo dnf install age
age --version # to verify install
```

If you want to use the value-only encryption mode, you must also install `sops`. Follow the [sops installation steps](https://github.com/getsops/sops?tab=readme-ov-file#1download) to install sops.

### Create Encryption Keys <a href="#c4e67db1-c40e-4f40-b62d-1d5cf5cb41bf" id="c4e67db1-c40e-4f40-b62d-1d5cf5cb41bf"></a>

<pre><code>sudo mkdir -p /etc/elastiflow/<code class="expression">page.vars.product_shortname</code>/.age
cd /etc/elastiflow/<code class="expression">page.vars.product_shortname</code>/.age
age-keygen | sudo tee key.age
age-keygen -y key.age | sudo tee public-age-keys.txt
</code></pre>

If you also want to encrypt the private key with a password (optional):

<pre><code>cd /etc/elastiflow/<code class="expression">page.vars.product_shortname</code>/.age
sudo age --encrypt -p -o key.age.enc key.age
sudo mv key.age.enc key.age
</code></pre>

### Enable File Encryption <a href="#id-0222e94b-dc82-41e7-b8ad-c2687cc5188e" id="id-0222e94b-dc82-41e7-b8ad-c2687cc5188e"></a>

Edit the file /etc/systemd/system/<code class="expression">page.vars.product\_shortname</code>.env

* set `EF_CONFIG_ENCRYPT_ENABLE=true`
* if you used a password to encrypt the private key, set `EF_CONFIG_ENCRYPT_PASSWORD` to match the password

If you want to use the alternative mode of encryption (where only values are encrypted), set `EF_CONFIG_ENCRYPT_TYPE` to `sops`.

Then reload system config: `sudo systemctl daemon-reload`

#### Setting Up Initial Encryption <a href="#ab003428-1870-4c32-a69d-1ebe184b631a" id="ab003428-1870-4c32-a69d-1ebe184b631a"></a>

You must manually encrypt the config file for the first time.

**For Default Encryption Mode**

<pre><code>cd /etc/elastiflow
sudo age -e -R ./<code class="expression">page.vars.product_shortname</code>/.age/public-age-keys.txt -o <code class="expression">page.vars.product_shortname</code>.enc.yml <code class="expression">page.vars.product_shortname</code>.yml
sudo mv <code class="expression">page.vars.product_shortname</code>.enc.yml <code class="expression">page.vars.product_shortname</code>.yml
</code></pre>

**For Value-Only Encryption Mode**

If you have set `EF_CONFIG_ENCRYPT_TYPE` to `sops`, do the initial encryption of <code class="expression">page.vars.product\_shortname</code>.yml with sops:

<pre><code>cd /etc/elastiflow
sudo sops encrypt --age $(&#x3C; ./<code class="expression">page.vars.product_shortname</code>/.age/public-age-keys.txt) --input-type yaml --output-type yaml --output "<code class="expression">page.vars.product_shortname</code>.yml.enc" <code class="expression">page.vars.product_shortname</code>.yml
sudo mv <code class="expression">page.vars.product_shortname</code>.yml.enc <code class="expression">page.vars.product_shortname</code>.yml
</code></pre>

### Restart NetObserv <a href="#id-717c1466-f455-4b3a-91a6-83fa1809dca7" id="id-717c1466-f455-4b3a-91a6-83fa1809dca7"></a>

Restart NetObserv, and it will use the encrypted config file.

<pre><code>sudo systemctl daemon-reload
sudo systemctl restart <code class="expression">page.vars.product_shortname</code>
</code></pre>

## Editing Config Files <a href="#id-2328ded6-1033-4ef2-9c46-1d65057414b7" id="id-2328ded6-1033-4ef2-9c46-1d65057414b7"></a>

#### Using Default Encryption Mode <a href="#id-0edea2d1-b89a-4283-b599-8220fcc9bad7" id="id-0edea2d1-b89a-4283-b599-8220fcc9bad7"></a>

To edit an encrypted config file, you will need to use the `age` CLI tool to decrypt it first.

<pre><code>cd /etc/elastiflow
sudo age -d -o <code class="expression">page.vars.product_shortname</code>.decrypted.yml -i ./<code class="expression">page.vars.product_shortname</code>/.age/key.age ./<code class="expression">page.vars.product_shortname</code>.yml
</code></pre>

Then edit the contents of <code class="expression">page.vars.product\_shortname</code>.decrypted.yml.

Once done, use `age` to encrypt it again:

<pre><code>cd /etc/elastiflow
sudo age -e -R ./<code class="expression">page.vars.product_shortname</code>/.age/public-age-keys.txt -o <code class="expression">page.vars.product_shortname</code>.yml <code class="expression">page.vars.product_shortname</code>.decrypted.yml
sudo rm <code class="expression">page.vars.product_shortname</code>.decrypted.yml
</code></pre>

Then restart NetObserv.

#### Using Value-Only Encryption Mode <a href="#id-39297bb7-ef3d-4de5-b73c-4c6f07a595e2" id="id-39297bb7-ef3d-4de5-b73c-4c6f07a595e2"></a>

To securely edit encrypted configuration files, you can use sops via the CLI:

<pre><code>SOPS_AGE_RECIPIENTS=$(&#x3C;/etc/elastiflow/<code class="expression">page.vars.product_shortname</code>/.age/public-age-keys.txt) \
SOPS_AGE_KEY_FILE=/etc/elastiflow/<code class="expression">page.vars.product_shortname</code>/.age/key.age \
sudo --preserve-env=SOPS_AGE_RECIPIENTS --preserve-env=SOPS_AGE_KEY_FILE \
sops /etc/elastiflow/<code class="expression">page.vars.product_shortname</code>.yml
</code></pre>

This command decrypts the file in memory and opens it in a CLI text editor. By default, the editor used is vim.

To use another editor (like nano) instead of vim, change the `EDITOR` environment variable:

<pre><code>EDITOR=nano \
SOPS_AGE_RECIPIENTS=$(&#x3C;/etc/elastiflow/<code class="expression">page.vars.product_shortname</code>/.age/public-age-keys.txt) \
SOPS_AGE_KEY_FILE=/etc/elastiflow/<code class="expression">page.vars.product_shortname</code>/.age/key.age \
sudo --preserve-env=SOPS_AGE_RECIPIENTS --preserve-env=SOPS_AGE_KEY_FILE --preserve-env=EDITOR \
sops /etc/elastiflow/<code class="expression">page.vars.product_shortname</code>.yml
</code></pre>

Then restart NetObserv.

### Disabling File Encryption <a href="#fee26357-e94f-423c-8088-2b3fa32a6dea" id="fee26357-e94f-423c-8088-2b3fa32a6dea"></a>

Edit /etc/systemd/system/<code class="expression">page.vars.product\_shortname</code>.env and set `EF_CONFIG_ENCRYPT_ENABLE=false`.

If using default encryption mode, use this command to decrypt the config file:

<pre><code>cd /etc/elastiflow
sudo age -d -o <code class="expression">page.vars.product_shortname</code>.decrypted.yml -i ./<code class="expression">page.vars.product_shortname</code>/.age/key.age ./<code class="expression">page.vars.product_shortname</code>.yml
sudo mv <code class="expression">page.vars.product_shortname</code>.decrypted.yml <code class="expression">page.vars.product_shortname</code>.yml
</code></pre>

If using value-only encryption mode, use this command:

<pre><code>cd /etc/elastiflow
SOPS_AGE_KEY_FILE="/etc/elastiflow/<code class="expression">page.vars.product_shortname</code>/.age/key.age" sudo --preserve-env=SOPS_AGE_KEY_FILE sops decrypt --input-type yaml --output-type yaml --output "<code class="expression">page.vars.product_shortname</code>.yml.dec" "<code class="expression">page.vars.product_shortname</code>.yml"
sudo mv <code class="expression">page.vars.product_shortname</code>.yml.dec <code class="expression">page.vars.product_shortname</code>.yml
</code></pre>
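Both the setup procedure (ending with the restart) and the disabling procedure above leave room for a mismatch between the `.env` file and what is actually on disk: the collector can be told to expect full-file or value-only encryption while the yml file is in the other format, or still plain text, or still encrypted after `EF_CONFIG_ENCRYPT_ENABLE=false`. The script below is an added example that is not part of the ElastiFlow documentation; it checks those three things before a restart, using only the public age and sops on-disk formats (the `age-encryption.org/v1` header or armored banner for age, the top-level `sops:` block plus `ENC[AES256_GCM,...]` values for sops). It also checks that the private key is not group- or world-readable, because `age-keygen | sudo tee key.age` creates the file with the default umask. Function names, the env-file parsing and the sample files created by `demo` are assumptions and constructed placeholders; the page does not name the default value of `EF_CONFIG_ENCRYPT_TYPE`, so anything other than `sops` is treated as full-file mode.

```shell
#!/bin/sh
# Added example, not part of the ElastiFlow documentation: a pre-restart
# consistency check for the encrypted-config setup described on this page.
# Function names and the sample files in demo() are assumptions/placeholders.

# detect_mode FILE -> prints "age" (full-file mode), "sops" (value-only mode)
# or "plaintext", based on the public age and sops file formats.
detect_mode() {
  f=$1
  # Binary age output begins with the format header; `age -a` output begins with a banner.
  if [ "$(head -c 21 "$f" 2>/dev/null)" = "age-encryption.org/v1" ] ||
     [ "$(head -n 1 "$f" 2>/dev/null)" = "-----BEGIN AGE ENCRYPTED FILE-----" ]; then
    echo age
    return 0
  fi
  # sops keeps key names, rewrites values as ENC[...] strings and appends a "sops:" block.
  if grep -q '^sops:' "$f" 2>/dev/null && grep -q 'ENC\[AES256_GCM' "$f" 2>/dev/null; then
    echo sops
    return 0
  fi
  echo plaintext
}

# key_perms_ok FILE -> 0 when group and others have no access bits on the private key.
# Portable check: columns 5-10 of `ls -ld` are the group/other permission bits.
key_perms_ok() {
  case "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# env_encrypt_type ENV_FILE -> "disabled", "sops", or "age" (full-file mode).
# The page does not state the default EF_CONFIG_ENCRYPT_TYPE value, so anything
# other than sops is treated as full-file mode here (an assumption).
env_encrypt_type() {
  envf=$1
  if ! grep -q '^EF_CONFIG_ENCRYPT_ENABLE=true' "$envf" 2>/dev/null; then
    echo disabled
    return 0
  fi
  t=$(sed -n 's/^EF_CONFIG_ENCRYPT_TYPE=//p' "$envf" | tail -n 1 | tr -d '"')
  if [ "$t" = sops ]; then echo sops; else echo age; fi
}

# check_setup ENV_FILE CONFIG_FILE KEY_FILE -> 0 if all three agree, 1 otherwise.
check_setup() {
  envf=$1; cfg=$2; key=$3; rc=0
  [ -r "$envf" ] || { echo "FAIL: cannot read $envf"; return 1; }
  [ -r "$cfg" ]  || { echo "FAIL: cannot read $cfg"; return 1; }
  want=$(env_encrypt_type "$envf")
  have=$(detect_mode "$cfg")
  if [ "$want" = disabled ] && [ "$have" != plaintext ]; then
    echo "FAIL: encryption is disabled in $envf but $cfg is still $have-encrypted; decrypt it first"
    rc=1
  elif [ "$want" != disabled ] && [ "$want" != "$have" ]; then
    echo "FAIL: $envf selects $want mode but $cfg looks like $have"
    rc=1
  fi
  if [ "$want" != disabled ] && ! key_perms_ok "$key"; then
    echo "FAIL: $key is readable by group/other; run: chmod 600 $key"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $cfg is consistent with $envf ($want)"
  return "$rc"
}

# Stand-alone demo on constructed placeholder files (no real keys, recipients or secrets).
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'age-encryption.org/v1' '-> X25519 placeholder' > "$d/full.yml"
  printf '%s\n' 'some_password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]' \
                'sops:' '    age:' '        - recipient: age1placeholder' > "$d/values.yml"
  printf '%s\n' 'EF_CONFIG_ENCRYPT_ENABLE=true' 'EF_CONFIG_ENCRYPT_TYPE=sops' > "$d/sops.env"
  printf '%s\n' 'EF_CONFIG_ENCRYPT_ENABLE=true' > "$d/age.env"
  printf '%s\n' '# AGE-SECRET-KEY placeholder' > "$d/key.age"
  chmod 600 "$d/key.age"
  check_setup "$d/sops.env" "$d/values.yml" "$d/key.age"            # OK
  check_setup "$d/age.env"  "$d/full.yml"   "$d/key.age"            # OK
  check_setup "$d/age.env"  "$d/values.yml" "$d/key.age" || true    # FAIL: mode mismatch
  rm -rf "$d"
}

demo
```

On a real host, run it as `check_setup /etc/systemd/system/<shortname>.env /etc/elastiflow/<shortname>.yml /etc/elastiflow/<shortname>/.age/key.age` with the product short name substituted, before `systemctl restart`; a non-zero exit means the service would either fail to read its config or start with a plaintext file it was expected to decrypt.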

