Encrypting Configuration Files

Overview

This feature was introduced in NetObserv 7.21.0

NetObserv can encrypt configuration files (decrypting them on startup to read them).

Files encrypted with this feature:

NetObserv Flow: flowcoll.yml, Azure vnet config file
- See additional docs if you are using NetObserv Flow and want to encrypt Azure vnet config
NetObserv SNMP: snmpcoll.yml
NetObserv SNMP Trap: trapcoll.yml

Set Up Encryption For Configuration Files

There are two modes of encryption:

(default) full-file encryption -- where the entire contents of the yml config file is encrypted.
Value-only encryption -- where the config names are plain-text in the yml file, but all the values are encrypted.

Install System Dependencies

Ensure age is installed in your local environment in order to edit the config file

# Debian based linux
sudo apt install age
age --version # to verify install

Or (for RPM based distributions)

# RPM based linux
sudo dnf install epel-release
sudo dnf install age
age --version # to verify install

If you want to use the value-only encryption mode, you must also install sops. Follow the sops installation steps to install sops.

Create Encryption Keys

sudo mkdir -p /etc/elastiflow/trapcoll/.age
cd /etc/elastiflow/trapcoll/.age
age-keygen | sudo tee key.age
age-keygen -y key.age | sudo tee public-age-keys.txt

If you also want to encrypt the private key with a password (optional):

cd /etc/elastiflow/trapcoll/.age
sudo age --encrypt -p -o key.age.enc key.age
sudo mv key.age.enc key.age

Enable File Encryption

Edit the file /etc/systemd/system/trapcoll.env

set EF_CONFIG_ENCRYPT_ENABLE=true
if you used a password to encrypt the private key, set EF_CONFIG_ENCRYPT_PASSWORD to match the password

If you want to use the alternative mode of encryption (where only values are encrypted), then change EF_CONFIG_ENCRYPT_TYPE to be sops

Then reload system config: sudo systemctl daemon-reload

Setting Up Initial Encryption

You must manually encrypt the config file for the first time.

For Default Encryption Mode

cd /etc/elastiflow
sudo age -e -R ./trapcoll/.age/public-age-keys.txt -o trapcoll.enc.yml trapcoll.yml
sudo mv trapcoll.enc.yml trapcoll.yml

For Value-Only Encryption Mode

If you have set EF_CONFIG_ENCRYPT_TYPE to sops, then you have to do the initial encryption of trapcoll.yml

cd /etc/elastiflow
sudo sops encrypt --age $(< ./trapcoll/.age/public-age-keys.txt) --input-type yaml --output-type yaml --output "trapcoll.yml.enc" trapcoll.yml
sudo mv trapcoll.yml.enc trapcoll.yml

Restart NetObserv

Restart NetObserv, and it will use the encrypted config file

sudo systemctl daemon-reload
sudo systemctl restart trapcoll

Editing Config Files

Using Default Encryption Mode

To edit an encrypted config file, you will need to use the age cli tool to decrypt first.

cd /etc/elastiflow
sudo age -d -o trapcoll.decrypted.yml -i ./trapcoll/.age/key.age ./trapcoll.yml

Then edit the contents of trapcoll.decrypted.yml

Once done, use age to encrypt again

cd /etc/elastiflow
sudo age -e -R ./trapcoll/.age/public-age-keys.txt -o trapcoll.yml trapcoll.decrypted.yml
sudo rm trapcoll.decrypted.yml

Then restart NetObserv

Using Value-Only Encryption Mode

To securely edit encrypted configuration files, you can use sops via the CLI:

SOPS_AGE_RECIPIENTS=$(</etc/elastiflow/trapcoll/.age/public-age-keys.txt) \
SOPS_AGE_KEY_FILE=/etc/elastiflow/trapcoll/.age/key.age \
sudo --preserve-env=SOPS_AGE_RECIPIENTS --preserve-env=SOPS_AGE_KEY_FILE \
sops /etc/elastiflow/trapcoll.yml

This command will decrypt the file in memory and open with a cli text editor. By default, the editor used will be vim

To use another editor (like nano) instead of vim, change the EDITOR environment variable:

EDITOR=nano \
SOPS_AGE_RECIPIENTS=$(</etc/elastiflow/trapcoll/.age/public-age-keys.txt) \
SOPS_AGE_KEY_FILE=/etc/elastiflow/trapcoll/.age/key.age \
sudo --preserve-env=SOPS_AGE_RECIPIENTS --preserve-env=SOPS_AGE_KEY_FILE --preserve-env=EDITOR \
sops /etc/elastiflow/trapcoll.yml

Then restart NetObserv

Disabling File Encryption

Edit /etc/systemd/system/trapcoll.env and set EF_CONFIG_ENCRYPT_ENABLE=false

If using default encryption mode, use this command to decrypt config file:

cd /etc/elastiflow
sudo age -d -o trapcoll.decrypted.yml -i ./trapcoll/.age/key.age ./trapcoll.yml
sudo mv trapcoll.decrypted.yml trapcoll.yml

If using value-only encryption mode, use this command:

cd /etc/elastiflow
SOPS_AGE_KEY_FILE="/etc/elastiflow/trapcoll/.age/key.age" sudo --preserve-env=SOPS_AGE_KEY_FILE sudo --preserve-env=SOPS_AGE_KEY_FILE sops decrypt --input-type yaml --output-type yaml --output "trapcoll.yml.dec" "trapcoll.yml"
sudo mv trapcoll.yml.dec trapcoll.yml

PreviousConfiguration NextReceiving Traps

Last updated 3 months ago

Was this helpful?

Good morning

hashtagOverview

hashtagSet Up Encryption For Configuration Files

hashtagInstall System Dependencies

hashtagCreate Encryption Keys

hashtagEnable File Encryption

hashtagSetting Up Initial Encryption

hashtagRestart NetObserv

hashtagEditing Config Files

hashtagUsing Default Encryption Mode

hashtagUsing Value-Only Encryption Mode

hashtagDisabling File Encryption