Configuring System Secrets
By means of the REST API, System Secrets can be configured, and the current configuration can be retrieved.
Description
Configures system secrets; which comprises the master password, data keys, key storage, and the location of key-control scripts.
The Full Admin, Local User Security Admin, or External User Security Admin role is required.
Curl Syntax
curl -X GET http://<ip-address-or-hostname>:8091/nodes/self/secretsManagement/encryptionService -u <username>:<password> curl -X POST http://<ip-address-or-hostname>:8091/node/controller/secretsManagement/encryptionService -u <username>:<password> -H <header> [-d <option>=<value>]*
The Content-Type
can be either application/json
or application/x-www-form-urlencoded
.
(Note that application/x-www-form-urlencoded
can be omitted in curl commands, since used by default.)
Each option
and associated value
is described below.
-
keyEncrypted
. Whether data keys should be encrypted by means of the master password. The value can be eithertrue
(the default) orfalse
. -
keyPath
. Specifies whether the data keys are stored at the default or at a custom location. The value can be eitherauto
(which is the default) orcustom
. If the value isauto
, the default location is used. If the value iscustom
, the path provided bycustomKeyPath
is used. Note that this option is used only ifkeyStorageType
has the valuefile
. -
customKeyPath
. A file-path that specifies a custom location at which the data keys are stored. This file-path is used only if the value ofkeyPath
iscustom
. -
keyStorageType
. The value can befile
(which is the default) orscript
. If the value isfile
, the system stores the data keys in a file. If the value isscript
, a user-specified script is called, when keys are to be written, read, or deleted. These scripts must be specified bywriteCmd
,readCmd
, anddeleteCmd
, respectively. -
passwordSource
. The value can beenv
(which is the default) orscript
. If the value isenv
, the master password is read from the environment variable specified bypasswordEnv
. If the value isscript
, the master password is provided by the script specified bypasswordCmd
. -
passwordEnv
. The name of the environment variable from which the master password is read (provided that the value ofpasswordSource
isenv
). By default, the value ofpasswordEnv
isCB_MASTER_PASSWORD
. -
passwordCmd
. The script to be executed for provision of the master password. This script is only executed when the value ofpasswordSource
isscript
.This script is executed when the node is started. It may also be executed in the event either of a node-reconfiguration or of an anomaly. The script must exit with status code
0
— otherwise, an error occurs. The script is expected to write the master password to standard output. -
passwordState
. Shows the state of the encryption-service master password and data keys. The value can be:-
default
. The encryption password is not set. -
user_configured
. The master password is set -
password_not_used
. The data keys are not encrypted.
This is a read-only setting, and so cannot be used with the
POST
method. -
-
readCmd
. The script to be executed for the reading of data keys (when the value ofkeyStorageType
isscript
). -
writeCmd
. The script to be executed for the writing of data keys (when the value ofkeyStorageType
isscript
). -
deleteCmd
. The script to be executed for the deletion of data keys (when the value ofkeyStorageType
isscript
).
Responses
For GET
and POST
, success returns 200 OK
, and an object containing the current settings.
Failure to authenticate returns 403 Bad Request
, and an error message such as the following:
{ "message": "Forbidden. User needs the following permissions", "permissions": [ "cluster.admin.security!write" ] }
An incorrectly expressed URI returns 404 Object Not Found
.
An incorrectly formatted payload returns 400 Bad Request
.
If an invalid or inaccessible script is specified for reading the master password for encryption-key handling, the call fails with 400 Bad Request
, and a corresponding error message.
Examples
The following examples demonstrate different ways in which secrets management can be configured.
Retrieving the Current Configuration
The following command retrieves the current configuration. Output is piped to the jq command, to facilitate readability.
curl -v -X GET http://localhost:8091/nodes/self/secretsManagement/encryptionService \ -u Administrator:password | jq '.'
Output takes the following form:
{ "keyEncrypted": true, "keyPath": "auto", "keyStorageType": "file", "passwordEnv": "CB_MASTER_PASSWORD", "passwordSource": "env", "passwordState": "default" }
This output corresponds to the default settings.
Specifying a Custom Script for Obtaining the Master Pasword
The following call specifies, as the value of passwordCmd
, a path to a custom script, and provides the script’s required arguments.
curl -v -X POST http://localhost:8091/node/controller/secretsManagement/encryptionService \ -u Administrator:password \ -H "Content-Type:application/json" -s -d "$(cat)" | jq { "keyEncrypted": true, "passwordSource": "script", "passwordCmd": "/home/vagrant/pwdScript.sh param1 param2" } // Exit with ^D
If successful, the call returns 200 OK
and the following object, which confirms the new configuration.
{ "keyEncrypted": true, "keyPath": "auto", "keyStorageType": "file", "passwordCmd": "/home/vagrant/pwdScript.sh param1 param2", "passwordSource": "script", "passwordState": "user_configured" }
Specifying Custom Scripts for Handling data keys
The following call specifies custom scripts for the reading, writing, and deleting of data keys:
curl -v -X POST http://localhost:8091/node/controller/secretsManagement/encryptionService \ -u Administrator:password \ -H "Content-Type:application/json" -s -d "$(cat)" | jq { "keyStorageType": "script", "readCmd": "/home/vagrant/readScript.sh", "writeCmd": "/home/vagrant/writeScript.sh", "deleteCmd": "/home/vagrant/deleteScript.sh" } // Exit with ^D
If the command is successful, output of the following form confirms the change in configuration:
{ "deleteCmd": "/home/vagrant/deleteScript.sh", "keyStorageType": "script", "passwordState": "password_not_used", "readCmd": "/home/vagrant/readScript.sh", "writeCmd": "/home/vagrant/writeScript.sh" }
Re-Establishing the Default Configuration
The following call re-establishes the default configuration.
curl -v -X POST http://localhost:8091/node/controller/secretsManagement/encryptionService \ -u Administrator:password \ -H "Content-Type:application/json" -s -d "$(cat)" | jq { "keyStorageType": "file", "keyEncrypted": true, "passwordSource": "env", "passwordEnv": "CB_MASTER_PASSWORD" } // Exit with ^D
If successful, the call returns 200 OK
, and the following object, which confirms restoration of the default settings:
{ "keyEncrypted": true, "keyPath": "auto", "keyStorageType": "file", "passwordEnv": "CB_MASTER_PASSWORD", "passwordSource": "env", "passwordState": "default" }
Designing Scripts for Handling data keys
Requirements for the behavior of customer scripts for reading, writing, and deleting data keys are described below. Note that the master password is not used, when these commands are executed.
Scripts for Writing data keys
A custom script for writing data keys must accept at least one, and at most two arguments. The first (or only) argument is always the main key to be used. If a second argument is provided, this is the backup key, which is only used when the node rotates data keys. If two keys are specified, they should be separated by a space.
The following command would establish only the main key:
/home/vagrant/writeScript.sh BVegHS0+3jg/Ffn0inhJq6tuJRcOjnQNpBpyy6Cf45w=
The following command would establish both the main and the backup key:
/home/vagrant/writeScript.sh BVegHS0+3jg/Ffn0inhJq6tuJRcOjnQNpBpyy6Cf45w= \ UtCwS6mKnXJS1r76Rb6oDyITWi/XIuQia5/rcSiZvFY="
The script must exit with code 0
.
Scripts for Reading Data Keys
A custom script for reading data keys must return between zero and two keys, as follows.
If the custom script that is the value of writeScript
:
-
Has not yet been used, the script for reading exits with code
0
, and returns no key. For example:$ /home/vagrant/readScript.sh $
-
Has written only one key (the main key), the script for reading exits with code
0
, and returns the main key. For example:$ /home/vagrant/readScript.sh BVegHS0+3jg/Ffn0inhJq6tuJRcOjnQNpBpyy6Cf45w= $
-
Has written two keys (the main and backup keys), the script for reading exits with code
0
, and returns both keys. For example:$ /home/vagrant/readScript.sh BVegHS0+3jg/Ffn0inhJq6tuJRcOjnQNpBpyy6Cf45w= UtCwS6mKnXJS1r76Rb6oDyITWi/XIuQia5/rcSiZvFY=" $
Note that the encryption-key format is opaque, and can only be created by the instance of Couchbase Server running on the node.
See Also
An overview of system secrets and their management, including an example of entering the master pasword at the system prompt, is provided in Manage System Secrets.