6a59d34bb1
Update configuration files, templates, and internal documentation for the provisioning repository system. Configuration Updates: - KMS configuration modernization - Plugin system settings - Service port mappings - Test cluster topologies - Installation configuration examples - VM configuration defaults - Cedar authorization policies Documentation Updates: - Library module documentation - Extension API guides - AI system documentation - Service management guides - Test environment setup - Plugin usage guides - Validator configuration documentation All changes are backward compatible.
392 lines
19 KiB
HTML
392 lines
19 KiB
HTML
<!DOCTYPE HTML>
|
|
<html lang="en" class="ayu sidebar-visible" dir="ltr">
|
|
<head>
|
|
<!-- Book generated using mdBook -->
|
|
<meta charset="UTF-8">
|
|
<title>Config Encryption Quick Reference - Provisioning Platform Documentation</title>
|
|
|
|
|
|
<!-- Custom HTML head -->
|
|
|
|
<meta name="description" content="Complete documentation for the Provisioning Platform - Infrastructure automation with Nushell, KCL, and Rust">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<meta name="theme-color" content="#ffffff">
|
|
|
|
<link rel="icon" href="../favicon.svg">
|
|
<link rel="shortcut icon" href="../favicon.png">
|
|
<link rel="stylesheet" href="../css/variables.css">
|
|
<link rel="stylesheet" href="../css/general.css">
|
|
<link rel="stylesheet" href="../css/chrome.css">
|
|
<link rel="stylesheet" href="../css/print.css" media="print">
|
|
|
|
<!-- Fonts -->
|
|
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
|
|
<link rel="stylesheet" href="../fonts/fonts.css">
|
|
|
|
<!-- Highlight.js Stylesheets -->
|
|
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
|
|
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
|
|
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
|
|
|
|
<!-- Custom theme stylesheets -->
|
|
|
|
|
|
<!-- Provide site root and default themes to javascript -->
|
|
<script>
|
|
const path_to_root = "../";
|
|
const default_light_theme = "ayu";
|
|
const default_dark_theme = "navy";
|
|
</script>
|
|
<!-- Start loading toc.js asap -->
|
|
<script src="../toc.js"></script>
|
|
</head>
|
|
<body>
|
|
<div id="mdbook-help-container">
|
|
<div id="mdbook-help-popup">
|
|
<h2 class="mdbook-help-title">Keyboard shortcuts</h2>
|
|
<div>
|
|
<p>Press <kbd>←</kbd> or <kbd>→</kbd> to navigate between chapters</p>
|
|
<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
|
|
<p>Press <kbd>?</kbd> to show this help</p>
|
|
<p>Press <kbd>Esc</kbd> to hide this help</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div id="body-container">
|
|
<!-- Work around some values being stored in localStorage wrapped in quotes -->
|
|
<script>
|
|
try {
|
|
let theme = localStorage.getItem('mdbook-theme');
|
|
let sidebar = localStorage.getItem('mdbook-sidebar');
|
|
|
|
if (theme.startsWith('"') && theme.endsWith('"')) {
|
|
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
|
|
}
|
|
|
|
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
|
|
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
|
|
}
|
|
} catch (e) { }
|
|
</script>
|
|
|
|
<!-- Set the theme before any content is loaded, prevents flash -->
|
|
<script>
|
|
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
|
|
let theme;
|
|
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
|
|
if (theme === null || theme === undefined) { theme = default_theme; }
|
|
const html = document.documentElement;
|
|
html.classList.remove('ayu')
|
|
html.classList.add(theme);
|
|
html.classList.add("js");
|
|
</script>
|
|
|
|
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
|
|
|
|
<!-- Hide / unhide sidebar before it is displayed -->
|
|
<script>
|
|
let sidebar = null;
|
|
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
|
|
if (document.body.clientWidth >= 1080) {
|
|
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
|
|
sidebar = sidebar || 'visible';
|
|
} else {
|
|
sidebar = 'hidden';
|
|
}
|
|
sidebar_toggle.checked = sidebar === 'visible';
|
|
html.classList.remove('sidebar-visible');
|
|
html.classList.add("sidebar-" + sidebar);
|
|
</script>
|
|
|
|
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
|
|
<!-- populated by js -->
|
|
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
|
|
<noscript>
|
|
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
|
|
</noscript>
|
|
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
|
|
<div class="sidebar-resize-indicator"></div>
|
|
</div>
|
|
</nav>
|
|
|
|
<div id="page-wrapper" class="page-wrapper">
|
|
|
|
<div class="page">
|
|
<div id="menu-bar-hover-placeholder"></div>
|
|
<div id="menu-bar" class="menu-bar sticky">
|
|
<div class="left-buttons">
|
|
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
|
|
<i class="fa fa-bars"></i>
|
|
</label>
|
|
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
|
|
<i class="fa fa-paint-brush"></i>
|
|
</button>
|
|
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
|
|
<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
|
|
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
|
|
</ul>
|
|
<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
|
|
<i class="fa fa-search"></i>
|
|
</button>
|
|
</div>
|
|
|
|
<h1 class="menu-title">Provisioning Platform Documentation</h1>
|
|
|
|
<div class="right-buttons">
|
|
<a href="../print.html" title="Print this book" aria-label="Print this book">
|
|
<i id="print-button" class="fa fa-print"></i>
|
|
</a>
|
|
<a href="https://github.com/provisioning/provisioning-platform" title="Git repository" aria-label="Git repository">
|
|
<i id="git-repository-button" class="fa fa-github"></i>
|
|
</a>
|
|
<a href="https://github.com/provisioning/provisioning-platform/edit/main/provisioning/docs/src/user/CONFIG_ENCRYPTION_QUICKREF.md" title="Suggest an edit" aria-label="Suggest an edit">
|
|
<i id="git-edit-button" class="fa fa-edit"></i>
|
|
</a>
|
|
|
|
</div>
|
|
</div>
|
|
|
|
<div id="search-wrapper" class="hidden">
|
|
<form id="searchbar-outer" class="searchbar-outer">
|
|
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
|
|
</form>
|
|
<div id="searchresults-outer" class="searchresults-outer hidden">
|
|
<div id="searchresults-header" class="searchresults-header"></div>
|
|
<ul id="searchresults">
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
|
|
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
|
|
<script>
|
|
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
|
|
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
|
|
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
|
|
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
|
|
});
|
|
</script>
|
|
|
|
<div id="content" class="content">
|
|
<main>
|
|
<h1 id="configuration-encryption-quick-reference"><a class="header" href="#configuration-encryption-quick-reference">Configuration Encryption Quick Reference</a></h1>
|
|
<h2 id="setup-one-time"><a class="header" href="#setup-one-time">Setup (One-time)</a></h2>
|
|
<pre><code class="language-bash"># 1. Initialize encryption
|
|
provisioning config init-encryption --kms age
|
|
|
|
# 2. Set environment variables (add to ~/.zshrc or ~/.bashrc)
|
|
export SOPS_AGE_RECIPIENTS="age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
|
|
export PROVISIONING_KAGE="$HOME/.config/sops/age/keys.txt"
|
|
|
|
# 3. Validate setup
|
|
provisioning config validate-encryption
|
|
</code></pre>
|
|
<h2 id="common-commands"><a class="header" href="#common-commands">Common Commands</a></h2>
|
|
<div class="table-wrapper"><table><thead><tr><th>Task</th><th>Command</th></tr></thead><tbody>
|
|
<tr><td><strong>Encrypt file</strong></td><td><code>provisioning config encrypt secrets.yaml --in-place</code></td></tr>
|
|
<tr><td><strong>Decrypt file</strong></td><td><code>provisioning config decrypt secrets.enc.yaml</code></td></tr>
|
|
<tr><td><strong>Edit encrypted</strong></td><td><code>provisioning config edit-secure secrets.enc.yaml</code></td></tr>
|
|
<tr><td><strong>Check if encrypted</strong></td><td><code>provisioning config is-encrypted secrets.yaml</code></td></tr>
|
|
<tr><td><strong>Scan for unencrypted</strong></td><td><code>provisioning config scan-sensitive workspace --recursive</code></td></tr>
|
|
<tr><td><strong>Encrypt all sensitive</strong></td><td><code>provisioning config encrypt-all workspace/config --kms age</code></td></tr>
|
|
<tr><td><strong>Validate setup</strong></td><td><code>provisioning config validate-encryption</code></td></tr>
|
|
<tr><td><strong>Show encryption info</strong></td><td><code>provisioning config encryption-info secrets.yaml</code></td></tr>
|
|
</tbody></table>
|
|
</div>
|
|
<h2 id="file-naming-conventions"><a class="header" href="#file-naming-conventions">File Naming Conventions</a></h2>
|
|
<p>Automatically encrypted by SOPS:</p>
|
|
<ul>
|
|
<li><code>workspace/*/config/secure.yaml</code> ← Auto-encrypted</li>
|
|
<li><code>*.enc.yaml</code> ← Auto-encrypted</li>
|
|
<li><code>*.enc.yml</code> ← Auto-encrypted</li>
|
|
<li><code>*.enc.toml</code> ← Auto-encrypted</li>
|
|
<li><code>workspace/*/config/providers/*credentials*.toml</code> ← Auto-encrypted</li>
|
|
</ul>
|
|
<h2 id="quick-workflow"><a class="header" href="#quick-workflow">Quick Workflow</a></h2>
|
|
<pre><code class="language-bash"># Create config with secrets
|
|
cat > workspace/config/secure.yaml <<EOF
|
|
database:
|
|
password: supersecret
|
|
api_key: secret_key_123
|
|
EOF
|
|
|
|
# Encrypt in-place
|
|
provisioning config encrypt workspace/config/secure.yaml --in-place
|
|
|
|
# Verify encrypted
|
|
provisioning config is-encrypted workspace/config/secure.yaml
|
|
|
|
# Edit securely (decrypt -> edit -> re-encrypt)
|
|
provisioning config edit-secure workspace/config/secure.yaml
|
|
|
|
# Configs are auto-decrypted when loaded
|
|
provisioning env # Automatically decrypts secure.yaml
|
|
</code></pre>
|
|
<h2 id="kms-backends"><a class="header" href="#kms-backends">KMS Backends</a></h2>
|
|
<div class="table-wrapper"><table><thead><tr><th>Backend</th><th>Use Case</th><th>Setup Command</th></tr></thead><tbody>
|
|
<tr><td><strong>Age</strong></td><td>Development, simple setup</td><td><code>provisioning config init-encryption --kms age</code></td></tr>
|
|
<tr><td><strong>AWS KMS</strong></td><td>Production, AWS environments</td><td>Configure in <code>.sops.yaml</code></td></tr>
|
|
<tr><td><strong>Vault</strong></td><td>Enterprise, dynamic secrets</td><td>Set <code>VAULT_ADDR</code> and <code>VAULT_TOKEN</code></td></tr>
|
|
<tr><td><strong>Cosmian</strong></td><td>Confidential computing</td><td>Configure in <code>config.toml</code></td></tr>
|
|
</tbody></table>
|
|
</div>
|
|
<h2 id="security-checklist"><a class="header" href="#security-checklist">Security Checklist</a></h2>
|
|
<ul>
|
|
<li>✅ Encrypt all files with passwords, API keys, secrets</li>
|
|
<li>✅ Never commit unencrypted secrets to git</li>
|
|
<li>✅ Set file permissions: <code>chmod 600 ~/.config/sops/age/keys.txt</code></li>
|
|
<li>✅ Add plaintext files to <code>.gitignore</code>: <code>*.dec.yaml</code>, <code>secrets.yaml</code></li>
|
|
<li>✅ Regular key rotation (quarterly for production)</li>
|
|
<li>✅ Separate keys per environment (dev/staging/prod)</li>
|
|
<li>✅ Backup Age keys securely (encrypted backup)</li>
|
|
</ul>
|
|
<h2 id="troubleshooting"><a class="header" href="#troubleshooting">Troubleshooting</a></h2>
|
|
<div class="table-wrapper"><table><thead><tr><th>Problem</th><th>Solution</th></tr></thead><tbody>
|
|
<tr><td><code>SOPS binary not found</code></td><td><code>brew install sops</code></td></tr>
|
|
<tr><td><code>Age key file not found</code></td><td><code>provisioning config init-encryption --kms age</code></td></tr>
|
|
<tr><td><code>SOPS_AGE_RECIPIENTS not set</code></td><td><code>export SOPS_AGE_RECIPIENTS="age1..."</code></td></tr>
|
|
<tr><td><code>Decryption failed</code></td><td>Check key file: <code>provisioning config validate-encryption</code></td></tr>
|
|
<tr><td><code>AWS KMS Access Denied</code></td><td>Verify IAM permissions: <code>aws sts get-caller-identity</code></td></tr>
|
|
</tbody></table>
|
|
</div>
|
|
<h2 id="testing"><a class="header" href="#testing">Testing</a></h2>
|
|
<pre><code class="language-bash"># Run all encryption tests
|
|
nu provisioning/core/nulib/lib_provisioning/config/encryption_tests.nu
|
|
|
|
# Run specific test
|
|
nu provisioning/core/nulib/lib_provisioning/config/encryption_tests.nu --test roundtrip
|
|
|
|
# Test full workflow
|
|
nu provisioning/core/nulib/lib_provisioning/config/encryption_tests.nu test-full-encryption-workflow
|
|
|
|
# Test KMS backend
|
|
use lib_provisioning/kms/client.nu
|
|
kms-test --backend age
|
|
</code></pre>
|
|
<h2 id="integration"><a class="header" href="#integration">Integration</a></h2>
|
|
<p>Configs are <strong>automatically decrypted</strong> when loaded:</p>
|
|
<pre><code class="language-nushell"># Nushell code - encryption is transparent
|
|
use lib_provisioning/config/loader.nu
|
|
|
|
# Auto-decrypts encrypted files in memory
|
|
let config = (load-provisioning-config)
|
|
|
|
# Access secrets normally
|
|
let db_password = ($config | get database.password)
|
|
</code></pre>
|
|
<h2 id="emergency-key-recovery"><a class="header" href="#emergency-key-recovery">Emergency Key Recovery</a></h2>
|
|
<p>If you lose your Age key:</p>
|
|
<ol>
|
|
<li><strong>Check backups</strong>: <code>~/.config/sops/age/keys.txt.backup</code></li>
|
|
<li><strong>Check other systems</strong>: Keys might be on other dev machines</li>
|
|
<li><strong>Contact team</strong>: Team members with access can re-encrypt for you</li>
|
|
<li><strong>Rotate secrets</strong>: If keys are lost, rotate all secrets</li>
|
|
</ol>
|
|
<h2 id="advanced"><a class="header" href="#advanced">Advanced</a></h2>
|
|
<h3 id="multiple-recipients-team-access"><a class="header" href="#multiple-recipients-team-access">Multiple Recipients (Team Access)</a></h3>
|
|
<pre><code class="language-yaml"># .sops.yaml
|
|
creation_rules:
|
|
- path_regex: .*\.enc\.yaml$
|
|
age: >-
|
|
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p,
|
|
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8q
|
|
</code></pre>
|
|
<h3 id="key-rotation"><a class="header" href="#key-rotation">Key Rotation</a></h3>
|
|
<pre><code class="language-bash"># Generate new key
|
|
age-keygen -o ~/.config/sops/age/keys-new.txt
|
|
|
|
# Update .sops.yaml with new recipient
|
|
|
|
# Rotate keys for file
|
|
provisioning config rotate-keys workspace/config/secure.yaml <new-key-id>
|
|
</code></pre>
|
|
<h3 id="scan-and-encrypt-all"><a class="header" href="#scan-and-encrypt-all">Scan and Encrypt All</a></h3>
|
|
<pre><code class="language-bash"># Find all unencrypted sensitive configs
|
|
provisioning config scan-sensitive workspace --recursive
|
|
|
|
# Encrypt them all
|
|
provisioning config encrypt-all workspace --kms age --recursive
|
|
|
|
# Verify
|
|
provisioning config scan-sensitive workspace --recursive
|
|
</code></pre>
|
|
<h2 id="documentation"><a class="header" href="#documentation">Documentation</a></h2>
|
|
<ul>
|
|
<li><strong>Full Guide</strong>: <code>docs/user/CONFIG_ENCRYPTION_GUIDE.md</code></li>
|
|
<li><strong>SOPS Docs</strong>: https://github.com/mozilla/sops</li>
|
|
<li><strong>Age Docs</strong>: https://age-encryption.org/</li>
|
|
</ul>
|
|
<hr />
|
|
<p><strong>Last Updated</strong>: 2025-10-08</p>
|
|
|
|
</main>
|
|
|
|
<nav class="nav-wrapper" aria-label="Page navigation">
|
|
<!-- Mobile navigation buttons -->
|
|
<a rel="prev" href="../user/CONFIG_ENCRYPTION_GUIDE.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
|
|
<i class="fa fa-angle-left"></i>
|
|
</a>
|
|
|
|
<a rel="next prefetch" href="../user/DYNAMIC_SECRETS_QUICK_REFERENCE.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
|
|
<i class="fa fa-angle-right"></i>
|
|
</a>
|
|
|
|
<div style="clear: both"></div>
|
|
</nav>
|
|
</div>
|
|
</div>
|
|
|
|
<nav class="nav-wide-wrapper" aria-label="Page navigation">
|
|
<a rel="prev" href="../user/CONFIG_ENCRYPTION_GUIDE.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
|
|
<i class="fa fa-angle-left"></i>
|
|
</a>
|
|
|
|
<a rel="next prefetch" href="../user/DYNAMIC_SECRETS_QUICK_REFERENCE.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
|
|
<i class="fa fa-angle-right"></i>
|
|
</a>
|
|
</nav>
|
|
|
|
</div>
|
|
|
|
<!-- Livereload script (if served using the cli tool) -->
|
|
<script>
|
|
const wsProtocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
|
|
const wsAddress = wsProtocol + "//" + location.host + "/" + "__livereload";
|
|
const socket = new WebSocket(wsAddress);
|
|
socket.onmessage = function (event) {
|
|
if (event.data === "reload") {
|
|
socket.close();
|
|
location.reload();
|
|
}
|
|
};
|
|
|
|
window.onbeforeunload = function() {
|
|
socket.close();
|
|
}
|
|
</script>
|
|
|
|
|
|
|
|
<script>
|
|
window.playground_copyable = true;
|
|
</script>
|
|
|
|
|
|
<script src="../elasticlunr.min.js"></script>
|
|
<script src="../mark.min.js"></script>
|
|
<script src="../searcher.js"></script>
|
|
|
|
<script src="../clipboard.min.js"></script>
|
|
<script src="../highlight.js"></script>
|
|
<script src="../book.js"></script>
|
|
|
|
<!-- Custom JS scripts -->
|
|
|
|
|
|
</div>
|
|
</body>
|
|
</html>
|