By default, the following data is stored encrypted in the hybrid runtime plane:
- Key management system (KMS) data
- Key-value map (KVM) data
- Cache data
Data encryption does not require any special configuration on your part. However, if for some reason you want to use your own encryption keys (replacing the default ones) you can do so, as explained in this topic.
Encryption key scope
Encryption keys for KMS, KVM, and cache have scope. For example, KMS keys have organization scope. This means that the key is used to encrypt KMS data for the entire organization. The following table lists the scope for each type of key:
| Encryption key | Scope |
|---|---|
| KMS | Organization only |
| KVM |
Organization or environment
If a KVM policy
specifies |
| Cache | Environment only |
About the default encryption keys
By default, Apigee hybrid provides a set of Base64-encoded keys that are used to encrypt KVM, KMS, and cache data. The Apigee hybrid installer stores the keys in the runtime plane as Kubernetes Secrets, and uses them to encrypt your data with AES-128 standard encryption. The keys are under your control; the hybrid management plane is never aware of them at any time.
Changing the default encryption keys
Although not required, you can change any of the default encryption keys if you wish. To replace one or more default keys, follow these steps:
- Copy the following stanzas into your overrides file.
This configuration lets you change the KMS and KVM encryption keys
for the organization level and the KVM and cache encryption keys for the environment level:
defaults: org: kmsEncryptionKey: base64-encoded-key kvmEncryptionKey: base64-encoded-key env: kvmEncryptionKey: base64-encoded-key cacheEncryptionKey: base64-encoded-key
- Generate a new key for each key you wish to replace. Each key must be a Base64-encoded string that is exactly 16, 24, or 32 bytes long. See also How to create an encoded key.
- Replace the default keys with new ones. In this example, all of the default keys are
replaced with keys:
defaults: org: kmsEncryptionKey: "JVpTb1FwI0otUHo2RUdRN3pnVyQqVGlMSEFAJXYmb1c=" kvmEncryptionKey: "T3VkRGM1U3cpOFgtNk9fMnNZU2NaSVA3I1BtZWxkaUU=" env: kvmEncryptionKey: "Q3h6M3R6OWdBeipxTURfKjQwQVdtTng2dU5mODFHcyE=" cacheEncryptionKey: "b2NTVXdKKjBzN0NORF9XSm9tWFlYKGJ6NUhpNystJVI="
- Apply the overrides file to your cluster as follows:
- If you change KVM or Cache keys, update only the environment:
$APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --env env_name
- If you change KMS keys, update both the org and environment:
$APIGEECTL_HOME/apigeectl apply -f overrides/overrides.yaml --env env_name --org org_name
- If you change KVM or Cache keys, update only the environment:
- Restart the
apigee-runtimeandapigee-martpods.
A note about backward compatibility
When you first install Apigee hybrid, default encryption keys are used. If you were to remove the encryption keys, you would effectively disable encryption and subsequent values would be stored unencrypted. If at a later time you enable encryption by providing keys, any existing unencrypted data remains unencrypted; however, any future data that is added will be encrypted. The system will continue working normally with the unencrypted data and the new encrypted data.
Also, note that you cannot later change the encryption keys once the runtime data is encrypted.
How to create an encoded key
A properly formatted Base-64-encoded key is required for KVM, KMS, and cache encryption. The key used for any of these purposes must be Base-64 encoded from a string that is 16, 24, or 32 bytes long, as explained below:
The following example command generates a suitable, randomly generated, 32 character, Base64-encoded string:
head -c 32 /dev/random | openssl base64