Key encryption

Apigee Hybrid supports the encryption of these runtime plane entities:

  • Cache data
  • Key-value map (KVM) data
  • Key management system (KMS) data

This topic explains how to enable encryption of these entities in the Hybrid runtime configuration.

Overview

To enable encryption, you must provide secret keys that you generate. The keys allow Hybrid to encrypt cache, KVM, and KMS data. Using the keys you provide, Hybrid generates keys that are stored in the runtime plane as Kubernetes Secrets. The keys are under your control; the Hybrid management plane is never aware of them at any time.

Backward compatibility: If you do not provide encryption keys when you initially install Hybrid, entities are not encrypted when they are stored in the runtime plane. If at a later time you enable encryption by providing keys, exiting data remains unencrypted; however, any future data that is added will be encrypted. The system will continue working normally with the unencrypted data and the new encrypted data.

Enabling encryption

To enable encryption of KMS, cache, and KVM data:

  1. Generate an encryption key. See Sample key encryption code for details.
  2. Add the following encryption key paths to overrides.yaml:
  3. org: your_org_name
    envs:
      - name: env_name
        hostAlias: alias
        sslKeyPath: path_to_ssl_key_file
        sslCertPath: path_to_cert_file
        kmsEncryptionKeyPath: path_to_kms_encryption_key_file
        cacheEncryptionKeyPath: path_to_cache_encryption_key_file
        kvmEncryptionKeyPath: path_to_kvm_encryption_key_file
    

    Where:

    • kmsEncryptionKeyPath - The path to a text file containing your generated key for KMS encryption.
    • cacheEncryptionKeyPath - The path to a text file containing your generated key for Cache encryption.
    • kvmEncryptionKeyPath - The path to a text file containing your generated key for KVM encryption.

    Example:

    org: hybrid
    envs:
      - name: test
        hostAlias: foo-test.mydomain.net
        sslCertPath: /Users/myhome/ingress.crt
        sslKeyPath: /Users/myhome/ingress.key
        kmsEncryptionKeyPath: /Users/myhome/enc_kms.txt
        cacheEncryptionKeyPath: /Users/myhome/enc_cache.txt
        kvmEncryptionKeyPath: /Users/myhome/enc_kvm.txt
  4. Apply the overrides file to your cluster.

Sample key encryption code

Below is sample Java code you can use to generate secret keys for your Hybrid configuration.

import javax.crypto.KeyGenerator;
import java.security.SecureRandom;
import java.util.Base64;
import java.security.NoSuchAlgorithmException;
import javax.crypto.SecretKey;

public class CreateSecretKey {

    public static void main(String[] args) {

        KeyGenerator generator = null;
        try {
            generator = KeyGenerator.getInstance("AES");
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        generator.init(new SecureRandom());
        SecretKey encKey = generator.generateKey();
        System.out.println("Encoded key: " + encKey);
        String encryptionKey = Base64.getEncoder().encodeToString(encKey.getEncoded());
        System.out.println("Base64 encoded key: " + encryptionKey);
    }
}