Starting with 3.6, both Agent and Management Console allow encryption of vital data (like job access keys, object storage access keys, etc.) in their storage folder.
Agent attempts to encrypt sensitive data using existing security mechanisms provided by the OS or hardware, but may require a passphrase to be set manually via an environment variable. This usually happens when no security mechanism such as a TPM or keychain is available, for example, on a cloud instance or inside a Docker container.
Management Console never encrypts sensitive data by default and relies on OS security. However, it also allows a passphrase for data encryption to be set manually via an environment variable.
- Set environment variable RESILIO_MPASSWD to some value. To customize the variable name, add the following section to the Console configuration file. Do this while MC is down, and be sure to preserve JSON format.

    "security": {"mpasswd_env":"preferred_variable_name"}

- Be sure to store the value of the variable securely somewhere, since if it is lost there is no way to recover Management Console state.
- Restart your Management Console (it encrypts sensitive data on boot up).
- Set environment variable RESILIO_KEY to some value. In cluster setup (per this guide) be sure to use the same key for all cluster nodes. Otherwise the Agent won't be authorized on the MC after the cluster failover.
- Restart agent service / daemon once done. Agent may show an error about inability to decrypt its data; this is expected.
- Approve the Agent if it asks for approval or just restart agent to clear the error.
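
One way to carry out the Console configuration-file step above while preserving JSON format, as an added example that is not Resilio's code. The configuration file path you pass in and the helper names `set_mpasswd_env` and `new_passphrase` are assumptions; only the "security" and "mpasswd_env" keys come from this page.

```python
# Added example (not Resilio's code): add the "security" section to a
# Management Console configuration file without breaking its JSON.
import json
import os
import secrets
import shutil
import tempfile


def set_mpasswd_env(config_path, variable_name):
    """Set security.mpasswd_env in the JSON config at config_path.

    Keeps every existing key, saves a .bak copy, and replaces the file
    atomically so a crash cannot leave half-written JSON behind.
    """
    with open(config_path, "r", encoding="utf-8") as fh:
        config = json.load(fh)  # raises ValueError if the file is not valid JSON
    if not isinstance(config, dict):
        raise ValueError("top level of the config must be a JSON object")

    security = config.setdefault("security", {})
    if not isinstance(security, dict):
        raise ValueError('existing "security" entry is not a JSON object')
    security["mpasswd_env"] = variable_name

    shutil.copy2(config_path, config_path + ".bak")
    directory = os.path.dirname(os.path.abspath(config_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        shutil.copymode(config_path, tmp_path)  # keep the original permissions
        os.replace(tmp_path, config_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return config


def new_passphrase(nbytes=32):
    """Return a random passphrase suitable as the variable's value."""
    return secrets.token_urlsafe(nbytes)
```

Run it while MC is down and as the account that owns the configuration file, so ownership of the replaced file does not change.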