Configuration File Encryption

This topic includes an overview of configuration file encryption, setup information, and encryption configuration settings.

Overview

Collectors can encrypt config files using AGE encryption. NetObserv Flow uses environment variables to configure this encryption.

By default, encryption is off. Enabling it creates keys (or reads existing ones), keeps the private key unencrypted unless EF_CONFIG_ENCRYPT_PASSWORD is set, and encrypts the config file in place. To enable encryption with the default settings, set EF_CONFIG_ENCRYPT_ENABLE=true in the environment of the NetObserv Flow command.

If you enable encryption:

  • The Azure VNet configuration is also encrypted in place, using the same key.

  • Public and private key files can be shared between collectors.

  • You can use the same configuration when generating a support bundle. Files under the --support-bundle-config-dir are decrypted in the support bundle, so the bundle contains the plaintext configuration and must be handled as sensitive.

Note: Unlike other collector options, you must specify the encryption settings directly in the environment; they cannot live in the config file, because that file is what gets encrypted. Keep the private key and its password secure: losing either makes the encrypted config file unrecoverable. Maintain a backup copy of the private key and, optionally, an unencrypted copy of the config file in a secure location.

NetObserv Flow Collector Configuration

You can configure your flow collectors with NetObserv Flow to encrypt your config files using age encryption. The Unified Flow Collector (flowcoll) is started with the --config option pointing at the YAML configuration file.

By default, this YAML file is stored in plaintext. You can encrypt this file using one of two methods:

  • Encrypt the entire file using age encryption.

  • Encrypt only the value parts of each key: value line (and all comments), using the sops editor.

Getting Started

Environmental Dependencies

Setting up encrypted flow collection depends on the following tools:

  • sops, installed in your local environment, for editing encrypted files.

  • age, installed in your local environment, for key handling and for decrypting a password-protected private key on the CLI.

Setup

Start flowcoll with the encryption settings (described under Encryption Settings below) in its environment.

Starting the flow collector this way:

  • Generates the age keys at the configured file paths (password-protected if EF_CONFIG_ENCRYPT_PASSWORD is set).

  • Encrypts the YAML file specified with the --config option using those keys.

EF_CONFIG_ENCRYPT_PASSWORD is optional. It functions like the passphrase on an SSH private key: it encrypts the age private key on disk, and the same password is needed to decrypt it on every subsequent start.

Once encrypted with sops, the configuration file is updated in place. The file keeps its keys and structure but holds encrypted values for logging settings, enrichment configurations (Maxmind ASN, Maxmind GeoIP, NetIntel, User-Defined Metadata), and all other settings.

A sops section at the end of the file contains the encryption details (the age recipient and the encrypted data key), the last modification date, a MAC that sops verifies on decryption so that tampering with the file is detected, the unencrypted suffix, and the sops version.

Encryption Settings

EF_CONFIG_ENCRYPT_ENABLE

Turns config file encryption on or off.

  • Valid values: true, false
  • Default: false

EF_CONFIG_ENCRYPT_CREATE

If config file encryption is enabled (EF_CONFIG_ENCRYPT_ENABLE is true), this setting creates a public/private keypair if none exists. The keys are stored at the configured file paths. If key files already exist from previous NetObserv Flow runs, this setting does nothing; the files are not regenerated or overwritten.

  • Valid values: true, false
  • Default: true

EF_CONFIG_ENCRYPT_TYPE

If config file encryption is enabled (EF_CONFIG_ENCRYPT_ENABLE set to true), specify the file encryption type.

  • sops: Encrypts configuration values and comments while keeping the file structure intact.

  • standard: Encrypts the entire file using AGE encryption.

  • Valid values: sops, standard
  • Default: standard

Note: The directory holding the key files (/etc/juniper/flowcoll/.age by default) must exist before NetObserv Flow starts. NetObserv Flow does not create the directory.

EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH

Sets the file path location of the private key file. If used with EF_CONFIG_ENCRYPT_CREATE, then the private key used in the keystore is generated at this location.

  • The default is: /etc/juniper/flowcoll/.age/key.age

EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH

Sets the file path location of the public key file. If used with EF_CONFIG_ENCRYPT_CREATE, then the public key used in the keystore is generated at this location.

  • The default is: /etc/juniper/flowcoll/.age/public-age-keys.txt

EF_CONFIG_ENCRYPT_PASSWORD

The private key file can be encrypted with this password for added security, similar to a passphrase on an SSH private key. When combined with EF_CONFIG_ENCRYPT_CREATE, the generated private key is stored password-protected. The same password is required to decrypt the private key whenever NetObserv Flow starts.

  • Default: none

EF_CONFIG_ENCRYPT_PUBLIC_KEY

Use this setting instead of EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH to supply the public key (age recipient) directly. Do not combine it with EF_CONFIG_ENCRYPT_CREATE, which generates its own keypair. The public key only encrypts; the matching private key at EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH is still needed to decrypt the config at start.

  • Default: none
  • Example: age164x50zgnmcesqglr25vr9ypje7lx3tkad4vwavcjpuh083lug9tqku8s74
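A preflight script for the Setup procedure and the settings reference above, added here as an example rather than NetObserv Flow's own tooling. Before flowcoll is started it checks the conditions the settings state (the key directory must exist, EF_CONFIG_ENCRYPT_PUBLIC_KEY and EF_CONFIG_ENCRYPT_CREATE are mutually exclusive, a public key must have the shape of an age recipient) and, as an added hardening check that the page does not require, that the private key is readable only by its owner. The config path in the usage comment is an assumed example.

```shell
#!/bin/sh
# Preflight for starting flowcoll with config encryption. Added example, not
# NetObserv Flow's own tooling: it validates the EF_CONFIG_ENCRYPT_* settings
# against the rules in the settings reference before the collector starts.

# Defaults mirror the documented ones; any of them can be overridden in the
# environment before this script is sourced.
: "${EF_CONFIG_ENCRYPT_ENABLE:=true}"
: "${EF_CONFIG_ENCRYPT_CREATE:=true}"
: "${EF_CONFIG_ENCRYPT_TYPE:=standard}"
: "${EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH:=/etc/juniper/flowcoll/.age/key.age}"
: "${EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH:=/etc/juniper/flowcoll/.age/public-age-keys.txt}"
: "${EF_CONFIG_ENCRYPT_PUBLIC_KEY:=}"

# is_age_recipient VALUE: succeeds if VALUE has the shape of an age X25519
# recipient: "age1" followed by 58 bech32 characters (the bech32 alphabet
# omits 1, b, i and o). This is a format check only, not a key validation.
is_age_recipient() {
  [ "${#1}" -eq 62 ] || return 1
  case "$1" in age1*) ;; *) return 1 ;; esac
  case "${1#age1}" in *[!qpzry9x8gf2tvdw0s3jn54khce6mua7l]*) return 1 ;; esac
  return 0
}

# encrypt_preflight: prints one line per problem found and returns the number
# of problems, so 0 means "safe to start flowcoll".
encrypt_preflight() {
  problems=0
  fail() { echo "preflight: $1"; problems=$((problems + 1)); }

  case "$EF_CONFIG_ENCRYPT_ENABLE" in
    true) ;;
    false) echo "preflight: encryption disabled, nothing to check"; return 0 ;;
    *) fail "EF_CONFIG_ENCRYPT_ENABLE must be true or false" ;;
  esac
  case "$EF_CONFIG_ENCRYPT_TYPE" in
    sops|standard) ;;
    *) fail "EF_CONFIG_ENCRYPT_TYPE must be sops or standard" ;;
  esac

  # The collector does not create the key directory, so a missing one is fatal.
  keydir=$(dirname "$EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH")
  [ -d "$keydir" ] || fail "key directory $keydir does not exist"

  if [ "$EF_CONFIG_ENCRYPT_CREATE" = true ]; then
    # Keys are generated on start; supplying a recipient inline contradicts that.
    [ -z "$EF_CONFIG_ENCRYPT_PUBLIC_KEY" ] ||
      fail "EF_CONFIG_ENCRYPT_PUBLIC_KEY cannot be combined with EF_CONFIG_ENCRYPT_CREATE=true"
  else
    # Not generating keys: the private key must already be in place ...
    [ -f "$EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH" ] ||
      fail "private key $EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH not found"
    # ... and the recipient must come from the inline setting or the key file.
    if [ -n "$EF_CONFIG_ENCRYPT_PUBLIC_KEY" ]; then
      is_age_recipient "$EF_CONFIG_ENCRYPT_PUBLIC_KEY" ||
        fail "EF_CONFIG_ENCRYPT_PUBLIC_KEY is not shaped like an age recipient"
    elif [ -f "$EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH" ]; then
      while IFS= read -r recipient || [ -n "$recipient" ]; do
        is_age_recipient "$recipient" ||
          fail "bad recipient in $EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH: $recipient"
      done < "$EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH"
    else
      fail "no public key: set EF_CONFIG_ENCRYPT_PUBLIC_KEY or provide $EF_CONFIG_ENCRYPT_PUBLIC_KEY_FILE_PATH"
    fi
  fi

  # The private key unlocks every config encrypted to it; keeping it readable
  # by the owner only is an added hardening check (GNU find syntax).
  if [ -f "$EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH" ] &&
     [ -n "$(find "$EF_CONFIG_ENCRYPT_PRIVATE_KEY_FILE_PATH" -perm /077 2>/dev/null)" ]; then
    fail "private key is readable by group or others; chmod 600 it"
  fi
  return "$problems"
}

# Usage (config path is an assumed example): run the checks in the same
# environment the collector will get, then start it.
#   encrypt_preflight && exec flowcoll --config /etc/juniper/flowcoll/flowcoll.yml
```

Source the script in the shell (or systemd ExecStartPre wrapper) that launches flowcoll so that the checks see exactly the environment the collector will inherit; a non-zero return stops the start before a misconfiguration leaves the config half-encrypted or the collector unable to read it.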

Editing Encrypted Files

Note: Do not edit encrypted files by hand. Use the sops CLI editor, which decrypts the file for editing and re-encrypts it on save; a hand edit breaks the encrypted values or the MAC check.

To edit an encrypted configuration file securely, give sops the recipient (public key) it re-encrypts with and the private key it decrypts with, then run sops with the path of the encrypted file.

For a private key that is not password-protected, set:

  • SOPS_AGE_RECIPIENTS=$(</etc/juniper/flowcoll/.age/public-age-keys.txt)

  • SOPS_AGE_KEY_FILE=/etc/juniper/flowcoll/.age/key.age

In age, "recipient" is the term for a public key. The $(<file) form is a bash shortcut for $(cat file).

For a password-protected private key, set:

  • SOPS_AGE_RECIPIENTS=$(</etc/juniper/flowcoll/.age/public-age-keys.txt)

  • SOPS_AGE_KEY=$(age -d /etc/juniper/flowcoll/.age/key.age)

The age -d command prompts for the password at the terminal and returns the decrypted private key, which sops reads from SOPS_AGE_KEY. Because that value is the plaintext private key, set it for the sops command only (for example, as a prefix assignment on the same line) rather than exporting it into the shell session.

With these variables set, sops decrypts the file in memory and opens it in a text editor. By default, the editor is vim. To use nano instead, also set the EDITOR environment variable:

  • EDITOR=nano

  • SOPS_AGE_RECIPIENTS=$(</etc/juniper/flowcoll/.age/public-age-keys.txt)

  • SOPS_AGE_KEY=$(age -d /etc/juniper/flowcoll/.age/key.age)

After editing, save and exit; sops re-encrypts the content and updates the encrypted file on disk.
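A wrapper for the editing procedure above, added here as an example and not part of NetObserv Flow or sops. It tells a password-protected key (an age-encrypted file) from a plain age identity file, chooses SOPS_AGE_KEY or SOPS_AGE_KEY_FILE accordingly, and hands the decrypted key to the sops process alone. The AGE_DIR, AGE_PRIVATE_KEY and AGE_PUBLIC_KEYS variables are this script's own names, defaulting to the documented paths; the config path in the usage comment is an assumed example.

```shell
#!/bin/sh
# Edit an encrypted flowcoll config with sops. Added example, not NetObserv
# Flow's or sops' own tooling. Paths default to the documented locations; the
# variable names below are this script's own.
: "${AGE_DIR:=/etc/juniper/flowcoll/.age}"
: "${AGE_PRIVATE_KEY:=$AGE_DIR/key.age}"
: "${AGE_PUBLIC_KEYS:=$AGE_DIR/public-age-keys.txt}"

# key_kind FILE: prints "plaintext" for an unprotected age identity file (it
# carries an AGE-SECRET-KEY-1... line), "encrypted" for a password-protected
# one (output of age -p, which starts with the age header line or its ASCII
# armor banner), and "unknown" otherwise (failing in that case).
key_kind() {
  if grep -q '^AGE-SECRET-KEY-1' "$1" 2>/dev/null; then
    echo plaintext; return 0
  fi
  case "$(head -n 1 "$1" 2>/dev/null)" in
    age-encryption.org/v1|"-----BEGIN AGE ENCRYPTED FILE-----")
      echo encrypted; return 0 ;;
  esac
  echo unknown; return 1
}

# edit_encrypted_config FILE: sops decrypts FILE in memory, opens it in $EDITOR
# (vim when unset) and re-encrypts it on save. Returns the sops exit status.
edit_encrypted_config() {
  file=$1
  command -v sops >/dev/null 2>&1 || { echo "sops is not installed" >&2; return 127; }
  [ -f "$file" ] || { echo "no such config file: $file" >&2; return 1; }
  # "recipient" is age's word for a public key; sops needs it to re-encrypt.
  # One recipient per line in the file becomes the comma list sops expects.
  recipients=$(paste -sd, "$AGE_PUBLIC_KEYS") || return 1
  case "$(key_kind "$AGE_PRIVATE_KEY")" in
    plaintext)
      # sops reads the identity straight from the file.
      SOPS_AGE_RECIPIENTS=$recipients SOPS_AGE_KEY_FILE=$AGE_PRIVATE_KEY \
        EDITOR=${EDITOR:-vim} sops "$file"
      ;;
    encrypted)
      # age -d prompts for the password on the terminal. The decrypted identity
      # is handed only to this one sops process via a prefix assignment, so it
      # is never exported into the interactive shell or written to history.
      command -v age >/dev/null 2>&1 || { echo "age is not installed" >&2; return 127; }
      identity=$(age -d "$AGE_PRIVATE_KEY") || return 1
      SOPS_AGE_RECIPIENTS=$recipients SOPS_AGE_KEY=$identity \
        EDITOR=${EDITOR:-vim} sops "$file"
      rc=$?
      unset identity
      return "$rc"
      ;;
    *)
      echo "$AGE_PRIVATE_KEY is not an age key file" >&2; return 1
      ;;
  esac
}

# Usage (config path is an assumed example):
#   edit_encrypted_config /etc/juniper/flowcoll/flowcoll.yml
```

The prefix-assignment form matters more than it looks: an exported SOPS_AGE_KEY outlives the edit and is inherited by every later command in that shell, whereas here the decrypted identity exists only in the wrapper's variable and the single sops process.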