Generate System Encryption Keys

On Linux

The encryption keys are used to encrypt the system passwords configured in the datavault builder. Because those passwords are stored in the processing database, encrypting them prevents anyone with direct access to that database from reading them in cleartext. Below are some ways to create the encryption keys.

0. Possible requirement: Entropy pool

On a server you will probably need an entropy-gathering daemon, because gpg blocks during key generation until the kernel has collected enough entropy; on a desktop client you can simply move the mouse while gpg is running. Note that rngd -r /dev/urandom only feeds the kernel's own /dev/urandom output back into the pool, which satisfies the entropy estimate without adding real randomness; if the machine has a hardware RNG (rngd's default source, /dev/hwrng), prefer that. To install and start an entropy-gathering daemon:

  • RHEL / CentOS:

    sudo yum install rng-tools
    sudo rngd -r /dev/urandom
    
  • Ubuntu / Debian:

    sudo apt-get install rng-tools
    sudo rngd -r /dev/urandom
    

1. Generate the keys

Now generate a new key pair with gpg and, when prompted, choose RSA/RSA with 4096 bits. The command depends on the GnuPG version: GnuPG 1.4 and 2.0 (RHEL 7, CentOS 7, Ubuntu 16.04) prompt for key type and size with --gen-key, whereas GnuPG 2.1 and newer (Ubuntu 18.04) use their defaults for --gen-key without asking and only prompt with --full-generate-key.

  • RHEL 7 / CentOS 7 / Ubuntu 16.04:

    gpg --gen-key  (select RSA/RSA, 4096 bits)
    
  • Ubuntu 18.04:

    gpg --full-generate-key  (select RSA/RSA, 4096 bits)
    

2. Look up the ID of the generated key

List your keys and note the fingerprint of the key you want to export: a 40-character hexadecimal string such as 906D6CC7116E90F277A23B534A2F176B19BD4390. gpg --list-signatures lists every key in the keyring together with its signatures; adding --list-secret-keys instead limits the output to keys whose private part you hold, and --fingerprint prints the full fingerprint on older GnuPG versions that otherwise show only the short key ID. e.g.:

gpg --list-signatures

3. Export everything to files

Store the exported keys and the passphrase of the private key in files so they can be mounted as docker secrets. Create the secrets directory with restrictive permissions first (mode 700, files mode 600): whoever obtains the private key file together with its passphrase can decrypt every stored system password. On GnuPG 2.1 and newer, --export-secret-keys prompts for the passphrase before writing the key. Note also that a password typed on the echo command line is recorded in your shell history; remove that entry afterwards.

gpg -a --export YOUR_KEY > secrets/systems_password_public_key.txt
gpg -a --export-secret-keys YOUR_KEY > secrets/systems_password_private_key.txt
echo YOUR_PASSWORD > secrets/systems_password_private_key_password.txt

Sample:

gpg -a --export 906D6CC7116E90F277A23B534A2F176B19BD4390 > secrets/systems_password_public_key.txt
gpg -a --export-secret-keys 906D6CC7116E90F277A23B534A2F176B19BD4390 > secrets/systems_password_private_key.txt
echo ng74na7ub247 > secrets/systems_password_private_key_password.txt
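The whole procedure above as a non-interactive script, added here as an example; it is not part of the datavault builder documentation or product. It assumes GnuPG 2.1 or newer (it relies on --pinentry-mode loopback, which the GnuPG 2.0 shipped with RHEL 7 does not know), a POSIX shell, and placeholder values for the key's name and e-mail address. It generates the RSA/RSA 4096-bit key pair in a throw-away keyring, writes the three files from step 3 into the secrets directory with mode 600, and then checks the exported files by encrypting a sample system password with only the public-key file and decrypting it with only the private-key and passphrase files.

```shell
#!/bin/sh
# Added example, not code from the datavault builder documentation.
# Assumptions: GnuPG >= 2.1 (--pinentry-mode loopback), POSIX sh,
# placeholder user ID (name/e-mail) for the generated key.
set -eu

# Emit a GnuPG batch parameter file for an RSA/RSA key pair.
# $1 = passphrase, $2 = key length in bits. Expire-Date 0: the stored system
# passwords must stay decryptable indefinitely, so the key must not expire.
dvb_batch_params() {
    cat <<EOF
Key-Type: RSA
Key-Length: $2
Subkey-Type: RSA
Subkey-Length: $2
Name-Real: Datavault Builder systems password key
Name-Email: dvb-secrets@example.invalid
Expire-Date: 0
Passphrase: $1
%commit
EOF
}

# Use a throw-away keyring so nothing touches the user's own ~/.gnupg.
dvb_temp_home() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
}

# Stop the agent that gpg 2.1+ auto-starts for the temporary keyring, then delete it.
dvb_drop_home() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# Fingerprint of the first key in the current keyring, from the machine-readable
# listing: the first "fpr" record belongs to the primary key, not to a subkey.
# $1 = --list-keys or --list-secret-keys
dvb_fingerprint() {
    gpg --batch --with-colons "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate the key pair and write the three files used as docker secrets.
# $1 = output directory, $2 = passphrase, $3 = key length (default 4096).
# Prints the fingerprint, i.e. the YOUR_KEY value from the instructions above.
dvb_generate_keys() {
    out=$1; pass=$2; bits=${3:-4096}
    umask 077                      # files 0600, directories 0700 from here on
    mkdir -p "$out"
    passfile=$out/systems_password_private_key_password.txt
    # printf instead of echo: no escape-sequence surprises; trailing newline kept as in the docs.
    printf '%s\n' "$pass" > "$passfile"
    dvb_temp_home
    dvb_batch_params "$pass" "$bits" |
        gpg --batch --quiet --pinentry-mode loopback --gen-key
    fpr=$(dvb_fingerprint --list-secret-keys)
    gpg --batch --armor --export "$fpr" > "$out/systems_password_public_key.txt"
    # Exporting the secret key re-protects it under its passphrase, which gpg-agent
    # must be given non-interactively; read it from the file, not from argv (visible in ps).
    gpg --batch --pinentry-mode loopback --passphrase-file "$passfile" \
        --armor --export-secret-keys "$fpr" > "$out/systems_password_private_key.txt"
    dvb_drop_home
    printf '%s\n' "$fpr"
}

# Verify the exported files: encrypt a sample password with only the public-key file,
# decrypt it with only the private-key and passphrase files. Returns 0 on a match.
dvb_roundtrip() {
    dir=$1; sample=$2
    passfile=$dir/systems_password_private_key_password.txt

    dvb_temp_home                  # encrypting side: public key only
    gpg --batch --quiet --import "$dir/systems_password_public_key.txt"
    fpr=$(dvb_fingerprint --list-keys)
    # --trust-model always: the key carries no trust in this fresh keyring, and batch
    # mode would otherwise refuse to encrypt to it.
    cipher=$(printf '%s' "$sample" |
        gpg --batch --quiet --trust-model always --armor --recipient "$fpr" --encrypt)
    dvb_drop_home

    dvb_temp_home                  # decrypting side: private key and passphrase only
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
        --import "$dir/systems_password_private_key.txt"
    plain=$(printf '%s' "$cipher" |
        gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$passfile" --decrypt)
    dvb_drop_home

    [ "$plain" = "$sample" ]
}
```

Usage: source the file, then run dvb_generate_keys secrets 'ng74na7ub247' to produce the three files from step 3 (the printed fingerprint is the key ID), and dvb_roundtrip secrets 'some-source-db-password' to confirm that the files in secrets/ are sufficient on their own to encrypt and decrypt a system password. The passphrase is passed to gpg only via the batch parameter stream and the passphrase file, never on the command line, so it does not show up in process listings; the batch parameters themselves are piped, not written to disk.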