
[doc][yba] KMS and expiring tokens #23754

Merged
merged 4 commits into from
Sep 6, 2024
Changes from 2 commits
Expand Up @@ -188,24 +188,36 @@ You can create a new KMS configuration that uses HashiCorp Vault as follows:

1. Optionally, to confirm that the information is correct, click **Show details**. Note that sensitive configuration values are displayed partially masked.

## Modify a KMS configuration
## Replace an expiring token

You can modify an existing KMS configuration as follows:
If a KMS configuration uses a token for authentication, and that token cannot be infinitely renewed, you should replace the token before it expires (that is, reaches its TTL). You can also create a new policy, or switch to using an AppRole.

1. Navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations.
To replace a token, you create a new token for the existing policy in Vault, and add it to your KMS configuration in YugabyteDB Anywhere as follows:

1. In Hashicorp Vault, create a token for your existing policy. For example:

```shell
vault token create -no-default-policy -policy=trx
```

If you want to change the policy, see the steps in [Configure Hashicorp Vault](#configure-hashicorp-vault).

1. In YugabyteDB Anywhere, navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations.

1. Find the KMS configuration you want to modify and click its corresponding **Actions > Edit Configuration**.

1. Find the configuration you want to modify and click its corresponding **Actions > Edit Configuration**.
1. Set **Authentication Type** to **Token** and enter the token you obtained from the vault.

1. Provide new values for the **Vault Address** and **Secret Token** fields.
To switch to using an AppRole, set **Authentication Type** to **AppRole** and enter the credentials as appropriate.

1. Click **Save**.

1. Optionally, to confirm that the information is correct, click **Show details** or **Actions > Details**.
To confirm that the information is correct, click **Show details** or **Actions > Details**.

## Delete a KMS configuration

{{<note title="Note">}}
Without a KMS configuration, you would longer be able to decrypt universe keys that were encrypted using the master key in the KMS configuration. Even after a key is rotated out of service, it may still be needed to decrypt data in backups and snapshots that were created while it was active. For this reason, you can only delete a KMS configuration if it has never been used by any universes.
{{</note>}}

To delete a KMS configuration, click its corresponding **Actions > Delete Configuration**.
To delete a KMS configuration, navigate to **Integrations > Security > Encryption At Rest** to open a list of existing configurations and click its corresponding **Actions > Delete Configuration**.
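Review bot: the note in the "Delete a KMS configuration" section reads "you would longer be able to decrypt universe keys", which drops the "no"; it should read "you would no longer be able to decrypt universe keys". Two smaller points in the same hunk: the new first step and the link text spell it "Hashicorp Vault" while the hunk header line spells it "HashiCorp Vault", so pick one spelling; and because the text says the old token stays valid until it reaches its TTL, consider adding a step after **Save** that tells the reader to revoke the old token in Vault once the new configuration is confirmed to work, rather than leaving a superseded credential live until it expires.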