Storing secrets
Secrets for connections and capabilities are stored solely on the Edge site. While at rest, secrets are using envelope encryption where the secret is encrypted by a key, which on its turn is encrypted by another key.
The Edge native encryption mechanism is based on two RSA key pairs. They are stored in the following places:
| Keys | DIC server | Edge server | Purpose |
|---|---|---|---|
| Red public key | Yes | No | Used to encrypt credentials. |
| Red private key | Yes (encrypted using public blue key) | No | Used to decrypt credentials |
| Blue public key | Yes | Yes | Used to encrypt red private keys. |
| Blue private key | No | Yes | Used to decrypt red private key. |
The blue key pair is stored as a Kubernetes secret on the Edgeserver so it undergoes a native K3S encryption as described here.
An Edge site owns the blue key pair, with the blue private key stored on Edge. Similar to that, Collibra Data Intelligence Cloud owns the red key pair. Every secret on Edge is encrypted with the red public key, which is sent to the Edge site for each capability execution, encrypted with the blue public key. Once on the Edge site, Edge can be decrypted with the red private key, and secrets needed to execute a connection or a capability are decrypted and injected into the capability container.
Note Inside the k8s cluster, all other secrets, for example data source credentials and datadog credentials, are stored encrypted at rest.