Storing connection credentials
Note You can manage your data source secrets and credentials by using Vaults.
Connection and capability credentials are stored solely on the Edge site. At rest, credentials are protected with envelope encryption: the credentials are encrypted by a key, which in turn is encrypted by another key.
The Edge native encryption mechanism is based on two RSA key pairs. They are stored in the following places:
Keys | DIC server | Edge server | Purpose | When is it generated? | Where is it stored?
---|---|---|---|---|---
Red public key | Yes | No | Used to encrypt connection credentials. | After the Edge site is successfully installed. | In the Collibra Cloud.
Red private key | Yes (encrypted using the blue public key) | No | Used to decrypt connection credentials. | After the Edge site is successfully installed. | Encrypted by the blue public key, in the Collibra Cloud.
Blue public key | Yes | Yes | Used to encrypt the red private key. | During the installation or re-installation of the Edge site. | Encrypted on the Edge site.
Blue private key | No | Yes | Used to decrypt the red private key. | During the installation or re-installation of the Edge site. | Encrypted on the Edge site.
The blue key pair is stored as a Kubernetes credential on the Edge server, so it is also covered by the native K3S encryption at rest, as described here.
An Edge site owns the blue key pair, with the blue private key stored on Edge. Similarly, Collibra Data Intelligence Platform owns the red key pair. Every credential on Edge is encrypted with the red public key. For each capability execution, the red private key is sent to the Edge site encrypted with the blue public key. Once on the Edge site, the red private key is decrypted with the blue private key, and the credentials needed to execute a connection or a capability are decrypted with the red private key and injected into the capability container.
Note Inside the k8s cluster, all other credentials, for example data source credentials and datadog credentials, are stored encrypted at rest.