Customer Credentials
Note You can manage your data source secrets and credentials by using Vaults.
Credentials storage
All sensitive data is stored on Edge and encrypted by the native k3s mechanism. Additionally, all user entered credentials are encrypted using the native Edge encryption mechanism.
Secret encryption
In the case of Virtual Machine or Bare Metal installations (k3s based), all secrets are encrypted using the native Kubernetes mechanism. The whole state of the cluster, including Secrets and ConfigMaps, is subject to encryption. The encryption algorithm used is AES 128 in CBC mode with PKCS#7 padding, which you can check by running the following command:
sudo /usr/local/bin/k3s secrets-encrypt status
Additionally, if you don't use vaults, k3s and k8s add another level of encryption using AES 256 to any data at rest, that is, data that is not currently in transit from one node to another. For more information, see the Kubernetes documentation page Encrypting Confidential Data at Rest.
The entire database is stored in the /var/lib/rancher/k3s/server/db/state.db file, which contains the SQLite data.
Credential encryption
Every value that is marked as To be encrypted by Edge management is additionally encrypted with the Edge site-specific red public key.
The algorithm for encryption is summarized below:
- User enters sensitive text either via Web UI or REST API.
- The text is placed in a command queue for your Edge site to execute, as happens for other commands such as run job or cancel job. The Edge site's polling mechanism picks up the text for execution, which in this case means storing the credentials as a Kubernetes secret.
- The Edge management module retrieves the red public key for the specific site.
- A new AES 128 symmetric key (encryption key) is generated.
- The encryption key is used to encrypt the sensitive text.
- The encryption key itself is encrypted using the red public key.
- The encrypted encryption key and the encrypted text are concatenated and encoded using Base64 encoding to form the Edge secret.
- The Edge secret is then sent directly to the Edge site, where it is stored as a Kubernetes secret.
In short, the algorithms used are:
- RSA 2048 in ECB mode with PKCS#1 padding
- AES 128 in ECB mode with PKCS#7 padding
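The wrap and unwrap steps above, as an added Go example that is not Collibra's code: a fresh AES-128 key encrypts the text in ECB mode with PKCS#7 padding, the red public key wraps that key with RSA PKCS#1 v1.5 padding, and the Edge secret is Base64(wrappedKey || ciphertext). The Edge-site decryption side, the function names and the input checks are my assumptions; the page describes only the management side.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
)
// ecbApply runs fn (block.Encrypt or block.Decrypt) on each 16-byte block alone: ECB has no IV, so equal plaintext blocks give equal ciphertext blocks.
func ecbApply(fn func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		fn(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}
// WrapSecret is the Edge management side: a fresh AES-128 key encrypts the PKCS#7-padded
// text, the red public key wraps that key (RSA PKCS#1 v1.5), result = Base64(wrappedKey || ciphertext).
func WrapSecret(redPub *rsa.PublicKey, sensitiveText string) (string, error) {
	key := make([]byte, 16)
	rand.Read(key) // crypto/rand.Read is documented never to fail (Go 1.24+)
	wrappedKey, err := rsa.EncryptPKCS1v15(rand.Reader, redPub, key) // 256 bytes for RSA-2048
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(key) // a 16-byte key is always accepted
	n := aes.BlockSize - len(sensitiveText)%aes.BlockSize
	padded := append([]byte(sensitiveText), bytes.Repeat([]byte{byte(n)}, n)...)
	return base64.StdEncoding.EncodeToString(append(wrappedKey, ecbApply(block.Encrypt, padded)...)), nil
}
// UnwrapSecret is the assumed Edge site side (red private key); it rejects input whose length, key size or padding is wrong.
func UnwrapSecret(redPriv *rsa.PrivateKey, edgeSecret string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(edgeSecret)
	k := redPriv.Size() // the wrapped key is exactly one RSA modulus long
	if err != nil || len(raw) <= k || (len(raw)-k)%aes.BlockSize != 0 {
		return "", errors.New("malformed Edge secret")
	}
	key, err := rsa.DecryptPKCS1v15(rand.Reader, redPriv, raw[:k])
	if err != nil || len(key) != 16 {
		return "", errors.New("key unwrap failed")
	}
	block, _ := aes.NewCipher(key)
	padded := ecbApply(block.Decrypt, raw[k:])
	n := int(padded[len(padded)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(padded[len(padded)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(padded[:len(padded)-n]), nil
}
```

Because the key is wrapped with the site's public key, only the holder of the red private key can recover the AES key, and two wraps of the same text differ because the AES key is fresh each time.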
Credentials transfer
When the Collibra server (Edge management module) has encrypted the credentials, they are sent to the Edge site over HTTPS using TLS 1.3.
Collibra platform credentials
Apart from the credentials that users need to enter in order to connect to the data sources, there are also credentials which are needed to access the Collibra server itself.
These credentials include:
- Collibra server credentials (username and password, stored in the dgc-secret Secret)
- DataDog API key (stored in the datadog-secret Secret)
  - Rotation is currently not possible. You have to reinstall Edge.
- JFrog credentials (stored in the collibra-edge-repo-creds Secret)
  - Rotation is currently not possible. You have to reinstall Edge.
For K3S based installations, the JFrog credentials are also stored in the file /etc/rancher/k3s/registries.yaml
Note This file is unencrypted, but it is only accessible by the root user.