Encryption - epam/hubctl GitHub Wiki

Protecting the hub.yaml.elaborate and hub.yaml.state files is critical to maintaining stack security. When written to remote storage such as AWS S3, GCP, or Azure Storage, the files are encrypted with AES-256 in GCM mode. The data key currently comes from one of the following sources:

  1. PBKDF2 key derivation function controlled by the HUB_CRYPTO_PASSWORD environment variable. Set it to <random-password>.
  2. AWS KMS data key referenced by HUB_CRYPTO_AWS_KMS_KEY_ARN. Set it to arn:aws:kms:<region>:<account-no>:alias/<key-alias>.
  3. Azure Key Vault key referenced by HUB_CRYPTO_AZURE_KEYVAULT_KEY_ID. Set it to https://<my-kv>.vault.azure.net/keys/<my-key>/<key-version>.
  4. GCP KMS keyring key name referenced by HUB_CRYPTO_GCP_KMS_KEY_NAME. Set it to projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key>.

If you are using Mozilla SOPS, the cloud KMS key identifiers take the same form as SOPS_KMS_ARN, SOPS_AZURE_KEYVAULT_URLS, and SOPS_GCP_KMS_IDS.
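To make the PBKDF2 mode concrete, here is an added example (not hubctl's own code) that derives a 32-byte data key from a HUB_CRYPTO_PASSWORD-style passphrase and seals a state file body with AES-256-GCM, using only the Go standard library. The blob layout, 16-byte salt, and 100000 iterations are assumptions for this example; the page does not specify hubctl's actual parameters or on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Layout assumed for this example (not hubctl's real format): salt(16) || nonce(12) || ciphertext || tag(16).
const saltLen, nonceLen, tagLen, iterations = 16, 12, 16, 100000
// pbkdf2Key is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte key; a single output block suffices.
func pbkdf2Key(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the only output block
	u := mac.Sum(nil)             // U_1
	key := append([]byte(nil), u...)
	for i := 1; i < iter; i++ { // key = U_1 xor U_2 xor ... xor U_iter
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key { key[j] ^= u[j] }
	}
	return key
}
// newGCM derives the data key from password+salt and returns an AES-256-GCM AEAD.
func newGCM(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2Key(password, salt, iterations))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Seal encrypts a state file body under a fresh random salt and nonce, so no (key, nonce) pair repeats.
func Seal(password, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil { return nil, err }
	gcm, err := newGCM(password, hdr[:saltLen])
	if err != nil { return nil, err }
	return gcm.Seal(hdr, hdr[saltLen:], plaintext, nil), nil
}
// Open verifies the GCM tag first: a wrong password or any modified byte is rejected.
func Open(password, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen { return nil, errors.New("blob too short") }
	gcm, err := newGCM(password, blob[:saltLen])
	if err != nil { return nil, err }
	return gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}
```

Because the salt is random per call, the same password never yields the same data key twice, and GCM's tag means a truncated or modified object in the bucket fails to decrypt rather than yielding corrupted state.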
