
Agent Configuration Encryption

Encrypt sensitive values in the BindPlane Agent configuration file

Sensitive values (e.g. passwords, API keys, credential blobs) in the BindPlane Agent's on-disk configuration file can be encrypted using the AES credential provider. The agent needs to be configured with the environment variable OTEL_AES_CREDENTIAL_PROVIDER set to a valid AES encryption key in base64 format. A 32-byte (AES-256) key can be generated with the following command:

```bash
openssl rand -base64 32
```

Caveats

Once the agent is configured with an encryption key, the key must be provided to the agent on startup. If the key is lost, the agent will be unable to decrypt the configuration file, and the agent will fail to start. In order to safely rotate the key the agent is using, either reinstall the agent, providing the new key at that time, or configure the agent without any sensitive parameters by pausing all destinations in the configuration. The agent can then be restarted with the new key, the destinations restarted, and the configuration with sensitive parameters can be rolled out.

Configuration

In all these examples, replace <your key> with the base64 encoded AES key, for example n0joqT/sBPaOiudEovYiW3oM51SegcuyY6c0TACG/yQ=.

Linux

You can configure the OTEL_AES_CREDENTIAL_PROVIDER environment variable by using a Systemd override.

Run the following command:

```bash
sudo systemctl edit observiq-otel-collector
```

Modify the agent's systemd override to look like this:

observIQ docs - systemd override

Then run the following command to reload the systemd configuration:

```bash
sudo systemctl daemon-reload
sudo systemctl restart observiq-otel-collector
```
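The key-generation step above and the Linux systemd steps together, as an added example script that is not part of the BindPlane documentation. It generates the key with the same `openssl` command, checks that the key really decodes to 32 bytes (a wrong-length key would leave the agent unable to decrypt its configuration at startup), and writes the drop-in file that `systemctl edit` would create, `/etc/systemd/system/observiq-otel-collector.service.d/override.conf`, with mode 0600 so the clear-text key is not world-readable. The `install_key` function name and the `write_override` directory parameter are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the BindPlane docs): generate an AES-256 key for
# OTEL_AES_CREDENTIAL_PROVIDER, validate it, and install it as a systemd
# drop-in the same way `systemctl edit` would, but non-interactively.
set -eu

UNIT="observiq-otel-collector"

# Generate a 32-byte key, base64 encoded (same command the docs use).
generate_key() {
    openssl rand -base64 32
}

# Return 0 only if the argument is valid base64 that decodes to exactly 32 bytes.
# 16- or 24-byte keys are valid AES keys but not AES-256; anything else is not
# a usable key at all and the agent would fail to start.
validate_key() {
    local decoded_len
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    decoded_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$decoded_len" -eq 32 ]
}

# Write the drop-in that `systemctl edit` creates: <unit>.service.d/override.conf
# under the systemd directory given as $1 (/etc/systemd/system on a real host;
# a temporary directory is used in tests). Created with mode 0600 because the
# file holds the key in clear text. Prints the path of the file written.
write_override() {
    local systemd_dir="$1" key="$2"
    local dropin_dir="$systemd_dir/$UNIT.service.d"
    mkdir -p "$dropin_dir"
    (
        umask 077
        cat > "$dropin_dir/override.conf" <<EOF
[Service]
Environment="OTEL_AES_CREDENTIAL_PROVIDER=$key"
EOF
    )
    printf '%s\n' "$dropin_dir/override.conf"
}

# Full procedure on a host (run as root): generate, validate, install, restart.
# Keep a copy of the key somewhere safe: per the caveats, the agent cannot
# start without it, and rotating it requires the steps described above.
install_key() {
    local key
    key=$(generate_key)
    validate_key "$key" || { echo "generated key is not 32 bytes" >&2; return 1; }
    write_override /etc/systemd/system "$key"
    systemctl daemon-reload
    systemctl restart "$UNIT"
}

# Uncomment to run on a real host:
# install_key
```

`validate_key` is also useful on its own before pasting a key into the Windows registry or the macOS plist: a truncated or mistyped key is caught before the agent restart fails.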

Windows

Start PowerShell as administrator and run the following command:

```powershell
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\observiq-otel-collector" /v Environment /t REG_MULTI_SZ /d "OTEL_AES_CREDENTIAL_PROVIDER=<your key>" /f
```

Then restart the service:

```powershell
Restart-Service observiq-otel-collector
```

Alternatively, the key can be set in the Windows Registry Editor by adding a new environment variable named OTEL_AES_CREDENTIAL_PROVIDER with the value <your key>:

observIQ docs - Windows Registry Editor

And restart the service using the Services application:

observIQ docs - Windows Service

macOS

Add OTEL_AES_CREDENTIAL_PROVIDER to the EnvironmentVariables dict in the launchd service file /Library/LaunchDaemons/com.observiq.collector.plist (other values are shown for context):

```xml
<key>EnvironmentVariables</key>
<dict>
    <key>OTEL_AES_CREDENTIAL_PROVIDER</key>
    <string><your key></string>
    <key>OIQ_OTEL_COLLECTOR_HOME</key>
    <string>/opt/observiq-otel-collector/</string>
    <key>OIQ_OTEL_COLLECTOR_STORAGE</key>
    <string>/opt/observiq-otel-collector/storage</string>
</dict>
```

Then restart the agent:

```bash
sudo launchctl unload /Library/LaunchDaemons/com.observiq.collector.plist
sudo launchctl load /Library/LaunchDaemons/com.observiq.collector.plist
```