Agent Configuration Encryption
Encrypt sensitive values in the BindPlane Agent configuration file
Sensitive values (e.g. passwords, API keys, credential blobs) in the BindPlane Agent on-disc configuration file can be encrypted using the AES credential provider. The agent needs to be configured with the environment variable OTEL_AES_CREDENTIAL_PROVIDER set to a valid AES encryption key in base64 format. An AES 32-byte (AES-256) key can be generated using the following command:
Caveats
Once the agent is configured with an encryption key, the key must be provided to the agent on startup. If the key is lost, the agent will be unable to decrypt the configuration file, and the agent will fail to start. In order to safely rotate the key the agent is using, either reinstall the agent, providing the new key at that time, or configure the agent without any sensitive parameters by pausing all destinations in the configuration. The agent can then be restarted with the new key, the destinations restarted, and the configuration with sensitive parameters can be rolled out.
Configuration
In all these examples, replace <your key> with the base64 encoded AES key, for example n0joqT/sBPaOiudEovYiW3oM51SegcuyY6c0TACG/yQ=.
Linux
You can configure the OTEL_AES_CREDENTIAL_PROVIDER environment variable by using a Systemd override.
Run the following command:
Modify the agents systemd file's override to look like this:
Then run the following command to reload the systemd configuration:
Windows
Start powershell as adminstrator and run the following command:
Then restart the service:
Alternatively, the key can be set in the Windows Registry Editor by adding a new environment variable named OTEL_AES_CREDENTIAL_PROVIDER with the value <your key>:
And restart the service using the Services application:
MacOS
Add OTEL_AES_CREDENTIAL_PROVIDER to the EnvironmentVariables dict in the launchd service file /Library/LaunchDaemons/com.observiq.collector.plist (other values are shown for context):
Then restart the agent: