Encryption Backends
Vaulty encrypts and decrypts data using encryption backends. The encryption backend is selected with the VAULTY_ENCRYPTION_TYPE
environment variable. Currently the following backends are supported:
- none (used by default)
- aesgcm - AES GCM encryption with a user-provided encryption key
- awskms - AES GCM encryption with an encryption key provided and managed by AWS KMS
None
Built-in backend that performs Base64 encoding and decoding only; Base64 is an encoding, not encryption, so stored data is readable by anyone who can access it.
It requires no setup or configuration, which is why it works best for demo and development purposes. This backend should NEVER be used in production. If you want, you can specify the none
encryption backend like this:
AES GCM
Built-in backend that uses AES encryption in GCM mode with a 256-bit encryption key.
To use AES GCM encryption, set the following environment variables:
The encryption key must be exactly 32 characters long (32 bytes, i.e. 256 bits). Generate an encryption key:
outputs something like this:
AWS KMS
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys.
Configuration
To let Vaulty use AWS KMS for encryption, you must specify your AWS credentials, region, and master key ID.
Region and master key are set via environment variables:
Specifying AWS Credentials
AWS KMS encryption backend requires credentials (an access key and secret access key) to sign requests to AWS. You can specify your credentials in several different locations, depending on your particular use case. Here you can find information about obtaining credentials.
Vaulty will look for credentials in the following order:
- Environment variables.
- Shared credentials file.
- If Vaulty is running on an Amazon EC2 instance, IAM role for Amazon EC2.
- If Vaulty uses an ECS task definition or RunTask API operation, IAM role for tasks.
If you have any issues with specifying the credentials, you can check the AWS SDK for Go documentation for more details.