Configuration Encryption
Package Manager supports the encryption of sensitive configuration options. For example, the Postgres.Password, Proxy.Password, and Manifest.Password settings all support plain text or encrypted values.
Generate an Encryption Key
Although Package Manager automatically generates an encryption key if one does not exist, there are situations where you might need to create a key manually before starting the application. To generate an encryption key, run the following command in your terminal:
$ rspm encrypt generate
0616a5a7445f4c0b8b9f31a840f22a152f7621c5c9cc1febcb9f647183193c8e9f60...
The generated key can be stored in the PACKAGEMANAGER_ENCRYPTION_KEY environment variable or written to the persistent storage location (either file or s3).
If [Storage].Persistent is set to s3, the key needs to be manually uploaded to the correct location in the S3 bucket. This process looks like the following:
# generate the encryption key locally
rspm encrypt generate > rstudio-pm.key
# push it to S3 in the `/persistent/encryption` directory.
aws s3 cp rstudio-pm.key s3://<s3_bucket_name>/persistent/encryption/rstudio-pm.key
Now when Package Manager starts, it will read the encryption key from the S3 bucket.
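A hardened form of the S3 upload procedure above, as an added example that is not taken from the Package Manager documentation: under a typical umask of 022 the redirect creates rstudio-pm.key readable by other local users, and the file stays on disk after the upload. The function name stage_encryption_key and its bucket argument are assumptions; only rspm encrypt generate and aws s3 cp come from the page.

```shell
# Added example (not from the Package Manager documentation).
# stage_encryption_key is a hypothetical helper; $1 is the S3 bucket name.
stage_encryption_key() {
    bucket="$1"
    if [ -z "$bucket" ]; then
        echo "usage: stage_encryption_key <s3_bucket_name>" >&2
        return 2
    fi

    # mktemp -d creates a directory only the current user can enter.
    workdir=$(mktemp -d) || return 1
    keyfile="$workdir/rstudio-pm.key"

    # umask 077 in a subshell: the redirect creates the file as 0600
    # without changing the caller's umask.
    if ! ( umask 077; rspm encrypt generate > "$keyfile" ); then
        echo "rspm encrypt generate failed" >&2
        rm -rf "$workdir"
        return 1
    fi

    # Never upload an empty object: an empty file is not a key.
    if [ ! -s "$keyfile" ]; then
        echo "key generation produced no output" >&2
        rm -rf "$workdir"
        return 1
    fi

    # Same destination the procedure above uses.
    dest="s3://$bucket/persistent/encryption/rstudio-pm.key"
    rc=0
    aws s3 cp "$keyfile" "$dest" >&2 || rc=$?

    # Remove the local copy whether or not the upload succeeded.
    rm -rf "$workdir"
    if [ "$rc" -eq 0 ]; then
        echo "$dest"
    fi
    return "$rc"
}
```

The function prints the S3 destination on success and returns the exit status of aws s3 cp, so it can gate a deployment step.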
Encrypt a setting
To encrypt a sensitive configuration setting, use the rspm encrypt command. For example:
$ rspm encrypt
<< Encryption: Enter the plain text value below.
<< Qu0lI/gridhu85sqChwFtP2wFkqCcWt9owBpxFjAhKFaU2ZraBB2LM62Ieo=
Note
Only settings that have the type of encrypted-string support encryption.
Note
If [Storage].Persistent is set to s3, the key file must be present in the S3 bucket at the location /persistent/encryption/rstudio-pm.key and your AWS credentials must be configured correctly to access the key.
Key file
The rspm encrypt command creates a key file called rstudio-pm.key. This should be placed in the [Storage].Persistent location at /persistent/encryption/rstudio-pm.key. This key must not be deleted for the Package Manager server to properly read the configuration file.
Note that the PACKAGEMANAGER_ENCRYPTION_KEY environment variable can be used to specify the encryption key to rspm encrypt in place of the key file, which may be preferable to managing the file directly in some cases.