X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/02f2c38ee8f2a5d2e33a7bd2ff033303e6861aaf..9dc967877cb3599ce3584aca57e8c3672f94bd0a:/doc/_includes/_ssl_config_multi.liquid diff --git a/doc/_includes/_ssl_config_multi.liquid b/doc/_includes/_ssl_config_multi.liquid index b4d6eff616..19513bd16a 100644 --- a/doc/_includes/_ssl_config_multi.liquid +++ b/doc/_includes/_ssl_config_multi.liquid @@ -38,3 +38,36 @@ To supply your own certificates, change the configuration like this: {% include 'multi_host_install_custom_certificates' %} All certificate files will be used by nginx. You may need to include intermediate certificates in your certificate files. See "the nginx documentation":http://nginx.org/en/docs/http/configuring_https_servers.html#chains for more details. + +h4(#secure-tls-keys). Securing your TLS certificate keys (AWS specific) (optional) + +When using @SSL_MODE=bring-your-own@, you can keep your TLS certificate keys encrypted on the server nodes. This reduces the risk of certificate leaks from node disk volumes snapshots or backups. + +This feature is currently implemented in AWS by providing the certificate keys’ password via Amazon’s "Secrets Manager":https://aws.amazon.com/es/secrets-manager/ service, and installing appropriate services on the nodes that provide this password to nginx via a file that only lives in system RAM. + +If you use the installer's Terraform code, the secret and related permission cloud resources are created automatically, and you can customize the secret's name by editing @terraform/services/terraform.tfvars@ and setting its suffix in @ssl_password_secret_name_suffix@. + +In @local.params@ you need to set @SSL_KEY_ENCRYPTED@ to @yes@ and change the default values for @SSL_KEY_AWS_SECRET_NAME@ and @SSL_KEY_AWS_REGION@ if necessary. + +Then, if your certificate key file is not yet encrypted, you can generated an encrypted version of it by running the @openssl@ command as follows: + + +
openssl rsa -aes256 -in your.key -out your.encrypted.key
+
+ +(this will ask you to type the encryption password) + +This encrypted key file will be the one needed to be copied to the @${CUSTOM_CERTS_DIR}@ directory, instead of the plain key file. + +In order to allow the appropriate nodes decrypt the key file, you should set the password on Amazon Secrets Manager. There're a couple way this can be done: + +# Through AWS web interface may be the easiest, just make sure to set it as "plain text" instead of JSON. +# By using the AWS CLI tools, for example: + +
aws secretsmanager put-secret-value --secret-id pkey-pwd --secret-string "p455w0rd" --region us-east-1
+
+Where @pkey-pwd@ should match with what's set in @SSL_KEY_AWS_SECRET_NAME@ and @us-east-1@ with what's set in @SSL_KEY_AWS_REGION@. + +Take into account that the AWS secret should be set before running @installer.sh deploy@ to avoid any failures when trying to start the @nginx@ servers. + +If you ever need to change the encryption password on a running cluster, you should first change the secret's value on AWS, and only then copy the newly encrypted key file to @${CUSTOM_CERTS_DIR}@ and re-run the deploy command. \ No newline at end of file