# Configuration Encryption

Sensitive values (e.g. passwords, API keys, credential blobs) in the Bindplane Collector's on-disk configuration file can be encrypted using the AES credential provider. The collector must be configured with the environment variable `OTEL_AES_CREDENTIAL_PROVIDER` set to a valid AES encryption key in base64 format. A 32-byte (AES-256) key can be generated with the following command:

```bash
openssl rand -base64 32
```

### Caveats

Once the collector is configured with an encryption key, the key must be provided to the collector on startup. If the key is lost, the collector will be unable to decrypt the configuration file, and the collector will fail to start. In order to safely rotate the key the collector is using, either reinstall the collector, providing the new key at that time, or configure the collector without any sensitive parameters by pausing all destinations in the configuration. The collector can then be restarted with the new key, the destinations restarted, and the configuration with sensitive parameters can be rolled out.
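As an added example (not the AES credential provider's or Bindplane's own code), the following Go program shows what the value in `OTEL_AES_CREDENTIAL_PROVIDER` has to satisfy and why a lost or changed key makes encrypted values unreadable: the base64 key must decode to 16, 24 or 32 bytes, and a value sealed with AES-GCM under one key fails authentication under any other. The nonce-prefixed ciphertext layout is an assumption of this example, not something the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// OpenKey turns the base64 value of OTEL_AES_CREDENTIAL_PROVIDER into an AES-GCM cipher.
func OpenKey(b64 string) (cipher.AEAD, error) {
	key, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("key is not valid base64: %w", err)
	}
	block, err := aes.NewCipher(key) // rejects any length other than 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns base64(nonce || ciphertext || tag); the nonce-prefixed layout is this example's assumption.
func Encrypt(g cipher.AEAD, secret string) (string, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(g.Seal(nonce, nonce, []byte(secret), nil)), nil
}

// Decrypt reverses Encrypt; a wrong key fails GCM authentication instead of yielding garbage,
// which is why a lost key leaves the configuration unreadable.
func Decrypt(g cipher.AEAD, b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(blob) < g.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	pt, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("decrypt failed, wrong or rotated key: %w", err)
	}
	return string(pt), nil
}

func main() {
	g, _ := OpenKey("n0joqT/sBPaOiudEovYiW3oM51SegcuyY6c0TACG/yQ=") // the sample key from this page
	fmt.Println(Encrypt(g, "constructed-api-key"))               // sample secret, constructed
}
```

Key rotation in this model is decrypting under the old key and re-encrypting under the new one; the procedure above avoids that step by ensuring no encrypted value is in the configuration while the key changes.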

### Configuration

In all these examples, replace `<your key>` with the base64 encoded AES key, for example `n0joqT/sBPaOiudEovYiW3oM51SegcuyY6c0TACG/yQ=`.

#### Linux

You can configure the `OTEL_AES_CREDENTIAL_PROVIDER` environment variable by using a [Systemd override](https://wiki.archlinux.org/title/systemd).

Run the following command:

```bash
sudo systemctl edit observiq-otel-collector
```

Modify the collector's systemd override file to look like this:

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2FZdbQYKy8LiErFq987Wab%2FConfig_encryption_linux_systemd.png?alt=media&#x26;token=017ad4a8-b1b7-4efc-987f-c6531605aeda" alt="Bindplane docs - systemd override"><figcaption></figcaption></figure>

Then run the following command to reload the systemd configuration:

```bash
sudo systemctl daemon-reload
sudo systemctl restart observiq-otel-collector
```

#### Windows

Start PowerShell as Administrator and run the following command (the `/f` flag overwrites any existing `Environment` value for the service without prompting):

```powershell
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\observiq-otel-collector" /v Environment /t REG_MULTI_SZ /d "OTEL_AES_CREDENTIAL_PROVIDER=<your key>" /f
```

Then restart the service:

```powershell
Restart-Service observiq-otel-collector
```

Alternatively, the key can be set in the Windows Registry Editor by adding a new environment variable named `OTEL_AES_CREDENTIAL_PROVIDER` with the value `<your key>`:

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-9922d29cf41cd64aa276f958afc321d97167a35e%2Fconfiguration-bindplane-otel-collector-configuration-encryption-image-1.png?alt=media" alt="Bindplane docs - Configuration Encryption - image 1"><figcaption></figcaption></figure>

And restart the service using the Services application:

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-d1a60adfefd27c4203bbb6080c10dc75548cecd8%2Fconfiguration-bindplane-otel-collector-configuration-encryption-image-2.png?alt=media" alt="Bindplane docs - Configuration Encryption - image 2"><figcaption></figcaption></figure>

#### macOS

Add `OTEL_AES_CREDENTIAL_PROVIDER` to the `EnvironmentVariables` dict in the launchd service file `/Library/LaunchDaemons/com.observiq.collector.plist` (other values are shown for context):

```xml
<key>EnvironmentVariables</key>
<dict>
    <key>OTEL_AES_CREDENTIAL_PROVIDER</key>
    <string><your key></string>
    <key>OIQ_OTEL_COLLECTOR_HOME</key>
    <string>/opt/observiq-otel-collector/</string>
    <key>OIQ_OTEL_COLLECTOR_STORAGE</key>
    <string>/opt/observiq-otel-collector/storage</string>
</dict>
```

Then restart the collector:

```bash
sudo launchctl unload /Library/LaunchDaemons/com.observiq.collector.plist
sudo launchctl load /Library/LaunchDaemons/com.observiq.collector.plist
```

### External Links

* [AES Credential Provider](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/confmap/provider/aesprovider)
