PricingSign inRequest a Demo

Configuration Encryption

Encrypt sensitive values in the Bindplane Collector configuration file

Sensitive values (e.g. passwords, API keys, credential blobs) in the Bindplane Collector on-disc configuration file can be encrypted using the AES credential provider. The collector needs to be configured with the environment variable OTEL_AES_CREDENTIAL_PROVIDER set to a valid AES encryption key in base64 format. An AES 32-byte (AES-256) key can be generated using the following command:

openssl rand -base64 32

Caveats

Once the collector is configured with an encryption key, the key must be provided to the collector on startup. If the key is lost, the collector will be unable to decrypt the configuration file, and the collector will fail to start. In order to safely rotate the key the collector is using, either reinstall the collector, providing the new key at that time, or configure the collector without any sensitive parameters by pausing all destinations in the configuration. The collector can then be restarted with the new key, the destinations restarted, and the configuration with sensitive parameters can be rolled out.

Configuration

In all these examples, replace <your key> with the base64 encoded AES key, for example n0joqT/sBPaOiudEovYiW3oM51SegcuyY6c0TACG/yQ=.

Linux

You can configure the OTEL_AES_CREDENTIAL_PROVIDER environment variable by using a Systemd override.

Run the following command:

sudo systemctl edit observiq-otel-collector

Modify the collectors systemd file's override to look like this:

Bindplane docs - systemd override

Then run the following command to reload the systemd configuration:

sudo systemctl daemon-reload
sudo systemctl restart observiq-otel-collector

Windows

Start powershell as administrator and run the following command:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\observiq-otel-collector" /v Environment /t REG_MULTI_SZ /d "OTEL_AES_CREDENTIAL_PROVIDER=<your key>" /f

Then restart the service:

Restart-Service observiq-otel-collector

Alternatively, the key can be set in the Windows Registry Editor by adding a new environment variable named OTEL_AES_CREDENTIAL_PROVIDER with the value <your key>:

Bindplane docs - Configuration Encryption - image 1

And restart the service using the Services application:

Bindplane docs - Configuration Encryption - image 2

MacOS

Add OTEL_AES_CREDENTIAL_PROVIDER to the EnvironmentVariables dict in the launchd service file /Library/LaunchDaemons/com.observiq.collector.plist (other values are shown for context):

<key>EnvironmentVariables</key>
<dict>
    <key>OTEL_AES_CREDENTIAL_PROVIDER</key>
    <string><your key></string>
    <key>OIQ_OTEL_COLLECTOR_HOME</key>
    <string>/opt/observiq-otel-collector/</string>
    <key>OIQ_OTEL_COLLECTOR_STORAGE</key>
    <string>/opt/observiq-otel-collector/storage</string>
</dict>

Then restart the collector:

sudo launchctl unload /Library/LaunchDaemons/com.observiq.collector.plist
sudo launchctl load /Library/LaunchDaemons/com.observiq.collector.plist

External Links

PreviousRetry and QueueingNextOpAMP

Last updated

Was this helpful?