CONFIGURE ENCRYPTION
To ensure the security of users’ sensitive configuration data, Nacos provides a new feature of configuration encryption. The risk of user usage is reduced, and the configuration is no longer required to be encrypted separately.
Preconditions
Version:
The old version is temporarily incompatible. Currently, it is only based on the 2.x version. The recommended version is > 2.0.4.
Embedded database startup:
The database table config_info, config_info_beta, his_config_info needs to add a new field encrypted_data_key
to store the key used for encryption of each configuration item. This field has been added to the sql of the new version of the default table creation.
If you have used the single-machine mode of the embedded database before, you need to delete the nacos/data folder, and the table will be recreated after restarting.
MySQL start:
The database table config_info, config_info_beta, his_config_info needs to add a new field encrypted_data_key
to store the key used for encryption of each configuration item. This field has been added to the sql of the new version of the default table creation.
For the currently built Nacos, use the following sql to add fields to the corresponding table:
ALTER TABLE table_name ADD COLUMN `encrypted_data_key` text NOT NULL COMMENT '秘钥'
Plug-in implementation
The operations of encryption and decryption are abstracted through the SPI mechanism, and Nacos provides the implementation of AES
by default. Users can also customize the implementation of encryption and decryption. The specific implementation is in the nacos-plugin repository.
When the Nacos server starts, all dependent encryption and decryption algorithms will be loaded, and then by publishing the prefix of the configured dataId
to match whether encryption and decryption are required and the encryption and decryption algorithms used.
The configuration published by the client will be encrypted and decrypted by the filter on the client side, that is, the configuration is in cipher text during the transmission process. The configuration published by the console will be processed on the server side.
How to use
The Nacos encryption and decryption plug-in is pluggable, and it does not affect the operation of the core functions of Nacos. If you want to use the configuration encryption and decryption functions of Naocs, you need to refer to the implementation of the encryption algorithm separately. Both the client and the server use the AES encryption and decryption algorithm by adding the following dependencies. The server is recommended to add it to the config module.
${nacos-aes-encryption-plugin.version} Get the latest version of the plugin。
The plugin doesn’t upload to Maven Central Repository, you need to compile it by yourslfe
How to compile
You need to compile nacos
and install to your local repository,before all the things.
git clone git@github.com:alibaba/nacos.git
cd nacos && mvn -B clean package install -Dmaven.test.skip=true
if during this time occur an error that maven can’t resolve
${revision}
, you may need to update maven version to latest.
git clone git@github.com:nacos-group/nacos-plugin.git
mvn install
Done, enjoy it!
Suggestion: upload to your company repository if you can
Create encryption configuration
-
Open the Nacos console and click New Configuration.
-
The configuration prefix uses cipher-[encryption algorithm name]-dataId to identify that the configuration needs to be encrypted, and the system will automatically identify and encrypt it. For example use the AES algorithm to decrypt the configuration: cipher-aes-application-dev.yml.
-
Click Save to view the database