How to change the default N|Solid Storage encryption keys
Deprecation Notice: If you are upgrading from N|Solid 2.x, here are the need-to-know steps for migrating to N|Solid 3.x.
* N|Solid Storage has been eliminated, and its functionality is provided by the N|Solid 3.x Console server. Attempting to connect an existing N|Solid Storage instance to a N|Solid 3.x Console will not work unless the storage instance is running in relay mode.
* Many of the settings and environment variables from N|Solid Storage are available in the 3.x N|Solid Console; substitute CONSOLE for STORAGE in the variable name. View the Networking documentation for specific settings.
* Loading a N|Solid 3.x Console server with the same configuration as a N|Solid Storage instance will load some of your existing assets and metrics history, but Heap Snapshots will need to be accessed directly from your storage device. The default location has changed from ~/.nsolid-storage to ~/.nsolid-console.
* The N|Solid 2.x Runtime is compatible with the N|Solid 3.x Console, but not all functionality will be available.
* The environment variables used to configure N|Solid Runtime are the same as with N|Solid 2.x; however, you must provide a valid license during any operation, either via a connection to an N|Solid Console or by providing a License Token directly. Read the Configuration guide for more information.
* The nsolid-cli syntax and behavior have changed from 2.x; be sure to read the Command Line Interface documentation if you use this functionality.
By default, data sent from the N|Solid agents to the N|Solid Storage instance is encrypted. N|Solid ships with a default set of encryption keys. To prevent unauthorized N|Solid agents from connecting, the encryption keys need to be changed in the N|Solid Storage instance, and each N|Solid agent must be updated to use the new public key.
Generating New Keys
To generate new keys, we use the nsolid-cli command line tool.
nsolid-cli generate-keypair
The output will be similar to:
{"public":"T$/tyDU2saEm7pDMp?W:>J/vO[O5]0uIb2xY((pY","private":"hrkD/?xckyL]kHw]j@GX.OR1!DkI@YTdEac9HvJi"}
Configuring N|Solid Storage
There are two ways to configure the N|Solid Storage instance to use the new keys. The first is to use environment variables to set the new public/private keys. The second is to create a configuration file and launch the N|Solid Storage instance pointing at the custom configuration.
Using Environment Variables
The two environment variables are:
NSOLID_STORAGE_SOCKETS_PRIVATE_KEY
NSOLID_STORAGE_SOCKETS_PUBLIC_KEY
Depending on the characters in the key, you may need to wrap each key in single quotes so that your shell does not interpret characters such as $, ! or > in the value.
With the environment variables set, you can start the N|Solid Storage instance normally and the new encryption keys will be in effect.
Using Configuration File
The N|Solid Storage configuration file uses the TOML format. A sample config file updating the encryption keys looks like so:
[sockets]
publicKey = "^kvy<i^qI<r{=JADfK4K<#NtqY+zaH:ksm/YGE6I"
privateKey = "2).NRO5d[JbEFJADF@hdvE1(Fv?B6iIAn>NcLLDx"
The N|Solid Storage instance then needs to be started with a flag to indicate that you want to use a configuration file:
nsolid-storage --config newkeys.toml
More details about the configuration file can be found at https://docs.nodesource.com/nsolid/2.1/docs/networking
Configuring the N|Solid Agent
The last step is to have the N|Solid agent use the new public key for communicating with the N|Solid Storage instance. The agent reads the key from this environment variable:
NSOLID_PUBKEY
If this value doesn't match the public key set on the N|Solid Storage instance, the N|Solid agent will report error messages similar to:
N|Solid warning: Connection to data remote not attempted!
N|Solid warning: Connection to bulk remote not attempted!
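The three configuration steps above, as an added Node.js example that is not NodeSource code: it takes the JSON printed by nsolid-cli generate-keypair (the sample output from this page is embedded) and renders the single-quoted environment variable lines, the [sockets] TOML table, and the agent setting. The helper names are hypothetical, and the check that keys are printable ASCII is an assumption based on the sample keys shown here.

```javascript
// Added example (not NodeSource code). Sample output copied from this page.
const SAMPLE_OUTPUT =
  '{"public":"T$/tyDU2saEm7pDMp?W:>J/vO[O5]0uIb2xY((pY","private":"hrkD/?xckyL]kHw]j@GX.OR1!DkI@YTdEac9HvJi"}';

// Parse the generate-keypair JSON and reject missing or odd-looking keys.
// Assumption: keys are non-empty printable ASCII without spaces.
function parseKeypair(jsonText) {
  const parsed = JSON.parse(jsonText);
  for (const field of ['public', 'private']) {
    const value = parsed[field];
    if (typeof value !== 'string' || !/^[\x21-\x7e]+$/.test(value)) {
      throw new Error(`missing or malformed "${field}" key`);
    }
  }
  return { public: parsed.public, private: parsed.private };
}

// POSIX single quotes stop the shell expanding $, !, >, ( and friends;
// an embedded single quote is written as '\'' (close, escaped quote, reopen).
function shellQuote(value) {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// TOML basic strings need backslash and double quote escaped.
function tomlString(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// The storage instance receives both keys through its environment.
function storageEnv(keys) {
  return [
    'export NSOLID_STORAGE_SOCKETS_PUBLIC_KEY=' + shellQuote(keys.public),
    'export NSOLID_STORAGE_SOCKETS_PRIVATE_KEY=' + shellQuote(keys.private),
  ].join('\n');
}

// Equivalent [sockets] table for: nsolid-storage --config <file>
function storageToml(keys) {
  return '[sockets]\n' +
    'publicKey = ' + tomlString(keys.public) + '\n' +
    'privateKey = ' + tomlString(keys.private) + '\n';
}

// Agents are only ever given the public key, never the private one.
function agentEnv(keys) {
  return 'export NSOLID_PUBKEY=' + shellQuote(keys.public);
}

const keys = parseKeypair(SAMPLE_OUTPUT);
console.log([storageEnv(keys), storageToml(keys), agentEnv(keys)].join('\n\n'));
```

Only the storage output contains the private key, so keep that file or environment readable by the storage service account alone.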