diff --git a/docs/administration/configuration/encryptable-properties.md b/docs/administration/configuration/encryptable-properties.md index caee2db54..cdec1279e 100644 --- a/docs/administration/configuration/encryptable-properties.md +++ b/docs/administration/configuration/encryptable-properties.md @@ -13,19 +13,18 @@ For instance you might want to encrypt the bind password to your LDAP server. Le ### Encrypting Property values -Runbook Automation has a feature to allow you to generate encrypted passwords using the Jasypt encryption library. The following instructions show how to encrypt a password with this utility from the command line. +Runbook Automation includes a built-in utility to generate encrypted property values using AES-256-GCM authenticated encryption. The following instructions show how to encrypt a password with this utility from the command line. cd into the directory where your rundeck.war is located run: ```shell -java -jar rundeck.war --encryptpwd Jasypt - +java -jar rundeck.war --encryptpwd Encryptable-properties ``` You will receive prompts for information that look like the following: -``` +```text Required values are marked with: * Encrypter Config (The base property name used in RD_ENCRYPTION_ or rd.encryption. ('default' is the default value)): 
@@ -38,11 +37,15 @@ binder123 (this won't be displayed) *Verify Value To Encrypt (Verify the text you want to encrypt): ==ENCRYPTED OUTPUT== -encrypted: bbnJmDtx82/NOeUc9ahULGVAH+RdSLG5 +encrypted: AQD3f8k2...base64-encoded-value... ``` -You will take the `encrypted:` value from the ENCRYPTED OUTPUT section which will have a value that looks like: `bbnJmDtx82/NOeUc9ahULGVAH+RdSLG5` (note that it will not be this value) and use it in your rundeck-config.properties file like this: -`rundeck.security.ldap.bindPassword=ENC(bbnJmDtx82/NOeUc9ahULGVAH+RdSLG5)` +You will take the `encrypted:` value from the ENCRYPTED OUTPUT section and use it in your rundeck-config.properties file like this: +`rundeck.security.ldap.bindPassword=ENC(AQD3f8k2...base64-encoded-value...)` + +:::tip Upgrade Note +Starting with Rundeck 6.0, new encrypted values use AES-256-GCM. Existing `ENC()` values encrypted with previous versions are automatically detected and decrypted without any configuration changes. +::: ### Decrypting rundeck-config.properties 
@@ -56,40 +59,24 @@ RDECK_JVM_SETTINGS=-Drd.encryption.default.password=1PwdToBindThem$ Then we would start our Runbook Automation installation. After the application has completed the bootstrap process and is responding to requests, the environment variable can be unset for security purposes. -### Advanced Usage - -If you wish to customize the algorithm, provider, or keyObtentions the Jasypt encryptor will use to encrypt the password, you can do this by passing those -values as system properties when you launch the encryption utility. - -For example, if you wish to use the `PBEWITHSHA256AND256BITAES-CBC-BC` algorithm to encrypt your password, you could do it like this: - -```shell -> java -jar -Drd.encryption.STRONG.algorithm=PBEWITHSHA256AND256BITAES-CBC-BC rundeckpro-cluster-3.0.0-SNAPSHOT.war --encryptpwd Jasypt -Required values are marked with: * -Encrypter Config (The base property name used in RD_ENCRYPTION_ or rd.encryption. ('default' is the default value)): -STRONG -*Master Password (Master password used to encrypt the value): -1PwdToBindThem$ (this won't be displayed) -*Verify Master Password (Verify master password): - -*Value To Encrypt (The text you want to encrypt): -binder123 (this won't be displayed) -*Verify Value To Encrypt (Verify the text you want to encrypt): +### Advanced Usage (Legacy Decryption) -==ENCRYPTED OUTPUT== -encrypted: i67e4g3jAUML0KCh+KwmnqX9lCflThMuu6CXm++VSqU= -``` - -Notice we are setting an rd.encryption config with the name STRONG. Then when prompted for the `Encrypter Config` by the tool we type in the value `STRONG`. This sets the encryptor to use the algorithm passed by `rd.encryption.STRONG.algorithm` instead of the default configuration which uses a different algorithm. +If you have existing encrypted values that were generated with a custom algorithm, provider, or keyObtentions in a previous Rundeck version, you can configure those settings so the system can decrypt them correctly. 
-To use your custom encrypted password when you start Rundeck, it is very important to ensure that the same system properties you used at encrypt time are set at launch time. Otherwise Rundeck will use the default decryptor settings which will not match your customized settings, and startup will fail. +:::warning +These settings only affect **decryption of legacy values**. All new encryptions use AES-256-GCM regardless of these settings. +::: -To start Rundeck with the settings in our example, the startup string would be something like: +For example, if your existing encrypted values were generated with the `PBEWITHSHA256AND256BITAES-CBC-BC` algorithm, set the corresponding system properties when starting Rundeck: ```shell -java -jar -Drd.encryption.STRONG.algorithm=PBEWITHSHA256AND256BITAES-CBC-BC -Drundeck.encrypter.config.name=STRONG rundeckpro-cluster-3.0.0-SNAPSHOT.war +java -Drd.encryption.STRONG.algorithm=PBEWITHSHA256AND256BITAES-CBC-BC \ + -Drundeck.encrypter.config.name=STRONG \ + -jar rundeck.war ``` +The `Encrypter Config` name (`STRONG` in this example) links the algorithm system property to the encrypted values. When the application encounters an `ENC(...)` value, it uses the configured algorithm and provider to decrypt legacy data. + If you would rather use environment variables to set the encryption settings you can use: `RUNDECK_PROP_DECRYPTER_CONFIG` to set the config to use and config settings can be supplied like: 
@@ -98,3 +85,13 @@ and config settings can be supplied like: For the example above, these would be: `export RUNDECK_PROP_DECRYPTER_CONFIG=STRONG` `export RD_ENCRYPTION_STRONG_ALGORITHM=PBEWITHSHA256AND256BITAES-CBC-BC` + +### Re-encrypting Legacy Values + +To migrate existing legacy-encrypted values to AES-256-GCM, re-run the encryption utility with the same master password: + +```shell +java -jar rundeck.war --encryptpwd Encryptable-properties +``` + +Enter the plaintext value you want to encrypt. The output will be in the new AES-256-GCM format. Replace the old `ENC(...)` value in your configuration file with the new one. Both old and new formats are supported simultaneously, so migration can be done incrementally. diff --git a/docs/administration/configuration/plugins/bundled-plugins.md b/docs/administration/configuration/plugins/bundled-plugins.md index 0cf52289b..b6f530a82 100644 --- a/docs/administration/configuration/plugins/bundled-plugins.md +++ b/docs/administration/configuration/plugins/bundled-plugins.md 
@@ -98,24 +98,26 @@ Provides a Workflow Step: File: `rundeck-flow-control-plugin-{{$rundeckVersionFull}}.jar` -## Jasypt Encryption Plugin +## AES-GCM Encryption Plugin Provides an encryption [storage converter](/administration/configuration/storage-facility.md#storage-converters) for the Storage facility. Can be used to encrypt the contents of Key Storage, and Project Configuration stored in the DB or on disk. -This plugin provides password based encryption for storage contents. -It uses the [Jasypt][] encryption library. The built in Java JCE is used unless another provider is specified, [Bouncycastle][] can be used by specifying the 'BC' provider name. +This plugin provides password-based authenticated encryption using AES-256-GCM with PBKDF2 key derivation via [Bouncycastle][]. It can also transparently decrypt data encrypted by the previous Jasypt-based plugin, enabling seamless upgrades. -[jasypt]: http://www.jasypt.org/ [bouncycastle]: https://www.bouncycastle.org/ -Password, algorithm, provider, etc can be specified directly, or via environment variables (the `*EnvVarName` properties), or Java System properties (the `*SysPropName` properties). +Password can be specified directly, or via environment variables (the `*EnvVarName` properties), or Java System properties (the `*SysPropName` properties). To enable it, see [Configuring - Storage Converter Plugins](/administration/configuration/plugins/configuring.md#storage-converter-plugins). See also: [Key Storage](/manual/key-storage/index.md) -Provider type: `jasypt-encryption` +Provider type: `aes-gcm-encryption` + +:::tip Backward Compatibility +The legacy provider name `jasypt-encryption` is still supported as an alias. Existing configurations do not need to be changed after upgrade. +::: The following encryption properties marked with `*` can be set directly, using the property name shown, 
@@ -126,54 +128,65 @@ or `SysPropName` to use the Java System Property. If a System Property is specified: it is read in once and used by the initialization of the converter plugin, then the Java System Property is set to null so it cannot be read again. -Configuration properties: +#### Configuration properties -`encryptorType` +`password*` +: The encryption password. This is the only required property. -: Jasypt Encryptor to use. Either `basic`, `strong`, or `custom`. Default: 'basic'. +Example configuration for **new installations**: - * `basic` uses algorithm `PBEWithMD5AndDES` - * `strong` requires use of the JCE Unlimited Strength policy files. (Algorithm: `PBEWithMD5AndTripleDES`) - * `custom` is required to specify the algorithm. +```properties +rundeck.storage.converter.1.type=aes-gcm-encryption +rundeck.storage.converter.1.path=keys +rundeck.storage.converter.1.config.password=YOUR_ENCRYPTION_PASSWORD +``` -`password*` -: the password. +```properties +rundeck.config.storage.converter.1.type=aes-gcm-encryption +rundeck.config.storage.converter.1.path=projects +rundeck.config.storage.converter.1.config.password=YOUR_ENCRYPTION_PASSWORD +``` + +#### Legacy properties (only needed when upgrading from a previous version) + +The following properties are only needed if you are upgrading from a Rundeck version that used the old `jasypt-encryption` plugin and you have existing encrypted data in your database. They tell the plugin how to **decrypt** that old data. New encryptions always use AES-256-GCM regardless of these settings. + +:::info +If you are upgrading from a standard Rundeck installation (default settings), just add `encryptorType=custom` and use the same password you had before. No other legacy properties are needed. +::: + +`encryptorType` +: Identifies the legacy encryptor format used on existing data. Either `basic` or `custom`. Default: 'custom'. -`algorithm*` -: the encryption algorithm. 
+ * `custom` — decrypts using algorithm `PBEWITHSHA256AND128BITAES-CBC-BC` with BC provider (the Rundeck default since 2014) + * `basic` — decrypts using algorithm `PBEWithMD5AndDES` -`provider*` -: the provider name. 'BC' indicates Bouncycastle. +`algorithm` +: (optional) Only needed if you previously configured a non-default algorithm. Overrides the legacy algorithm for decrypting existing data. -`providerClassName*` -: Java class name of the provider. +`provider` +: (optional) Only needed if you previously used a non-default JCE provider. Default: 'BC' (Bouncycastle). -`keyObtentionIterations*` -: Number of hashes to use for the password when generating the key, default is 1000. +`keyObtentionIterations` +: (optional) Only needed if you previously changed this from the default. Default: 1000. -Example configuration for the Key Storage facility: +Example configuration for an **upgrade** from a standard Rundeck installation: ```properties -rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.type=aes-gcm-encryption rundeck.storage.converter.1.path=keys +rundeck.storage.converter.1.config.password=YOUR_EXISTING_PASSWORD rundeck.storage.converter.1.config.encryptorType=custom -rundeck.storage.converter.1.config.passwordEnvVarName=ENC_PASSWORD -rundeck.storage.converter.1.config.algorithm=PBEWITHSHA256AND128BITAES-CBC-BC -rundeck.storage.converter.1.config.provider=BC ``` -Example configuration for the Project Configuration storage facility: - ```properties -rundeck.config.storage.converter.1.type=jasypt-encryption -rundeck.config.storage.converter.1.path=/ -rundeck.config.storage.converter.1.config.password=sekrit +rundeck.config.storage.converter.1.type=aes-gcm-encryption +rundeck.config.storage.converter.1.path=projects +rundeck.config.storage.converter.1.config.password=YOUR_EXISTING_PASSWORD rundeck.config.storage.converter.1.config.encryptorType=custom 
-rundeck.config.storage.converter.1.config.algorithm=PBEWITHSHA256AND128BITAES-CBC-BC -rundeck.config.storage.converter.1.config.provider=BC ``` -File: `rundeck-jasypt-encryption-plugin-{{$rundeckVersionFull}}.jar` +File: `rundeck-aes-gcm-encryption-plugin-{{$rundeckVersionFull}}.jar` :::tip Note: the specific PBE algorithms available for use with the `encryptorType=custom` come from installed JCE providers. BouncyCastle is included but others are provided by the specific JDK you use. Here is a sample list of PBE providers using BouncyCastle and OpenJDK 1.8: diff --git a/docs/administration/configuration/storage-facility.md b/docs/administration/configuration/storage-facility.md index f9bd3058d..43fa1f585 100644 --- a/docs/administration/configuration/storage-facility.md +++ b/docs/administration/configuration/storage-facility.md @@ -86,10 +86,9 @@ rundeck.storage.provider.1.path=/keys **Encryption converter:** ```properties # Format: rundeck.storage.converter.[index].[property] -rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.type=aes-gcm-encryption rundeck.storage.converter.1.path=/keys rundeck.storage.converter.1.config.password=CHANGE_THIS_PASSWORD -rundeck.storage.converter.1.config.algorithm=PBEWITHHMACSHA256ANDAES_256 ``` ### Common Key Storage Issues @@ -186,7 +185,7 @@ rundeck.config.storage.provider.1.type=db rundeck.config.storage.provider.1.path=/ # Optional: Encryption for project configs -rundeck.config.storage.converter.1.type=jasypt-encryption +rundeck.config.storage.converter.1.type=aes-gcm-encryption rundeck.config.storage.converter.1.path=/ rundeck.config.storage.converter.1.config.password=CHANGE_THIS_PASSWORD ``` 
@@ -423,9 +422,13 @@ Disk/Database → Storage Backend → [Converter: Decrypt] → User/API - **Transparent:** Application doesn't know encryption is happening - **Metadata stored separately:** Encryption info stored with file metadata -### Encryption with Jasypt Plugin +### Encryption with AES-GCM Plugin -Rundeck includes the **Jasypt Encryption Plugin** for encrypting stored data. This is the most common converter configuration. +Rundeck includes the **AES-GCM Encryption Plugin** for encrypting stored data using AES-256-GCM authenticated encryption. This is the most common converter configuration. + +:::tip Upgrade Note +Prior to Rundeck 6.0, this plugin was called `jasypt-encryption`. The legacy name still works as an alias — existing configurations do not need to be changed. +::: **When to use encryption:** - **Required:** Production environments storing sensitive keys/passwords 
@@ -439,31 +442,27 @@ Rundeck includes the **Jasypt Encryption Plugin** for encrypting stored data. Th ```properties # Encrypt all keys -rundeck.storage.converter.1.type=jasypt-encryption -rundeck.storage.converter.1.path=/keys +rundeck.storage.converter.1.type=aes-gcm-encryption +rundeck.storage.converter.1.path=keys rundeck.storage.converter.1.config.password=YOUR_ENCRYPTION_PASSWORD_HERE -rundeck.storage.converter.1.config.algorithm=PBEWITHHMACSHA256ANDAES_256 ``` **Project Storage encryption (optional):** ```properties # Encrypt project configurations -rundeck.config.storage.converter.1.type=jasypt-encryption -rundeck.config.storage.converter.1.path=/ +rundeck.config.storage.converter.1.type=aes-gcm-encryption +rundeck.config.storage.converter.1.path=projects rundeck.config.storage.converter.1.config.password=YOUR_ENCRYPTION_PASSWORD_HERE -rundeck.config.storage.converter.1.config.algorithm=PBEWITHHMACSHA256ANDAES_256 ``` -#### Encryption Algorithm Options +#### Encryption Algorithm -| Algorithm | Security | Performance | JVM Requirement | -|-----------|----------|-------------|-----------------| -| `PBEWITHHMACSHA256ANDAES_256` | High (recommended) | Good | JCE Unlimited Strength (Java 8+) | -| `PBEWITHMD5ANDDES` | Low (legacy) | Fast | Standard JVM | -| `PBEWITHSHA256AND256BITAES-CBC-BC` | High | Good | Bouncy Castle library | +Starting with Rundeck 6.0, the encryption algorithm is **AES-256-GCM** (authenticated encryption with PBKDF2-SHA256 key derivation). This is not configurable — all new data is encrypted with the strongest available standard. There is no need to choose an algorithm. -**Recommendation:** Use `PBEWITHHMACSHA256ANDAES_256` for production. +:::info +The `algorithm`, `provider`, and `encryptorType` properties are only relevant for **decrypting legacy data** from previous Rundeck versions. See the [AES-GCM Encryption Plugin](/administration/configuration/plugins/bundled-plugins.md#aes-gcm-encryption-plugin) documentation for details. 
+::: #### Managing Encryption Passwords @@ -523,7 +522,7 @@ rundeck.storage.converter.1.config.password=${KMS_RETRIEVED_PASSWORD} 2. **Add converter configuration:** ```properties -rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.type=aes-gcm-encryption rundeck.storage.converter.1.path=/keys rundeck.storage.converter.1.config.password=${RD_STORAGE_PASSWORD} ``` @@ -613,7 +612,7 @@ echo "Re-encryption complete" - **Verification:** Check `rundeck-config.properties` on all nodes **See also:** -- [Jasypt Encryption Plugin](/administration/configuration/plugins/bundled-plugins.md#jasypt-encryption-plugin) - Detailed configuration +- [AES-GCM Encryption Plugin](/administration/configuration/plugins/bundled-plugins.md#aes-gcm-encryption-plugin) - Detailed configuration - [Storage Converter Plugin Development](/developer/storage-converter-plugins.md) - Custom converters --- @@ -910,10 +909,9 @@ rundeck.storage.provider.1.path=/keys rundeck.projectsStorageType=db # Encryption - MUST be identical -rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.type=aes-gcm-encryption rundeck.storage.converter.1.path=/keys rundeck.storage.converter.1.config.password=${RD_STORAGE_PASSWORD} -rundeck.storage.converter.1.config.algorithm=PBEWITHHMACSHA256ANDAES_256 # Database - same connection dataSource.url=jdbc:postgresql://shared-db-host:5432/rundeck @@ -1124,10 +1122,9 @@ rundeck.projectsStorageType=filesystem rundeck.storage.provider.1.type=db rundeck.storage.provider.1.path=/keys -rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.type=aes-gcm-encryption rundeck.storage.converter.1.path=/keys rundeck.storage.converter.1.config.password=${RD_STORAGE_PASSWORD} -rundeck.storage.converter.1.config.algorithm=PBEWITHHMACSHA256ANDAES_256 # Project Storage - database rundeck.projectsStorageType=db 
@@ -1160,18 +1157,16 @@ rundeck.clusterMode.enabled=true rundeck.storage.provider.1.type=db rundeck.storage.provider.1.path=/keys -rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.type=aes-gcm-encryption rundeck.storage.converter.1.path=/keys rundeck.storage.converter.1.config.password=${RD_STORAGE_PASSWORD} -rundeck.storage.converter.1.config.algorithm=PBEWITHHMACSHA256ANDAES_256 # Project Storage - shared database with encryption rundeck.projectsStorageType=db -rundeck.config.storage.converter.1.type=jasypt-encryption +rundeck.config.storage.converter.1.type=aes-gcm-encryption rundeck.config.storage.converter.1.path=/ rundeck.config.storage.converter.1.config.password=${RD_PROJECT_STORAGE_PASSWORD} -rundeck.config.storage.converter.1.config.algorithm=PBEWITHHMACSHA256ANDAES_256 # Shared Database dataSource.url=jdbc:postgresql://shared-db-cluster:5432/rundeck @@ -1201,7 +1196,7 @@ export DB_PASSWORD="database_password" rundeck.storage.provider.1.type=db rundeck.storage.provider.1.path=/keys -rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.type=aes-gcm-encryption rundeck.storage.converter.1.path=/keys rundeck.storage.converter.1.config.password=${RD_STORAGE_PASSWORD} @@ -1219,7 +1214,7 @@ dataSource.url=jdbc:mysql://dbhost:3306/rundeck ### Security -1. **Always encrypt in production** - Use jasypt-encryption converter for key storage +1. **Always encrypt in production** - Use aes-gcm-encryption converter for key storage 2. **Separate encryption passwords** - Use different passwords for keys vs projects 3. **Secure password storage** - Store encryption passwords in external vault (not in config files) 4. **Rotate passwords** - Plan for periodic encryption password rotation 
@@ -1265,7 +1260,7 @@ dataSource.url=jdbc:mysql://dbhost:3306/rundeck - [Key Storage](/manual/key-storage/index.md) - User guide for managing keys - [Project Configuration](/manual/projects/configuration.md) - Project setup and storage - [Database Configuration](/administration/configuration/database/index.md) - External database setup -- [Jasypt Encryption Plugin](/administration/configuration/plugins/bundled-plugins.md#jasypt-encryption-plugin) - Encryption details +- [AES-GCM Encryption Plugin](/administration/configuration/plugins/bundled-plugins.md#aes-gcm-encryption-plugin) - Encryption details - [Storage Plugin Development](/developer/storage-plugins.md) - Custom storage backends - [Storage Converter Plugin Development](/developer/storage-converter-plugins.md) - Custom converters - [Cluster Configuration](/administration/cluster/) - High-availability setup diff --git a/docs/developer/storage-converter-plugins.md b/docs/developer/storage-converter-plugins.md index 703028d75..41a32a2b6 100644 --- a/docs/developer/storage-converter-plugins.md +++ b/docs/developer/storage-converter-plugins.md @@ -52,7 +52,7 @@ Storage converters ensure this data is **encrypted at rest**, even if someone ga **Built-in Encryption:** Rundeck includes: -- **JasyptEncryption** - AES encryption with master password +- **AES-GCM Encryption** - AES-256-GCM authenticated encryption with master password - Configured via `framework.properties` Create custom plugins for: diff --git a/docs/learning/getting-started/secrets-overview.md b/docs/learning/getting-started/secrets-overview.md index 626c18f4e..0bca2ad1e 100644 --- a/docs/learning/getting-started/secrets-overview.md +++ b/docs/learning/getting-started/secrets-overview.md 
@@ -11,18 +11,15 @@ _The interface to upload a key to the Rundeck keystore_ ### [Rundeck Key Storage](/manual/key-storage/index.md#rundeck-key-storage) Rundeck Key Storage is the space that Rundeck Admins can use to store current sensitive private key/password data ("keys") storage that can be utilized across Rundeck. By default, Rundeck stores these keys on the internal [backend database](/administration/configuration/database/#database-overview). These keys can be used to customize the automation environment's plugins, node executors, and other components. -Rundeck also has [Key Storage Encryption](/administration/configuration/plugins/bundled-plugins.md#jasypt-encryption-plugin). This enables the encryption of keys and passwords saved on the Rundeck Key Storage (at the Rundeck backend). The following setting allows this encryption and is predefined in the `rundeck-config.properties` file: +Rundeck also has [Key Storage Encryption](/administration/configuration/plugins/bundled-plugins.md#aes-gcm-encryption-plugin). This enables the encryption of keys and passwords saved on the Rundeck Key Storage (at the Rundeck backend). The following setting allows this encryption and is predefined in the `rundeck-config.properties` file: -``` +```properties # Encryption for key storage rundeck.storage.provider.1.type=db rundeck.storage.provider.1.path=keys -rundeck.storage.converter.1.type=jasypt-encryption +rundeck.storage.converter.1.type=aes-gcm-encryption rundeck.storage.converter.1.path=keys -rundeck.storage.converter.1.config.encryptorType=custom rundeck.storage.converter.1.config.password=encryption_password -rundeck.storage.converter.1.config.algorithm=PBEWITHSHA256AND128BITAES-CBC-BC -rundeck.storage.converter.1.config.provider=BC ``` ### [Hashicorp Vault Integration](/learning/howto/vault-integration.md#how-to-integrate-hashicorp-vault) diff --git a/docs/learning/howto/migrate-to-mysql.md b/docs/learning/howto/migrate-to-mysql.md index 4fd1b142e..ecec8760a 100644 
--- a/docs/learning/howto/migrate-to-mysql.md +++ b/docs/learning/howto/migrate-to-mysql.md @@ -66,7 +66,7 @@ Enable DB storage for Project configurations, and Key Storage. Optionally enable For more info refer to: - [Security - Key Storage](/manual/key-storage/index.md) -- [Configuring Plugins - Bundled Plugins - Jasypt Encryption Plugin](/administration/configuration/plugins/bundled-plugins.md#jasypt-encryption-plugin) +- [Configuring Plugins - Bundled Plugins - AES-GCM Encryption Plugin](/administration/configuration/plugins/bundled-plugins.md#aes-gcm-encryption-plugin) - [Storage Facility](/administration/configuration/storage-facility.md) ## Start Rundeck diff --git a/docs/manual/key-storage/storage-plugins/azure-vault.md b/docs/manual/key-storage/storage-plugins/azure-vault.md index 5fef3344f..05ada6e3c 100644 --- a/docs/manual/key-storage/storage-plugins/azure-vault.md +++ b/docs/manual/key-storage/storage-plugins/azure-vault.md 
@@ -107,7 +107,7 @@ Soft deleted secrets can be found in the *Manage deleted secrets* window in the ::: ### Storage Converters and Encryption -When you have external key storage configured for rundeck such as the Azure Key Vault plugin, you may not need the [Storage Converter](/manual/key-storage/index.md#key-data-storage-converter) (encryption) as you already have a security layer from provider-side, but if you are already using a storage converter plugin, such as `jasypt-encryption` configured via the `rundeck.storage.converter.1.type=jasypt-encryption` setting, you can still use the Azure Vault Key Storage Plugin. Keys created or updated will be encrypted with their values `base64` encoded and the necessary metadata required for decryption stored as object tags. +When you have external key storage configured for rundeck such as the Azure Key Vault plugin, you may not need the [Storage Converter](/manual/key-storage/index.md#key-data-storage-converter) (encryption) as you already have a security layer from provider-side, but if you are already using a storage converter plugin, such as `aes-gcm-encryption` configured via the `rundeck.storage.converter.1.type=aes-gcm-encryption` setting, you can still use the Azure Vault Key Storage Plugin. Keys created or updated will be encrypted with their values `base64` encoded and the necessary metadata required for decryption stored as object tags. :::warning Using an encryption storage converter If your rundeck instance has an storage converter enabled and some of the secrets present in the configured Key Vault are used in places other than rundeck, you should try to avoid updating them through rundeck key storage as encrypted keys will only be usable in Rundeck instances that know the encryption password used to encrypt the actual value. diff --git a/docs/manual/plugins/full-list.md b/docs/manual/plugins/full-list.md index fe50b3af2..69241b3ab 100644 --- a/docs/manual/plugins/full-list.md 
+++ b/docs/manual/plugins/full-list.md @@ -75,7 +75,7 @@ Resource Format | [JSON](/manual/document-format-reference/resource-json-v10.md) SCM | [Git](/manual/projects/scm/git.md) | Imports or exports jobs from a Git repository | Community SCM | [Job Replication](/manual/projects/scm/job-replication.md) | Replicates job state between Rundeck Cluster instances | Enterprise SSO | [Okta](/administration/security/sso/index.md) | Allows you to use Okta to log into Rundeck | Enterprise -Storage Converter | [Encyption](/administration/configuration/plugins/bundled-plugins.md#jasypt-encryption-plugin) | Encrypts Key Storage and Project configuration data | Built-in +Storage Converter | [Encryption](/administration/configuration/plugins/bundled-plugins.md#aes-gcm-encryption-plugin) | Encrypts Key Storage and Project configuration data (AES-256-GCM) | Built-in Webhook | [Run Job](/manual/webhooks/run-job.md) | Runs a job when a webhook event is received | Built In Webhook | [Routing Run Job](/manual/webhooks/advanced-run-job.md) | Advanced rule processing of webhook event data to run jobs. | Enterprise
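Review bot: In the encryptable-properties.md hunk at `@@ -13,19 +13,18 @@`, the CLI argument changes from `--encryptpwd Jasypt` to `--encryptpwd Encryptable-properties` without saying whether the old argument is still accepted; operators have the old invocation in runbooks and scripts, so state either that `Jasypt` remains an alias or that it now fails, and if it fails say so in the upgrade tip of the next hunk. The unchanged context line `cd into the directory where your rundeck.war is located run:` is also a run-on and could take a comma or a full stop before `run:` while the section is being edited.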
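Review bot: In the encryptable-properties.md hunk at `@@ -38,11 +37,15 @@`, the tip `Existing ENC() values encrypted with previous versions are automatically detected and decrypted without any configuration changes.` contradicts the `Advanced Usage (Legacy Decryption)` hunk below, which says values generated with a custom algorithm, provider or keyObtentions still require the `rd.encryption.<NAME>.*` settings. Qualify the tip: automatic detection covers values produced with the default settings and the same master password; values produced under a named config such as `STRONG` still need that config at startup.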
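Review bot: In the encryptable-properties.md hunk at `@@ -56,40 +59,24 @@`, the removed sentence `Otherwise Rundeck will use the default decryptor settings which will not match your customized settings, and startup will fail.` has no replacement, so the failure mode an operator will actually see (startup aborts because a legacy value cannot be decrypted) is no longer documented; keep one sentence stating it. The added paragraph `When the application encounters an ENC(...) value, it uses the configured algorithm and provider to decrypt legacy data.` also reads as if the legacy settings apply to every `ENC(...)` value; say that they are consulted only when the value is not in the AES-256-GCM format, which is what the warning box above it implies.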
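Review bot: In the encryptable-properties.md hunk at `@@ -98,3 +85,13 @@`, the `Re-encrypting Legacy Values` procedure is missing two steps operators need: a way to tell a migrated value from a legacy one (the page never describes what distinguishes the new format beyond the placeholder `AQD3f8k2...base64-encoded-value...`), and a final step saying the `rd.encryption.STRONG.*` properties and `RUNDECK_PROP_DECRYPTER_CONFIG` can be removed once no legacy values remain, since leaving unused decryption settings in place widens the configuration surface for no benefit. The phrase `with the same master password` should also give the reason: the running instance has a single `rd.encryption.default.password`, and the re-encrypted value must be decryptable with it.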
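Review bot: In the bundled-plugins.md hunk at `@@ -98,24 +98,26 @@`, the line `This plugin provides password-based authenticated encryption using AES-256-GCM with PBKDF2 key derivation via [Bouncycastle][].` names the primitives but not the KDF parameters (PRF, iteration count, salt length, nonce handling); because the key is derived from an operator-chosen password, the iteration count sets the cost of guessing a weak password and should be documented next to the `password*` property. `Password can be specified directly` also drops the article (`The password can be specified`), `enabling seamless upgrades` is better replaced by the concrete condition (same password; legacy properties only for non-default settings), and since the `[jasypt]:` link definition is removed, check that no `[Jasypt][]` reference remains elsewhere in the file.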
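Review bot: In the bundled-plugins.md hunk at `@@ -126,54 +128,65 @@`, the `encryptorType` default silently changes from `'basic'` to `'custom'`; an upgrading installation whose data was encrypted under the old default `PBEWithMD5AndDES` and which never set `encryptorType` will now attempt decryption with the wrong algorithm, so either keep the old default or state the change explicitly in the legacy-properties text. The info box `just add encryptorType=custom` is also redundant with `Default: 'custom'` in the same hunk; say which is true. Finally, the unchanged trailing tip `Note: the specific PBE algorithms available for use with the encryptorType=custom come from installed JCE providers.` is now stale, because PBE algorithms only matter for decrypting legacy data; reword it or move it under the legacy section.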
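Review bot: In the storage-facility.md hunk at `@@ -423,9 +422,13 @@`, the tip `existing configurations do not need to be changed` is only safe if upgraders keep their `config.algorithm` line: the old text in this file recommended `PBEWITHHMACSHA256ANDAES_256`, which is not the legacy default named in bundled-plugins.md (`PBEWITHSHA256AND128BITAES-CBC-BC`), so an upgrader who tidies away the `algorithm` line because the `@@ -86` and `@@ -439` hunks drop it will no longer be able to decrypt existing data. Add a sentence that `algorithm`, `provider` and `encryptorType` must stay in an existing configuration until the data has been re-encrypted.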
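Review bot: In the storage-facility.md hunk at `@@ -439,31 +442,27 @@`, the converter paths change to `rundeck.storage.converter.1.path=keys` and `rundeck.config.storage.converter.1.path=projects`, while every other hunk in this file (`@@ -86`, `@@ -186`, `@@ -523`, `@@ -910`, `@@ -1124`, `@@ -1160`, `@@ -1201`) keeps `/keys` and `/`; if the two spellings are equivalent say so once, and if `projects` is narrower than `/` the change silently stops encrypting anything stored outside that subtree and needs an explanation. The sentence `all new data is encrypted with the strongest available standard` is a superlative the page does not support; state the facts (AES-256-GCM, PBKDF2-SHA256, not configurable) and drop it. The removed table also carried a `JVM Requirement` column, so the new text should say whether any JVM requirement remains for the AES-256-GCM converter.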
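Review bot: In the storage-converter-plugins.md hunk at `@@ -52,7 +52,7 @@`, the unchanged context line `- Configured via framework.properties` contradicts every example in this patch, which place the converter settings in `rundeck-config.properties` (the secrets-overview.md hunk says so explicitly); correct it while the neighbouring line is being edited.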
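Review bot: In the secrets-overview.md hunk at `@@ -11,18 +11,15 @@`, the snippet is introduced as `predefined in the rundeck-config.properties file`, yet `encryptorType=custom`, `algorithm` and `provider` are removed from it; on an upgraded installation the file on disk still contains those lines, so add a sentence that they may remain (they are the legacy-decryption properties documented in bundled-plugins.md) so readers do not conclude their configuration is wrong or delete settings they still need to read existing keys.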
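Review bot: In the azure-vault.md hunk at `@@ -107,7 +107,7 @@`, the rewritten sentence keeps `for rundeck such as the Azure Key Vault plugin` and `from provider-side`, and the unchanged warning context has `has an storage converter`; since the line is already being rewritten, capitalise `Rundeck`, write `from the provider side`, and fix `a storage converter`.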