How It Works

  1. Legion::Crypt includes the Cipher module.

  2. Legion::Crypt includes the vault module if crypt.vault.enabled is true.

  3. The first time Legion::Crypt.encrypt/decrypt is called, it checks whether it already has the cluster secret (CS). If it does not, it works it out in this order:

    1. It first checks whether the cluster secret is in Vault. This makes it safe for all nodes to go offline.

    2. It checks whether any other nodes are online. If there aren't, it generates a new CS.

    3. If there are consumers, it sends out a message with its public key asking for the cluster secret.

    4. It then verifies the message by attempting to decrypt the test string against the validation_string.
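The resolution order in the list above, as an added Ruby sketch that is not Legion::Crypt's own code. Vault and the message bus are in-memory stand-ins, and every method name, the RSA-OAEP wrapping, the AES-256-CBC test string and the VALIDATION_STRING value are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical names throughout; VALIDATION_STRING is a constructed value.
VALIDATION_STRING = 'legion-validation'

# AES-256-CBC helper (assumed cipher); the cluster secret is 64 hex characters.
def aes(mode, key_hex, data, iv)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = [key_hex].pack('H*')
  cipher.iv = iv
  cipher.update(data) + cipher.final
end

# A node that holds the secret answers a request: it wraps the secret with the
# requester's RSA public key and adds the test string encrypted under the secret.
def answer_request(cluster_secret, requester_public_pem)
  iv = SecureRandom.random_bytes(16)
  pub = OpenSSL::PKey::RSA.new(requester_public_pem)
  { wrapped: pub.public_encrypt(cluster_secret, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING),
    iv: iv, test: aes(:encrypt, cluster_secret, VALIDATION_STRING, iv) }
end

# Sub-step 4: accept the secret only if it decrypts the test string correctly.
def valid_reply?(secret, reply)
  aes(:decrypt, secret, reply[:test], reply[:iv]) == VALIDATION_STRING
rescue OpenSSL::Cipher::CipherError
  false
end

# Order from the list: Vault first, generate if no peers, otherwise ask peers.
# vault is a Hash stand-in; each peer is a callable that takes a public-key PEM.
def resolve_cluster_secret(vault:, peers:, keypair: OpenSSL::PKey::RSA.new(2048))
  return [vault[:cluster_secret], :vault] if vault[:cluster_secret]
  return [SecureRandom.hex(32), :generated] if peers.empty?

  peers.each do |peer|
    reply = peer.call(keypair.public_key.to_pem)
    secret = keypair.private_decrypt(reply[:wrapped], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    return [secret, :peer] if valid_reply?(secret, reply)
  rescue OpenSSL::PKey::RSAError
    next # reply was not encrypted to this node's public key
  end
  raise 'no peer returned a cluster secret that passed validation'
end
```

In this sketch the validation step only confirms that the wrapped secret and the encrypted test string agree with each other; it does not authenticate the peer that replied.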

Settings

| Setting | Default Value | Type |
|---|---|---|
| vault.enabled | false | boolean |
| vault.protocol | http | string |
| vault.address | localhost | string |
| vault.port | 8200 | integer |
| vault.token | ENV VAULT_TOKEN_ID | string |
| vault.connected | false | boolean |
| vault.renewer_time | 5 | integer |
| vault.renewer | true | boolean |
| vault.push_cluster_secret | true | boolean |
| vault.read_cluster_secret | true | boolean |
| cs_encrypt_ready | false | boolean |
| dynamic_keys | true | boolean |
| cluster_secret | nil | string |