docs/security.md (67 additions & 1 deletion)
@@ -10,4 +10,70 @@ This page is a stub.
10
10
11
11
:::
12
12
13
-
## Secrets
13
+
## Kernel secret
14
+
15
+
To learn more about how and why the kernel secret is used, check out the [Symfony documentation](https://symfony.com/doc/7.2/reference/configuration/framework.html#secret).
16
+
17
+
:::note
18
+
19
+
When using the standalone image, the kernel secret is generated automatically. See the [Image secrets](#image-secrets)
20
+
section to learn more.
21
+
22
+
:::
23
+
24
+
To configure the kernel secret through a custom environment variable, use the following configuration:
25
+
26
+
```yaml
27
+
framework:
28
+
secret: '%env(KERNEL_SECRET)%'
29
+
```
30
+
31
+
## Encryption
32
+
33
+
In some cases, Dirigent needs to store sensitive information in the database, like GitHub access tokens or SSH keys
34
+
that are used for authenticating to private repositories. As a safety precaution, this data is encrypted during
35
+
runtime through an encryption key before being stored securely in the database. The encryption key has to be created
36
+
before running the application.
37
+
38
+
### Generate encryption key pair
39
+
40
+
To generate an encryption key pair, run the following command:
41
+
42
+
```shell
43
+
bin/dirigent encryption:generate-keys
44
+
```
45
+
46
+
:::note
47
+
48
+
When using the standalone image, this is done automatically when starting the container. See the [Image secrets](#image-secrets)
49
+
section to learn more.
50
+
51
+
:::
52
+
53
+
This generates both a (private) decryption key and a (public) encryption key, both need to exist for Dirigent to
54
+
function. The location of the keys can be changed in the configuration. For example, to use environment variables
55
+
to configure the encryption keys, use the following configuration:
56
+
57
+
```yaml
58
+
dirigent:
59
+
encryption:
60
+
private_key: '%env(DECRYPTION_KEY)%'
61
+
private_key_path: '%env(DECRYPTION_KEY_FILE)%'
62
+
public_key: '%env(ENCRYPTION_KEY)%'
63
+
public_key_path: '%env(ENCRYPTION_KEY_FILE)%'
64
+
```
65
+
66
+
### Rotate encryption keys
67
+
68
+
```yaml
69
+
dirigent:
70
+
encryption:
71
+
rotated_keys:
72
+
- '%env(OLD_DECRYPTION_KEY)%'
73
+
rotated_key_paths:
74
+
- '%env(OLD_DECRYPTION_KEY_FILE)%'
75
+
```
76
+
77
+
## Image secrets
78
+
79
+
When using the standalone image, secrets are stored in the `/srv/config/secrets` directory by default.
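Review bot: the new "### Rotate encryption keys" section consists only of the `rotated_keys` / `rotated_key_paths` YAML block and gives no explanation of what rotation does; it should state that these entries hold the previous (private) decryption keys so that data encrypted under an earlier key pair can still be read, and whether that data is re-encrypted under the current public key, so operators know when an old key can safely be dropped from the list. Likewise, both notes say "See the [Image secrets](#image-secrets) section to learn more", but that section only says that secrets live in `/srv/config/secrets` by default; add what is generated there (the kernel secret and the encryption key pair) and how the directory should be persisted and protected between container restarts. Minor: the "## Encryption" intro talks about "an encryption key" while the following section generates a key pair, so "encryption key pair" would be consistent, and "both need to exist for Dirigent to function" is a comma splice ("...a (public) encryption key; both need to exist...").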