docs/security.md: 69 additions & 2 deletions
@@ -4,10 +4,77 @@ sidebar_position: 90
4
4
5
5
# Security
6
6
7
+
## Kernel secret
8
+
9
+
To learn more about how and why the kernel secret is used, check out the [Symfony documentation](https://symfony.com/doc/7.2/reference/configuration/framework.html#secret).
10
+
11
+
:::note
12
+
13
+
When using the standalone image, the kernel secret is generated automatically. See the [Image secrets](#image-secrets)
14
+
section to learn more.
15
+
16
+
:::
17
+
18
+
To configure the kernel secret through a custom environment variable, use the following configuration:
19
+
20
+
```yaml
21
+
framework:
22
+
secret: '%env(KERNEL_SECRET)%'
23
+
```
24
+
25
+
## Encryption
26
+
27
+
In some cases, Dirigent needs to store sensitive information in the database, like GitHub access tokens or SSH keys
28
+
that are used for authenticating to private repositories. As a safety precaution, this data is encrypted during
29
+
runtime through an encryption key before being stored securely in the database. The encryption key has to be created
30
+
before running the application.
31
+
32
+
### Generate encryption key pair
33
+
34
+
To generate an encryption key pair, run the following command:
35
+
36
+
```shell
37
+
bin/dirigent encryption:generate-keys
38
+
```
39
+
7
40
:::note
8
41
9
-
This page is a stub.
42
+
When using the standalone image, this is done automatically when starting the container. See the [Image secrets](#image-secrets)
43
+
section to learn more.
10
44
11
45
:::
12
46
13
-
## Secrets
47
+
This generates both a (private) decryption key and a (public) encryption key, both need to exist for Dirigent to
48
+
function. The location of the keys can be changed in the configuration. For example, to use environment variables
49
+
to configure the encryption keys, use the following configuration:
50
+
51
+
```yaml
52
+
dirigent:
53
+
encryption:
54
+
private_key: '%env(DECRYPTION_KEY)%'
55
+
private_key_path: '%env(DECRYPTION_KEY_FILE)%'
56
+
public_key: '%env(ENCRYPTION_KEY)%'
57
+
public_key_path: '%env(ENCRYPTION_KEY_FILE)%'
58
+
```
59
+
60
+
### Rotate encryption keys
61
+
62
+
```yaml
63
+
dirigent:
64
+
encryption:
65
+
rotated_keys:
66
+
- '%env(OLD_DECRYPTION_KEY)%'
67
+
rotated_key_paths:
68
+
- '%env(OLD_DECRYPTION_KEY_FILE)%'
69
+
```
70
+
71
+
## Image secrets
72
+
73
+
When using the standalone image, secrets are stored in the `/srv/config/secrets` directory by default.
74
+
75
+
- `decryption_key`
76
+
Unless configured through `DECRYPTION_KEY` or `DECRYPTION_KEY_FILE` environment variables.
77
+
- `encryption_key`
78
+
Unless configured through `ENCRYPTION_KEY` or `ENCRYPTION_KEY_FILE` environment variables.
79
+
- `kernel_secret`
80
+
Unless configured through `KERNEL_SECRET` or `KERNEL_SECRET_FILE` environment variables.
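Review bot: the "Rotate encryption keys" subsection is a bare YAML block with no sentence explaining what `rotated_keys` / `rotated_key_paths` actually do; a reader cannot tell from it whether data encrypted under the old key is transparently re-encrypted with the new `public_key`, is only decrypted with the old key and left as is, or needs a separate migration command, nor when it is safe to drop an old key from the list. Add a short explanation before the block, and since the list holds decryption keys, say explicitly that only the private key of the retired pair belongs there. Related documentation gap in the "Generate encryption key pair" note: it says the keys are generated "automatically when starting the container" and the "Image secrets" section puts them in `/srv/config/secrets`, but nothing tells the operator that this directory must be on a persistent volume and that generation is skipped when keys already exist (if that is the behaviour); a fresh key pair on a restart would leave the already stored GitHub tokens and SSH keys undecryptable, so this is worth a warning rather than a note.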