Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/03/23 14:03:21 UTC

[GitHub] [couchdb] eiri commented on a change in pull request #2685: [WIP] Implement per database encryption for primary data

URL: https://github.com/apache/couchdb/pull/2685#discussion_r396473698
 
 

 ##########
 File path: rel/overlay/etc/default.ini
 ##########
 @@ -699,3 +699,21 @@ compaction = false
 ; log every generated trace by including the following:
 ;
 ; all = (#{}) -> true
+
+[encryption]
+enabled = false
+;
+; To generate master key and initialization vector run the following command
+; ("secret" is an example passphrase here, use something else)
+;
+; `openssl enc -aes-256-ctr -k secret -P -md sha1`
+; output:
+;   salt=FC0D0243C5126FB5
+;   key=9B43A7711CDDE41FE065FC03A14BBD6A177CBD6A4B474A05DEC9798C79B98045
+;   iv =5B3C6478BBC698AAA8CA5BA51DB8FF95
+; Put key in "key.dat" file excluding "key" characters and a carriage return
+; Put iv in "iv.dat" file excluding "iv" characters and a carriage return
+;
+; Keep both files as read-only and owned by couch process.
+; key_file = /var/secured/mount/location/key.dat
+; iv_file = /var/secured/mount/location/iv.dat
 
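Review bot: A single static IV loaded from `iv_file` is the wrong shape for AES-256-CTR: CTR mode needs a nonce that is never reused under the same key, so a global IV in the config means every database (and every rewrite of a database file) encrypted with that key shares the same keystream, which leaks plaintext relationships between ciphertexts. Suggest documenting that the IV must be unique per encrypted unit (random or derived, and stored alongside the ciphertext), and dropping the `iv_file` option rather than asking operators to manage it. The `openssl enc -k secret -P -md sha1` recipe also derives the key with a single unsalted-style SHA-1 pass (EVP_BytesToKey); prefer `openssl rand -hex 32` for a raw key, or at least `-pbkdf2`, and say explicitly that `salt=` from that output is not needed.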
 Review comment:
  Config is writable; my idea is that the key will be kept in a read-only file, with an option to have that file on a separate encrypted mount point.
  
  How do you suggest storing the IV?
