This guide explains how to configure automatic property encryption with HashiCorp Vault for an application or adapter.
All sensitive properties (API tokens, passwords, and other secrets) should be encrypted. When HashiCorp Vault is configured, every encrypted property is stored in Vault and decrypted at runtime; the plaintext value is never written to the MongoDB document for that service config. When HashiCorp Vault is not configured, no properties are encrypted automatically.
For a property to be encrypted automatically when a service config is created or updated, it must be declared in propertiesSchema.json with type string. Properties of any other type are not eligible.
To enable automatic property encryption, create a propertiesDecorators.json document at the same level as propertiesSchema.json. Its top-level value must be a JSON array; if the document is absent, the decorators default to an empty array ([]) and nothing is encrypted.
Each element of the array is an object with two keys: type, which must be the string encryption, and pointer, a valid JSON pointer (RFC 6901, for example /credentials/password) that resolves to a property defined in propertiesSchema.json.
In the UI, any property that has an encryption decorator is displayed as ***** unless the user is actively editing that field.
The following propertiesSchema.json will be referenced in the examples below:
Given that credentials.password and api.token are likely sensitive, the propertiesDecorators.json should look like this:
If instead the url property contains credentials within the URL and api.token contains only a token type rather than the actual token, the file might look like this:
propertiesDecorators.json works the same way for applications and adapters, but the pointer is resolved from a different root depending on the service type:
Application: properties of the service config.
Adapter: properties.properties of the service config.
In each case the JSON pointer is resolved relative to that location, consistent with how propertiesSchema.json maps onto the properties of the service config.
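The following is an added example, not code from this guide or from the platform it describes. It builds a constructed propertiesSchema.json / propertiesDecorators.json pair (the schema and decorator files the guide refers to are not reproduced on this page), checks each decorator the way the rules above require (type is encryption, the pointer is a valid RFC 6901 pointer, and it lands on a string property in the schema), and resolves the pointer inside a service config from the root the guide gives for each type to produce the masked view the UI shows. The service config shapes, the 'application'/'adapter' type labels, the dummy secret values and all function names are assumptions made for this example.

```javascript
// Added example for this guide: constructed schema/decorator documents plus a
// validator. Not the platform's own code; shapes and names are assumed.

// Constructed propertiesSchema.json (JSON Schema). Only string properties are
// eligible for encryption, so 'timeout' (a number) must be rejected.
const propertiesSchema = {
  type: 'object',
  properties: {
    url: { type: 'string' },
    credentials: {
      type: 'object',
      properties: { username: { type: 'string' }, password: { type: 'string' } },
    },
    api: { type: 'object', properties: { token: { type: 'string' } } },
    timeout: { type: 'number' },
  },
};

// Constructed propertiesDecorators.json: encrypt the password and the API token.
const propertiesDecorators = [
  { type: 'encryption', pointer: '/credentials/password' },
  { type: 'encryption', pointer: '/api/token' },
];

// Variant for a URL that embeds credentials while api.token is only a token
// type: encrypt url and the password, leave api.token in the clear.
const urlDecorators = [
  { type: 'encryption', pointer: '/url' },
  { type: 'encryption', pointer: '/credentials/password' },
];

// Own-property check; avoids walking into Object.prototype via '/constructor'
// or '/__proto__' tokens, which 'in' would accept.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// RFC 6901: split a JSON pointer into unescaped reference tokens.
function pointerTokens(pointer) {
  if (typeof pointer !== 'string') throw new Error('pointer must be a string');
  if (pointer === '') return [];
  if (!pointer.startsWith('/')) throw new Error(`invalid JSON pointer: ${pointer}`);
  return pointer.slice(1).split('/').map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Descend through the schema's "properties" maps one token at a time and
// return the subschema the pointer names, or undefined if there is none.
function schemaAt(schema, pointer) {
  let node = schema;
  for (const tok of pointerTokens(pointer)) {
    if (!node || !node.properties || !has(node.properties, tok)) return undefined;
    node = node.properties[tok];
  }
  return node;
}

// Check every decorator against the schema. Returns a list of error strings;
// an empty list means propertiesDecorators.json is acceptable.
function validateDecorators(decorators, schema) {
  if (!Array.isArray(decorators)) return ['propertiesDecorators.json must be an array'];
  const errors = [];
  decorators.forEach((d, i) => {
    if (!d || typeof d !== 'object') { errors.push(`[${i}] not an object`); return; }
    if (d.type !== 'encryption') { errors.push(`[${i}] type must be "encryption"`); return; }
    let sub;
    try { sub = schemaAt(schema, d.pointer); } catch (e) { errors.push(`[${i}] ${e.message}`); return; }
    if (sub === undefined) { errors.push(`[${i}] ${d.pointer} is not in propertiesSchema.json`); return; }
    if (sub.type !== 'string') errors.push(`[${i}] ${d.pointer} must be a string property, got ${sub.type}`);
  });
  return errors;
}

// Root for the pointer inside a service config: 'properties' for an
// application, 'properties.properties' for an adapter (per the guide).
function decoratorRoot(serviceConfig, serviceType) {
  if (serviceType === 'adapter') return serviceConfig.properties.properties;
  if (serviceType === 'application') return serviceConfig.properties;
  throw new Error(`unknown service type: ${serviceType}`);
}

// Replace the value a pointer names; returns false if the path does not exist.
function setAt(obj, pointer, value) {
  const toks = pointerTokens(pointer);
  if (toks.length === 0) throw new Error('refusing to replace the root object');
  let node = obj;
  for (const tok of toks.slice(0, -1)) {
    if (node === null || typeof node !== 'object' || !has(node, tok)) return false;
    node = node[tok];
  }
  const last = toks[toks.length - 1];
  if (node === null || typeof node !== 'object' || !has(node, last)) return false;
  node[last] = value;
  return true;
}

// The masked view the UI shows: every decorated property becomes '*****'.
// Works on a deep copy so the original service config is never mutated.
function maskedCopy(serviceConfig, serviceType, decorators) {
  const copy = JSON.parse(JSON.stringify(serviceConfig));
  const root = decoratorRoot(copy, serviceType);
  for (const d of decorators) setAt(root, d.pointer, '*****');
  return copy;
}

// Constructed service configs; the secrets are placeholders, not real values.
const applicationConfig = {
  id: 'example-app', type: 'Application',
  properties: { url: 'https://svc.example.internal', credentials: { username: 'svc', password: 'dummy-pass' }, api: { token: 'dummy-token' }, timeout: 30 },
};
const adapterConfig = {
  id: 'example-adapter', type: 'ExampleAdapter',
  properties: { id: 'example-adapter', type: 'ExampleAdapter', properties: applicationConfig.properties },
};

console.log(validateDecorators(propertiesDecorators, propertiesSchema)); // []
console.log(validateDecorators([{ type: 'encryption', pointer: '/timeout' }], propertiesSchema));
console.log(JSON.stringify(maskedCopy(adapterConfig, 'adapter', propertiesDecorators)));
```

The own-property check in has() matters: a decorator pointer is configuration, and walking it with the in operator would let a token such as __proto__ escape into Object.prototype. The same validator can be run in CI against a real propertiesSchema.json and propertiesDecorators.json (loaded with JSON.parse) to catch a decorator that names a non-string property or a path that was renamed in the schema.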