Configuring the Security Parameters
Step 6: Server config - security parameters
In this step we show how to configure the OPAL server security parameters.
Declaring these parameters and passing them to the OPAL server causes the server to run in secure mode, which means client identity verification is active. All the values in this section are sensitive; in production you should place them in a secrets store.
When should I run in secure mode?
In a dev environment, secure mode is optional and you can skip this section.
However, in production environments you should run in secure mode.
1) Generating encryption keys
Using a utility such as ssh-keygen we can easily generate the keys (on Windows, see the SSH-keys Windows guide).

```bash
ssh-keygen -t rsa -b 4096 -m pem
```

Follow the prompts to save the keys to two files (the private key and its matching public key).
2) Place encryption keys in environment variables
Env Var Name | Function
---|---
OPAL_AUTH_PRIVATE_KEY | the private key the OPAL server uses to sign the tokens it issues to clients
OPAL_AUTH_PUBLIC_KEY | the public key matching the private key, used to verify those tokens
Example values:

If your private key looks like this (most of the key is redacted):

```
-----BEGIN OPENSSH PRIVATE KEY-----
XXX...
...
...XXX==
-----END OPENSSH PRIVATE KEY-----
```

Declare it like this (notice how we simply replace newlines with underscores; the value must be quoted because the header contains spaces):

```bash
export OPAL_AUTH_PRIVATE_KEY="-----BEGIN OPENSSH PRIVATE KEY-----_XXX..._..._...XXX==_-----END OPENSSH PRIVATE KEY-----"
```

For the public key, it should be something like this (again quoted, since the value contains spaces):

```bash
export OPAL_AUTH_PUBLIC_KEY="ssh-rsa XXX ... XXX== some@one.com"
```
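The newline-to-underscore conversion above is easy to get slightly wrong by hand (a stray trailing underscore from the file's final newline, or a lost line). The following shell script is an added example, not part of the OPAL docs or the OPAL project: it converts a key file into the single-line form, converts it back, and checks that the two forms agree before exporting the variable. The key text it uses is a constructed placeholder, not a real key; the function names are my own.

```shell
#!/bin/sh
# Added example (not OPAL's own code): produce the underscore-joined form of a
# key file for OPAL_AUTH_PRIVATE_KEY and verify the conversion is lossless.
# The sample key below is a constructed placeholder, not a real key.

# Join the lines of a key file with "_". The file's final newline would
# become a trailing "_", so that one is stripped.
opal_key_to_env() {
    tr '\n' '_' < "$1" | sed 's/_$//'
}

# Reverse the transformation. This is unambiguous because PEM/OpenSSH armor
# lines and standard base64 bodies never contain "_", so every underscore in
# the joined value came from a newline.
opal_env_to_key() {
    printf '%s\n' "$1" | tr '_' '\n'
}

# Returns 0 (success) when join followed by split reproduces the file content.
opal_key_roundtrip_ok() {
    orig=$(cat "$1")
    back=$(opal_env_to_key "$(opal_key_to_env "$1")")
    [ "$orig" = "$back" ]
}

# Demo on a constructed placeholder key written to a temp file.
demo_key=$(mktemp)
printf '%s\n' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'XXXXconstructedplaceholderXXXX' \
    'XXXX==' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo_key"

# Only export the variable once the round trip has been checked.
if opal_key_roundtrip_ok "$demo_key"; then
    export OPAL_AUTH_PRIVATE_KEY="$(opal_key_to_env "$demo_key")"
    echo "OPAL_AUTH_PRIVATE_KEY set (${#OPAL_AUTH_PRIVATE_KEY} characters)"
else
    echo "key conversion is not lossless; not exporting" >&2
fi
rm -f "$demo_key"
```

Point `opal_key_to_env` at the private key file ssh-keygen wrote (for example `~/.ssh/opal_key`) to get the value for the real environment variable; the public key is a single line already and needs no conversion beyond quoting.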
3) Configuring the master token
You can choose any secret you'd like, but as we've shown you before, the OPAL CLI can be used to generate cryptographically strong secrets easily.

```bash
opal-server generate-secret
```

You must then configure the master token like so:

Env Var Name | Function
---|---
OPAL_AUTH_MASTER_TOKEN | the master token generated by the CLI (or any other secret you pick)