[Docs] Document Encrypted Saved Objects functionality. #80183
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azasypkin
added
Team:Security
azasypkin
force-pushed
the
issue-xxx-doc-eso
branch
from
07b6e01 to
569b864
Compare
azasypkin
commented
Oct 13, 2020
| @@ -0,0 +1,90 @@ | |||
| [role="xpack"] | |||
| [[xpack-security-secure-saved-objects]] | |||
| === Secure Saved Objects | |||
There was a problem hiding this comment.
note: didn't want to be too specific and say Encrypt, used more generic Secure word....
azasypkin
commented
Oct 13, 2020
| [[xpack-security-secure-saved-objects]] | ||
| === Secure Saved Objects | ||
|
|
||
| In {kib} you usually deal with dashboards, visualizations, alerts, actions, advanced settings, spaces etc. These are so called *Saved Objects* that {kib} stores in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. Moreover, {kib} records any access attempt to such sensitive information in the audit logs. |
There was a problem hiding this comment.
note: That's the shortest introduction to Saved Objects I could come up with, happy to get better ideas! 🙈
There was a problem hiding this comment.
I like this! I think we can do without the audit log reference. We don't document this today, and what we end up logging in the new audit logger will probably differ from what currently exists.
Suggested change
| In {kib} you usually deal with dashboards, visualizations, alerts, actions, advanced settings, spaces etc. These are so called *Saved Objects* that {kib} stores in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. Moreover, {kib} records any access attempt to such sensitive information in the audit logs. | |
| {kib} stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as *Saved Objects*, which are kept in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. |
azasypkin
commented
Oct 13, 2020
|
|
||
| <1> {kib} will rotate encryption key only for the Saved Objects with the `alert` type in batches of 5000 objects. | ||
|
|
||
| For the time being if you specify decryption-only keys {kib} may try to use them all if it cannot decrypt the Saved Object using the primary encryption key. In most of the cases this overhead is negligible, but if you're constantly dealing with the thousands of the Saved Objects that are encrypted and experiencing performance issues you may want to try to rotate encryption key for those objects. |
There was a problem hiding this comment.
note: I'm torn on this one, maybe it's more confusing than useful?
There was a problem hiding this comment.
I feel like this would be better suited at the top of the API doc (once extracted, see other comment). This does a nice job of explaining why you might want to use this API, so I think it's worthwhile to keep in.
|
Pinging @elastic/kibana-security (Team:Security) |
legrego
reviewed
Oct 13, 2020
| [[security-encrypted-saved-objects-settings]] | ||
| ==== Encrypted Saved Objects settings | ||
|
|
||
| You can configure the following settings in the `kibana.yml` file. For more details see <<xpack-security-secure-saved-objects>>. |
There was a problem hiding this comment.
Suggested change
| You can configure the following settings in the `kibana.yml` file. For more details see <<xpack-security-secure-saved-objects>>. | |
| These settings control the encryption of saved objects with sensitive data. For more details see <<xpack-security-secure-saved-objects>>. |
| |=== | ||
| | [[xpack-encryptedSavedObjects-encryptionKey]] `xpack.encryptedSavedObjects.` | ||
| `encryptionKey` | ||
| | An arbitrary string of 32 characters or more that is used to encrypt sensitive properties of the Saved Objects before they're stored in {es}. If not set, {kib} will generate a random key on startup, but certain {kib} functionality won't be available until you set the encryption key explicitly. |
There was a problem hiding this comment.
Suggested change
| | An arbitrary string of 32 characters or more that is used to encrypt sensitive properties of the Saved Objects before they're stored in {es}. If not set, {kib} will generate a random key on startup, but certain {kib} functionality won't be available until you set the encryption key explicitly. | |
| | An arbitrary string of at least 32 characters that is used to encrypt sensitive properties of Saved Objects before they're stored in {es}. If not set, {kib} will generate a random key on startup, but certain features won't be available until you set the encryption key explicitly. |
|
|
||
| | `xpack.encryptedSavedObjects.` | ||
| `keyRotation.decryptionOnlyKeys` | ||
| | An optional list of arbitrary strings of 32 characters or more that were used as <<xpack-encryptedSavedObjects-encryptionKey, `xpack.encryptedSavedObjects.encryptionKey`>> previously. As the name implies {kib} doesn't use these keys for encryption, but may still require them to decrypt some existing Saved Objects. |
There was a problem hiding this comment.
Suggested change
| | An optional list of arbitrary strings of 32 characters or more that were used as <<xpack-encryptedSavedObjects-encryptionKey, `xpack.encryptedSavedObjects.encryptionKey`>> previously. As the name implies {kib} doesn't use these keys for encryption, but may still require them to decrypt some existing Saved Objects. | |
| | An optional list of previously used encryption keys. Like <<xpack-encryptedSavedObjects-encryptionKey, `xpack.encryptedSavedObjects.encryptionKey`>>, these must be at least 32 characters in length. As the name implies {kib} doesn't use these keys for encryption, but may still require them to decrypt some existing Saved Objects. Use this setting if you wish to change your encryption key, but don't want to lose access to saved objects that were previously encrypted with a different key. |
| [[xpack-security-secure-saved-objects]] | ||
| === Secure Saved Objects | ||
|
|
||
| In {kib} you usually deal with dashboards, visualizations, alerts, actions, advanced settings, spaces etc. These are so called *Saved Objects* that {kib} stores in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. Moreover, {kib} records any access attempt to such sensitive information in the audit logs. |
There was a problem hiding this comment.
I like this! I think we can do without the audit log reference. We don't document this today, and what we end up logging in the new audit logger will probably differ from what currently exists.
Suggested change
| In {kib} you usually deal with dashboards, visualizations, alerts, actions, advanced settings, spaces etc. These are so called *Saved Objects* that {kib} stores in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. Moreover, {kib} records any access attempt to such sensitive information in the audit logs. | |
| {kib} stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as *Saved Objects*, which are kept in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. |
|
|
||
| In {kib} you usually deal with dashboards, visualizations, alerts, actions, advanced settings, spaces etc. These are so called *Saved Objects* that {kib} stores in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. Moreover, {kib} records any access attempt to such sensitive information in the audit logs. | ||
|
|
||
| Having sensitive information encrypted means that even if a malicious party can somehow get access to the {kib} internal indices, for example through improperly secured backup, they won't be able to extract that information without knowing an encryption key usually stored separately in a keystore or a configuration file. That's why it's critical to use a cryptographically strong encryption key and keep it safe. |
There was a problem hiding this comment.
Suggested change
| Having sensitive information encrypted means that even if a malicious party can somehow get access to the {kib} internal indices, for example through improperly secured backup, they won't be able to extract that information without knowing an encryption key usually stored separately in a keystore or a configuration file. That's why it's critical to use a cryptographically strong encryption key and keep it safe. | |
| Encrypting sensitive information means that a malicious party with access to the {kib} internal indices won't be able to extract that information without also knowing the encryption key. That's why it's critical to use a cryptographically strong encryption key and keep it safe. |
Here we suggest a cryptographically strong encryption key, but the settings page says that the key can be an arbitrary string of 32 characters or more. I know we're working on a tool for this, but maybe we can have consistent language between the two? Is there any guidance we should add on how to generate a strong key?
There was a problem hiding this comment.
Yeah, I think I'll just remove that sentence. We should either include that everywhere (including reporting and session keys) or don't mention at all. But I don't want to waste our time on that since I hope we will eventually migrate to a single admin-configurable master key and that one will have a proper doc section.
|
|
||
| [IMPORTANT] | ||
| ============================================================================ | ||
| If you don't specify encryption key {kib} will generate a random one automatically at startup time. That means every time you restart {kib} it will use a new ephemeral encryption key and won't be able to decrypt Saved Objects encrypted with another key. To prevent this {kib} plugins may not allow you to perform certain actions until you explicitly set an encryption key. |
There was a problem hiding this comment.
Suggested change
| If you don't specify encryption key {kib} will generate a random one automatically at startup time. That means every time you restart {kib} it will use a new ephemeral encryption key and won't be able to decrypt Saved Objects encrypted with another key. To prevent this {kib} plugins may not allow you to perform certain actions until you explicitly set an encryption key. | |
| If you don't specify encryption key {kib} will generate a random one automatically at startup time. That means every time you restart {kib} it will use a new ephemeral encryption key and won't be able to decrypt Saved Objects encrypted with another key. To prevent data loss, {kib} may disable features which rely on this encryption until you explicitly set an encryption key. |
|
|
||
| Many policies and best practices stipulate that encryption keys should be periodically rotated to decrease the amount of content encrypted with one key and hence limit the potential damage in case the key is compromised. {kib} allows you to rotate encryption keys whenever there is a need. | ||
|
|
||
| As a rule of thumb, when you change an encryption key you still keep the old one for some time. While {kib} will only use a new encryption key to encrypt all new and updated data it still may need to know the old one to decrypt data that was encrypted using that old key. Moreover, it's perfectly possible to have multiple old keys used only for decryption. It's worth noting that {kib} doesn't re-encrypt existing Saved Objects with the new encryption key automatically, re-encryption only happens when you update existing object or use bulk key rotation API explained later on. |
There was a problem hiding this comment.
or use bulk key rotation API explained later on.
Can we add an anchor to the API explanation here instead of saying it's explained later on?
| decryptionOnlyKeys: ["min-32-byte-long-OLD#1-encryption-key", "min-32-byte-long-OLD#2-encryption-key"] <2> | ||
| -------------------------------------------------------------------------------- | ||
|
|
||
| <1> Encryption key {kib} will use to encrypt all new or updated Saved Objects, known as a primary encryption key. |
There was a problem hiding this comment.
Suggested change
| <1> Encryption key {kib} will use to encrypt all new or updated Saved Objects, known as a primary encryption key. | |
| <1> Encryption key {kib} will use to encrypt all new or updated Saved Objects, known as the primary encryption key. |
| ============================================================================ | ||
|
|
||
| At some point you may want to dispose old encryption keys completely, but before that you should make sure there are no Saved Objects left that {kib} encrypted with the encryption key you're going to dispose. You can use bulk key rotation API for that purpose. It will figure out which existing Saved Objects still require decryption-only keys and re-encrypt them with the primary key. It may take a while if you have lots of such Saved Objects: | ||
|
|
There was a problem hiding this comment.
What do you think about extracting this out to the Saved Objects API docs, and then link to it from here?
I think we should also update this to match the format of the other REST API docs (example)
There was a problem hiding this comment.
Yeah, that's a great idea! Will do.
|
|
||
| <1> {kib} will rotate encryption key only for the Saved Objects with the `alert` type in batches of 5000 objects. | ||
|
|
||
| For the time being if you specify decryption-only keys {kib} may try to use them all if it cannot decrypt the Saved Object using the primary encryption key. In most of the cases this overhead is negligible, but if you're constantly dealing with the thousands of the Saved Objects that are encrypted and experiencing performance issues you may want to try to rotate encryption key for those objects. |
There was a problem hiding this comment.
I feel like this would be better suited at the top of the API doc (once extracted, see other comment). This does a nice job of explaining why you might want to use this API, so I think it's worthwhile to keep in.
|
Pinging @elastic/kibana-docs (Team:Docs) |
|
Thanks for review @legrego, should be ready for another pass! |
legrego
reviewed
Oct 14, 2020
docs/api/saved-objects.asciidoc
Outdated
| @@ -28,6 +28,8 @@ The following saved objects APIs are available: | |||
|
|
|||
| * <<saved-objects-api-resolve-import-errors, Resolve import errors API>> to resolve errors from the import API | |||
|
|
|||
| * <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>> to rotate encryption key for the saved objects with encrypted attributes | |||
There was a problem hiding this comment.
Your text is technically more accurate, but I think this is a little easier to read
Suggested change
| * <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>> to rotate encryption key for the saved objects with encrypted attributes | |
| * <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>> to rotate encryption key for encrypted saved objects |
There was a problem hiding this comment.
How about:
to rotate the encryption key...
or to rotate encryption keys...
| <titleabbrev>Rotate encryption key</titleabbrev> | ||
| ++++ | ||
|
|
||
| experimental[] Rotate encryption key for the saved objects with encrypted attributes. |
There was a problem hiding this comment.
Suggested change
| experimental[] Rotate encryption key for the saved objects with encrypted attributes. | |
| experimental[] Rotate encryption key for encrypted saved objects. |
|
|
||
| experimental[] Rotate encryption key for the saved objects with encrypted attributes. | ||
|
|
||
| For the time being if you specify <<xpack-encryptedSavedObjects-keyRotation-decryptionOnlyKeys, decryption-only keys>> {kib} may try to use them all if it cannot decrypt the saved object using the primary encryption key. In most of the cases this overhead is negligible, but if you're constantly dealing with the thousands of the saved objects that are encrypted and experiencing performance issues you may want to try to rotate encryption key for those objects. |
There was a problem hiding this comment.
Suggested change
| For the time being if you specify <<xpack-encryptedSavedObjects-keyRotation-decryptionOnlyKeys, decryption-only keys>> {kib} may try to use them all if it cannot decrypt the saved object using the primary encryption key. In most of the cases this overhead is negligible, but if you're constantly dealing with the thousands of the saved objects that are encrypted and experiencing performance issues you may want to try to rotate encryption key for those objects. | |
| If a saved object cannot be decrypted using the primary encryption key, then {kib} will attempt to decrypt it using the specified <<xpack-encryptedSavedObjects-keyRotation-decryptionOnlyKeys, decryption-only keys>>. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key. |
There was a problem hiding this comment.
👍 The funny thing that the Webstorm built-in "spell checker" didn't like a large number of when I used initially, maybe it's too casual for the tech docs (I actually like a large number better because it's how it would be correct to write in my native language as well) 🙈
| ==== Response body | ||
|
|
||
| `total`:: | ||
| (number) Indicates the total number of _all_ saved objects with the encrypted attributes, irrespective to the key {kib} used for encryption. |
There was a problem hiding this comment.
Suggested change
| (number) Indicates the total number of _all_ saved objects with the encrypted attributes, irrespective to the key {kib} used for encryption. | |
| (number) Indicates the total number of _all_ encrypted saved objects (optionally filtered by the requested `type`), regardless of the key {kib} used for encryption. |
There was a problem hiding this comment.
Ugh, it seems I forgot to update this one, will do!
KOTungseth
reviewed
Oct 14, 2020
docs/api/saved-objects.asciidoc
Outdated
| @@ -28,6 +28,8 @@ The following saved objects APIs are available: | |||
|
|
|||
| * <<saved-objects-api-resolve-import-errors, Resolve import errors API>> to resolve errors from the import API | |||
|
|
|||
| * <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>> to rotate encryption key for the saved objects with encrypted attributes | |||
There was a problem hiding this comment.
How about:
to rotate the encryption key...
or to rotate encryption keys...
| ==== Query parameters | ||
|
|
||
| `type`:: | ||
| (Optional, string) Limits encryption key rotation only to the saved objects with the specified type. By default, {kib} will try to rotate encryption key for all saved object types that may contain encrypted attributes. |
There was a problem hiding this comment.
Suggested change
| (Optional, string) Limits encryption key rotation only to the saved objects with the specified type. By default, {kib} will try to rotate encryption key for all saved object types that may contain encrypted attributes. | |
| (Optional, string) Limits encryption key rotation only to the saved objects with the specified type. By default, {kib} tries to rotate the encryption key for all saved object types that may contain encrypted attributes. |
| (Optional, string) Limits encryption key rotation only to the saved objects with the specified type. By default, {kib} will try to rotate encryption key for all saved object types that may contain encrypted attributes. | ||
|
|
||
| `batchSize`:: | ||
| (Optional, number) Specifies a maximum number of saved objects that {kib} can process in a single batch. Bulk key rotation is an iterative process since {kib} may not be able to fetch and process all required saved objects in one go and hence splits processing into consequent batches. By default, batch size is 10000 which is also a maximum allowed value. |
There was a problem hiding this comment.
Suggested change
| (Optional, number) Specifies a maximum number of saved objects that {kib} can process in a single batch. Bulk key rotation is an iterative process since {kib} may not be able to fetch and process all required saved objects in one go and hence splits processing into consequent batches. By default, batch size is 10000 which is also a maximum allowed value. | |
| (Optional, number) Specifies a maximum number of saved objects that {kib} can process in a single batch. Bulk key rotation is an iterative process since {kib} may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value. |
| `successful`:: | ||
| (number) Indicates the number of the saved objects that were still encrypted with one of the old encryption keys and that {kib} successfully re-encrypted with the primary key. | ||
| + | ||
| NOTE: In most of the cases `total` will be greater than `successful` even if `failed` is zero. The reason is that {kib} may not need or may not be able to rotate encryption key for all saved objects with the encrypted attributes. |
There was a problem hiding this comment.
Suggested change
| NOTE: In most of the cases `total` will be greater than `successful` even if `failed` is zero. The reason is that {kib} may not need or may not be able to rotate encryption key for all saved objects with the encrypted attributes. | |
| NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that {kib} may not need or may not be able to rotate encryption keys for all saved objects with the encrypted attributes. |
| } | ||
| -------------------------------------------------- | ||
|
|
||
| The result indicates that the encryption key was successfully rotated for 300 out of 1000 saved objects with encrypted attributes, and 700 of the saved objects either didn't require key rotation or were encrypted with unknown encryption key. |
There was a problem hiding this comment.
Suggested change
| The result indicates that the encryption key was successfully rotated for 300 out of 1000 saved objects with encrypted attributes, and 700 of the saved objects either didn't require key rotation or were encrypted with unknown encryption key. | |
| The result indicates that the encryption key was successfully rotated for 300 out of 1000 saved objects with encrypted attributes, and 700 of the saved objects either didn't require key rotation, or were encrypted with an unknown encryption key. |
|
|
||
| [IMPORTANT] | ||
| ============================================================================ | ||
| We optimized default parameters for speed and don't expect you to change any of those without a strong need. However, if you're experiencing any issues with this API you may want to decrease a batch size or rotate encryption key for the specific types only. In this case you may need to run key rotation multiple times in a row. |
There was a problem hiding this comment.
Suggested change
| We optimized default parameters for speed and don't expect you to change any of those without a strong need. However, if you're experiencing any issues with this API you may want to decrease a batch size or rotate encryption key for the specific types only. In this case you may need to run key rotation multiple times in a row. | |
| Default parameters are optimized for speed. Change the parameters only when necessary. However, if you're experiencing any issues with this API, you may want to decrease a batch size or rotate the encryption keys for the specific types only. In this case, you may need to run key rotation multiple times in a row. |
| We optimized default parameters for speed and don't expect you to change any of those without a strong need. However, if you're experiencing any issues with this API you may want to decrease a batch size or rotate encryption key for the specific types only. In this case you may need to run key rotation multiple times in a row. | ||
| ============================================================================ | ||
|
|
||
| In this example we perform key rotation for all saved objects with the `alert` type in batches of 5000. |
There was a problem hiding this comment.
Suggested change
| In this example we perform key rotation for all saved objects with the `alert` type in batches of 5000. | |
| In this example, key rotation is performed for all saved objects with the `alert` type in batches of 5000. |
There was a problem hiding this comment.
Thanks! Was trying to fight passive voice with we and {kib} were possible :)
| [[security-encrypted-saved-objects-settings]] | ||
| ==== Encrypted saved objects settings | ||
|
|
||
| These settings control the encryption of saved objects with sensitive data. For more details see <<xpack-security-secure-saved-objects>>. |
There was a problem hiding this comment.
Suggested change
| These settings control the encryption of saved objects with sensitive data. For more details see <<xpack-security-secure-saved-objects>>. | |
| These settings control the encryption of saved objects with sensitive data. For more details, refer to <<xpack-security-secure-saved-objects>>. |
|
|
||
| [IMPORTANT] | ||
| ============ | ||
| In high-availability deployments make sure you use the same encryption and decryption keys for all instances of {kib}. Although the keys can be specified in clear text in `kibana.yml`, it's recommended to store them securely in the <<secure-settings,{kib} Keystore>>. |
There was a problem hiding this comment.
Suggested change
| In high-availability deployments make sure you use the same encryption and decryption keys for all instances of {kib}. Although the keys can be specified in clear text in `kibana.yml`, it's recommended to store them securely in the <<secure-settings,{kib} Keystore>>. | |
| In high-availability deployments, make sure you use the same encryption and decryption keys for all instances of {kib}. Although the keys can be specified in clear text in `kibana.yml`, it's recommended to store them securely in the <<secure-settings,{kib} Keystore>>. |
|
|
||
| | [[xpack-encryptedSavedObjects-keyRotation-decryptionOnlyKeys]] `xpack.encryptedSavedObjects.` | ||
| `keyRotation.decryptionOnlyKeys` | ||
| | An optional list of previously used encryption keys. Like <<xpack-encryptedSavedObjects-encryptionKey, `xpack.encryptedSavedObjects.encryptionKey`>>, these must be at least 32 characters in length. As the name implies {kib} doesn't use these keys for encryption, but may still require them to decrypt some existing saved objects. Use this setting if you wish to change your encryption key, but don't want to lose access to saved objects that were previously encrypted with a different key. |
There was a problem hiding this comment.
Suggested change
| | An optional list of previously used encryption keys. Like <<xpack-encryptedSavedObjects-encryptionKey, `xpack.encryptedSavedObjects.encryptionKey`>>, these must be at least 32 characters in length. As the name implies {kib} doesn't use these keys for encryption, but may still require them to decrypt some existing saved objects. Use this setting if you wish to change your encryption key, but don't want to lose access to saved objects that were previously encrypted with a different key. | |
| | An optional list of previously used encryption keys. Like <<xpack-encryptedSavedObjects-encryptionKey, `xpack.encryptedSavedObjects.encryptionKey`>>, these must be at least 32 characters in length. {kib} doesn't use these keys for encryption, but may still require them to decrypt some existing saved objects. Use this setting if you wish to change your encryption key, but don't want to lose access to saved objects that were previously encrypted with a different key. |
gchaps
reviewed
Oct 14, 2020
| [[xpack-security-secure-saved-objects]] | ||
| === Secure saved objects | ||
|
|
||
| {kib} stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as *saved objects*, which are kept in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. |
There was a problem hiding this comment.
Suggested change
| {kib} stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as *saved objects*, which are kept in a dedicated internal {es} index. If such an object includes any sensitive information, for example a PagerDuty’s integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. | |
| {kib} stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as saved objects, which are kept in a dedicated, internal {es} index. If such an object includes sensitive information, for example a PagerDuty integration key or email server credentials used by the alert action, {kib} encrypts it and makes sure it cannot be accidentally leaked or tampered with. |
|
|
||
| Example `kibana.yml`: | ||
|
|
||
| [IMPORTANT] |
There was a problem hiding this comment.
Move this note below the code box.
|
|
||
| [IMPORTANT] | ||
| ============================================================================ | ||
| If you don't specify encryption key {kib} will generate a random one automatically at startup time. That means every time you restart {kib} it will use a new ephemeral encryption key and won't be able to decrypt saved objects encrypted with another key. To prevent data loss, {kib} may disable features which rely on this encryption until you explicitly set an encryption key. |
There was a problem hiding this comment.
Suggested change
| If you don't specify encryption key {kib} will generate a random one automatically at startup time. That means every time you restart {kib} it will use a new ephemeral encryption key and won't be able to decrypt saved objects encrypted with another key. To prevent data loss, {kib} may disable features which rely on this encryption until you explicitly set an encryption key. | |
| If you don't specify an encryption key, {kib} automatically generates a random key at startup. Every time you restart {kib}, it uses a new ephemeral encryption key and is unable to decrypt saved objects encrypted with another key. To prevent data loss, {kib} might disable features that rely on this encryption until you explicitly set an encryption key. |
| [[encryption-key-rotation]] | ||
| ==== Encryption key rotation | ||
|
|
||
| Many policies and best practices stipulate that encryption keys should be periodically rotated to decrease the amount of content encrypted with one key and hence limit the potential damage in case the key is compromised. {kib} allows you to rotate encryption keys whenever there is a need. |
There was a problem hiding this comment.
Suggested change
| Many policies and best practices stipulate that encryption keys should be periodically rotated to decrease the amount of content encrypted with one key and hence limit the potential damage in case the key is compromised. {kib} allows you to rotate encryption keys whenever there is a need. | |
| Many policies and best practices stipulate that encryption keys should be periodically rotated to decrease the amount of content encrypted with one key and therefore limit the potential damage if the key is compromised. {kib} allows you to rotate encryption keys whenever there is a need. |
|
|
||
| Many policies and best practices stipulate that encryption keys should be periodically rotated to decrease the amount of content encrypted with one key and hence limit the potential damage in case the key is compromised. {kib} allows you to rotate encryption keys whenever there is a need. | ||
|
|
||
| As a rule of thumb, when you change an encryption key you still keep the old one for some time. While {kib} will only use a new encryption key to encrypt all new and updated data it still may need to know the old one to decrypt data that was encrypted using that old key. Moreover, it's perfectly possible to have multiple old keys used only for decryption. It's worth noting that {kib} doesn't re-encrypt existing saved objects with the new encryption key automatically, re-encryption only happens when you update existing object or use <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>>. |
There was a problem hiding this comment.
Suggested change
| As a rule of thumb, when you change an encryption key you still keep the old one for some time. While {kib} will only use a new encryption key to encrypt all new and updated data it still may need to know the old one to decrypt data that was encrypted using that old key. Moreover, it's perfectly possible to have multiple old keys used only for decryption. It's worth noting that {kib} doesn't re-encrypt existing saved objects with the new encryption key automatically, re-encryption only happens when you update existing object or use <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>>. | |
| When you change an encryption key, keep the old one for some time. Although {kib} only uses a new encryption key to encrypt all new and updated data, it still may need the old one to decrypt data that was encrypted using the old key. It's possible to have multiple old keys used only for decryption. {kib} doesn't automatically re-encrypt existing saved objects with the new encryption key. Re-encryption only happens when you update existing objects or use the <<saved-objects-api-rotate-encryption-key, rotate encryption key API>>. |
There was a problem hiding this comment.
As a rule of thumb, when you change an encryption key you still keep the old one for some time. ---> When you change an encryption key, keep the old one for some time. this one is a bit tricky, we don't want to force/recommend and be responsible for that decision, we just say it's usually done like this. But there could be cases when encryption key leaks, data encrypted with it was tampered with something malicious and users really don't want these objects to be decrypted and used for whatever purpose in production. That means old keys should just be disposed immediately. We cannot also call this out specifically since their Security team should know what would be appropriate in their particular case.
@gchaps can you please suggest the appropriate language/tone for this?
There was a problem hiding this comment.
This makes the sentence stronger:
When you change an encryption key, be sure to keep the old one for some time.
|
|
||
| As a rule of thumb, when you change an encryption key you still keep the old one for some time. While {kib} will only use a new encryption key to encrypt all new and updated data it still may need to know the old one to decrypt data that was encrypted using that old key. Moreover, it's perfectly possible to have multiple old keys used only for decryption. It's worth noting that {kib} doesn't re-encrypt existing saved objects with the new encryption key automatically, re-encryption only happens when you update existing object or use <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>>. | ||
|
|
||
| Here is how your `kibana.yml` can look like if you want to use key rotation functionality: |
There was a problem hiding this comment.
Suggested change
| Here is how your `kibana.yml` can look like if you want to use key rotation functionality: | |
| Here is how your `kibana.yml` might look if you use key rotation functionality: |
| decryptionOnlyKeys: ["min-32-byte-long-OLD#1-encryption-key", "min-32-byte-long-OLD#2-encryption-key"] <2> | ||
| -------------------------------------------------------------------------------- | ||
|
|
||
| <1> Encryption key {kib} will use to encrypt all new or updated saved objects, known as the primary encryption key. |
There was a problem hiding this comment.
Suggested change
| <1> Encryption key {kib} will use to encrypt all new or updated saved objects, known as the primary encryption key. | |
| <1> The encryption key {kib} will use to encrypt all new or updated saved objects. This is known as the primary encryption key. |
| -------------------------------------------------------------------------------- | ||
|
|
||
| <1> Encryption key {kib} will use to encrypt all new or updated saved objects, known as the primary encryption key. | ||
| <2> A list of encryption keys {kib} will try to use only to decrypt existing saved objects if decryption with the primary encryption key isn't possible, known as decryption-only or secondary encryption keys. |
There was a problem hiding this comment.
Suggested change
| <2> A list of encryption keys {kib} will try to use only to decrypt existing saved objects if decryption with the primary encryption key isn't possible, known as decryption-only or secondary encryption keys. | |
| <2> A list of encryption keys {kib} will try to use to decrypt existing saved objects if decryption with the primary encryption key isn't possible. These keys are known as the decryption-only or secondary encryption keys. |
|
|
||
| [NOTE] | ||
| ============================================================================ | ||
| You may also leverage this functionality if, by mistake, you ended up with multiple {kib} instances connected to the same {es} cluster that use different encryption keys. In this case you may have a mix of saved objects encrypted with different keys and every {kib} instance can deal only with a specific subset of objects. To fix this you'll need to choose a single primary encryption key for `xpack.encryptedSavedObjects.encryptionKey`, move all other encryption keys to `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys` and sync this configuration across all {kib} instances. |
There was a problem hiding this comment.
Suggested change
| You may also leverage this functionality if, by mistake, you ended up with multiple {kib} instances connected to the same {es} cluster that use different encryption keys. In this case you may have a mix of saved objects encrypted with different keys and every {kib} instance can deal only with a specific subset of objects. To fix this you'll need to choose a single primary encryption key for `xpack.encryptedSavedObjects.encryptionKey`, move all other encryption keys to `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys` and sync this configuration across all {kib} instances. | |
| You might also leverage this functionality if multiple {kib} instances connected to the same {es} cluster use different encryption keys. In this case, you might have a mix of saved objects encrypted with different keys, and every {kib} instance can only deal with a specific subset of objects. To fix this, you must choose a single primary encryption key for `xpack.encryptedSavedObjects.encryptionKey`, move all other encryption keys to `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`, and sync this configuration across all {kib} instances. |
| You may also leverage this functionality if, by mistake, you ended up with multiple {kib} instances connected to the same {es} cluster that use different encryption keys. In this case you may have a mix of saved objects encrypted with different keys and every {kib} instance can deal only with a specific subset of objects. To fix this you'll need to choose a single primary encryption key for `xpack.encryptedSavedObjects.encryptionKey`, move all other encryption keys to `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys` and sync this configuration across all {kib} instances. | ||
| ============================================================================ | ||
|
|
||
| At some point you may want to dispose old encryption keys completely, but before that you should make sure there are no saved objects left that {kib} encrypted with the encryption key you're going to dispose. You can use <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>> for that purpose. It will figure out which existing saved objects still require decryption-only keys and re-encrypt them with the primary key. |
There was a problem hiding this comment.
Suggested change
| At some point you may want to dispose old encryption keys completely, but before that you should make sure there are no saved objects left that {kib} encrypted with the encryption key you're going to dispose. You can use <<saved-objects-api-rotate-encryption-key, Rotate encryption key API>> for that purpose. It will figure out which existing saved objects still require decryption-only keys and re-encrypt them with the primary key. | |
| At some point you might want to dispose of old encryption keys completely. Make sure there are no saved objects that {kib} encrypted with these encryption keys. You can use the <<saved-objects-api-rotate-encryption-key, rotate encryption key API>> to determine which existing saved objects require decryption-only keys and re-encrypt them with the primary key. |
|
Thanks for the great feedback @legrego @KOTungseth @gchaps! PR should be ready for another pass. @gchaps I've left one question for you, would you mind taking a look? |
gchaps
approved these changes
Oct 15, 2020
| You might also leverage this functionality if multiple {kib} instances connected to the same {es} cluster use different encryption keys. In this case, you might have a mix of saved objects encrypted with different keys, and every {kib} instance can only deal with a specific subset of objects. To fix this, you must choose a single primary encryption key for `xpack.encryptedSavedObjects.encryptionKey`, move all other encryption keys to `xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys`, and sync this configuration across all {kib} instances. | ||
| ============================================================================ | ||
|
|
||
| At some point you might want to dispose of old encryption keys completely. Make sure there are no saved objects that {kib} encrypted with these encryption keys. You can use the <<saved-objects-api-rotate-encryption-key, rotate encryption key API>> to determine which existing saved objects require decryption-only keys and re-encrypt them with the primary key. |
There was a problem hiding this comment.
Suggested change
| At some point you might want to dispose of old encryption keys completely. Make sure there are no saved objects that {kib} encrypted with these encryption keys. You can use the <<saved-objects-api-rotate-encryption-key, rotate encryption key API>> to determine which existing saved objects require decryption-only keys and re-encrypt them with the primary key. | |
| At some point you might want to dispose of old encryption keys completely. Make sure there are no saved objects that {kib} encrypted with these encryption keys. You can use the <<saved-objects-api-rotate-encryption-key, rotate encryption key API>> to determine which existing saved objects require decryption-only keys and re-encrypt them with the primary key. |
Suggested change
| At some point you might want to dispose of old encryption keys completely. Make sure there are no saved objects that {kib} encrypted with these encryption keys. You can use the <<saved-objects-api-rotate-encryption-key, rotate encryption key API>> to determine which existing saved objects require decryption-only keys and re-encrypt them with the primary key. | |
| At some point, you might want to dispose of old encryption keys completely. Make sure there are no saved objects that {kib} encrypted with these encryption keys. You can use the <<saved-objects-api-rotate-encryption-key, rotate encryption key API>> to determine which existing saved objects require decryption-only keys and re-encrypt them with the primary key. |
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Oct 19, 2020
* master: (43 commits) [ML] Transforms: Fix tab ids for expanded row. (elastic#80666) server logs config paths to use for runner (elastic#52980) Fix audit logger logging to console even when disabled (elastic#80928) skip flaky suite (elastic#80929) Added Enterprise Search config to kibana-docker (elastic#80872) skip flaky suite (elastic#80914) [keystore_cli] parse values as JSON before adding to keystore (elastic#80848) [Ingest Manager] Fix for comparing versions with -SNAPSHOT suffix (elastic#80742) ECS audit logging (elastic#74640) [Uptime] Add client-side unit tests for remaining synthetics code (elastic#80215) [Security_Solution][Resolver] Promote z-index on node labels (elastic#80854) Move renderHeaderActions back into mount useEffect + update tests (elastic#80861) [Reporting] Document Network Policy configuration (elastic#80431) [Reporting] Add contextual documentation for CSV Max Bytes setting (elastic#80782) Add catch for Enterprise Search sending back a 401 response instead of redirect (elastic#80757) [Actions] Back Button on Add Connector Flyout (elastic#80160) removing `kibana_datatable` in favor of `datatable` (elastic#80548) [Alerting UI] Updating 'Add new' wording (elastic#80509) [Docs] Document Encrypted Saved Objects functionality. (elastic#80183) [Discover] fix auto-refresh (elastic#80635) ...
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Oct 19, 2020
* master: (23 commits) [ML] Transforms: Fix tab ids for expanded row. (elastic#80666) server logs config paths to use for runner (elastic#52980) Fix audit logger logging to console even when disabled (elastic#80928) skip flaky suite (elastic#80929) Added Enterprise Search config to kibana-docker (elastic#80872) skip flaky suite (elastic#80914) [keystore_cli] parse values as JSON before adding to keystore (elastic#80848) [Ingest Manager] Fix for comparing versions with -SNAPSHOT suffix (elastic#80742) ECS audit logging (elastic#74640) [Uptime] Add client-side unit tests for remaining synthetics code (elastic#80215) [Security_Solution][Resolver] Promote z-index on node labels (elastic#80854) Move renderHeaderActions back into mount useEffect + update tests (elastic#80861) [Reporting] Document Network Policy configuration (elastic#80431) [Reporting] Add contextual documentation for CSV Max Bytes setting (elastic#80782) Add catch for Enterprise Search sending back a 401 response instead of redirect (elastic#80757) [Actions] Back Button on Add Connector Flyout (elastic#80160) removing `kibana_datatable` in favor of `datatable` (elastic#80548) [Alerting UI] Updating 'Add new' wording (elastic#80509) [Docs] Document Encrypted Saved Objects functionality. (elastic#80183) [Discover] fix auto-refresh (elastic#80635) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Document Encrypted Saved Objects functionality.
Preview: