We are trying to figure out how Rancher Secrets could be used to improve security for a couple of Rancher environments that we are planning to set up. I’ve read the information at Rancher Secrets and, after also reviewing much of the code, I think that I pretty much understand now how it works (both using AES encryption and using Vault). What I haven’t found out yet is whether there is a way to change the name of the encryption key (by default: “rancher”) to something else, ideally scoped by environment (“rancher-dev”, “rancher-staging”, “rancher-prod”, …). I noticed that the key name is a DynamicStringProperty in cattle, but have no idea how I would change that per environment.
The Rancher Secrets API hosted with the Rancher Server uses the Key Name to reference the encryption key used by the AES encryption or Vault:
- If using the localkey backend (AES encryption), the environment variable `ENC_KEY_PATH` specifies the folder where encryption keys are stored, and the Key Name specifies the file name containing the encryption key.
- If using the vault backend (using Vault’s Transit backend), the environment variable `VAULT_ADDR` specifies the URL of the Vault Server and `VAULT_TOKEN` specifies the access token used to access the Vault Transit encryption key whose name is Key Name.
Since the environment variables above are Rancher (Secrets API) Server variables, they apply to all environments managed by the Rancher Server. Therefore it would be great if the Key Name could be set per environment, so that someone with access to a development environment, for example, would not be able to decrypt a secret encrypted in the production environment. It would also allow different access rules to be applied to each encryption key in Vault.
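As an added illustration (not from the original post or from Rancher’s own code) of the access rules that per-environment key names would make possible, here are two Vault ACL policies: a token holding the dev policy can only use the `rancher-dev` Transit key, and one holding the prod policy only `rancher-prod`. It assumes Transit is mounted at the default `transit/` path and that the two keys have been created.

```hcl
# Constructed example: Vault ACL policies that scope Transit usage to one key
# per Rancher environment. Assumes Transit is mounted at "transit/" (the
# default) and that the keys exist, e.g.:
#   vault write -f transit/keys/rancher-dev
#   vault write -f transit/keys/rancher-prod

# --- file: rancher-secrets-dev.hcl ---
# Load with: vault policy write rancher-secrets-dev rancher-secrets-dev.hcl
# Transit encrypt/decrypt are POST endpoints, so "update" is the capability
# needed; nothing here grants access to the rancher-prod paths or to
# transit/keys/*, so this token cannot read, rotate or delete any key.
path "transit/encrypt/rancher-dev" {
  capabilities = ["update"]
}
path "transit/decrypt/rancher-dev" {
  capabilities = ["update"]
}

# --- file: rancher-secrets-prod.hcl ---
# Load with: vault policy write rancher-secrets-prod rancher-secrets-prod.hcl
# Same shape, bound to the production key only.
path "transit/encrypt/rancher-prod" {
  capabilities = ["update"]
}
path "transit/decrypt/rancher-prod" {
  capabilities = ["update"]
}

# Issue an environment-specific token for each Secrets API deployment:
#   vault token create -policy=rancher-secrets-dev
#   vault token create -policy=rancher-secrets-prod
```

Because the Rancher Server currently uses one `VAULT_TOKEN` and one Key Name for every environment, this separation only takes effect once the Key Name can differ per environment, which is what the post is asking for.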