Encrypting configuration variables and creating a new master key file

The Link comes with a default master key file (MKF) that contains a cipher key. However, the administrator can create a new MKF to generate a fresh cipher key, so that the key is known only to authorized people.

Before you begin

Install the HIP Link and the Runtime Server.

About this task

The administrator creates a master key file to generate a new cipher key instead of continuing to use the default one.

To create a master key file for generating a new cipher key, follow the steps below:

Procedure

  1. On Linux, run the setup script in the Install directory to initialize the HIP runtime environment. On Windows, the HIP runtime environment is already initialized if the administrator has kept DTXHOME in the PATH or has run the createmkf command from the installation location.
  2. On Linux, to generate a random cipher key, run createmkf.sh without a passphrase. On Windows, to generate a random cipher key, run createmkf.bat without a passphrase.
    Alternatively, to be able to reproduce the cipher key if the master key file becomes corrupt or is accidentally deleted in the future, use the -passphrase option to type a passphrase.
    Note: If the passphrase contains spaces between words, enclose the entire passphrase in double quotes. The master key file name can be any valid filename.
  3. To use the new master key file for Link configuration variables, keep the master key file on the host where Docker runs the Link.
    Note: Place the MKF in the directory that the HIP_FILE_DIR environment variable defines in the hip-server.env file, so that the Link can access it directly.
  4. Set the HIP_MKF_LOCATION environment variable in the hip-server.env file to the location and file name where Link can find the master key file.
    For example, the administrator can define the HIP_FILE_DIR as /opt/data/hipfiles, and define the HIP_MKF_LOCATION as /opt/data/hipfiles/configvars.mkf. This way, the master key file can be accessed from the Link as well as the host that runs the Link.
  5. If the administrator has already installed the Link for configuration variables, re-run the install.sh script for the Link to call the new master key file. If the administrator wants to reinstall the Link:
    • Run the stop.sh script to stop the Link, then run the clean.sh script to uninstall, and then run the install.sh script to reinstall. Start HCL Link for configuration variables to start using the new master key file.
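
A check that can be run on the Docker host after step 4 and before step 5, added here as an example and not part of the product or its documentation: it confirms that HIP_MKF_LOCATION points at a regular file under HIP_FILE_DIR and that the file is not accessible beyond its owner. The function names are hypothetical, and the script assumes that hip-server.env holds plain KEY=VALUE lines, that both paths resolve on the host as in the example in step 4, and that owner-only permissions are the local policy.

```shell
#!/bin/sh
# Added example: sanity-check the MKF settings in hip-server.env.
# Assumes plain KEY=VALUE lines and paths that resolve on this host.

# Print the value of KEY ($2) from env file ($1); the last assignment wins.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 if the MKF configuration looks sound, 1 otherwise (reasons on stderr).
check_mkf_env() {
    envfile=$1; rc=0
    [ -r "$envfile" ] || { echo "cannot read $envfile" >&2; return 1; }
    file_dir=$(env_value "$envfile" HIP_FILE_DIR)
    mkf=$(env_value "$envfile" HIP_MKF_LOCATION)
    [ -n "$file_dir" ] || { echo "HIP_FILE_DIR is not set" >&2; return 1; }
    [ -n "$mkf" ] || { echo "HIP_MKF_LOCATION is not set" >&2; return 1; }

    # Step 3 note: the MKF belongs in the HIP_FILE_DIR directory.
    case "$mkf" in
        */../*) echo "$mkf contains '..'" >&2; rc=1 ;;
        "${file_dir%/}"/*) ;;
        *) echo "$mkf is not under $file_dir" >&2; rc=1 ;;
    esac

    # The key file must exist as a regular file, not a symlink.
    if [ -L "$mkf" ] || [ ! -f "$mkf" ]; then
        echo "$mkf is missing or not a regular file" >&2
        return 1
    fi

    # Assumed policy: no group or other permission bits on the key file.
    perms=$(ls -ld "$mkf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$mkf is accessible beyond its owner ($perms)" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone use: pass the path to hip-server.env as the first argument.
if [ "$#" -gt 0 ]; then check_mkf_env "$1"; fi
```
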