Encrypt sensitive data in Kong Gateway with a Keyring
Generate an RSA key pair, then set the following parameters, either as environment variables or in kong.conf:
keyring_enabled = on
keyring_strategy = cluster
keyring_recovery_public_key = /path/to/public.pem
Generate an RSA key pair
These keys are needed for disaster recovery. You can generate them using OpenSSL:
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
Set environment variables
Set the variables needed to start Kong Gateway with Keyring enabled. Since the Keyring feature requires a Kong Gateway Enterprise license, make sure to include it in the environment too.
export KONG_LICENSE_DATA="LICENSE-CONTENTS-GO-HERE"
export KONG_KEYRING_ENABLED=on
export KONG_KEYRING_STRATEGY=cluster
export KONG_KEYRING_RECOVERY_PUBLIC_KEY=$(cat public.pem | base64)
Note: KONG_KEYRING_RECOVERY_PUBLIC_KEY can be:
- The absolute path to the generated public key file
- The public key content
- The base64-encoded public key content
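Because the variable accepts three different forms, it is worth resolving it to the PEM text before starting the gateway, so you can see exactly which key the node will hold for recovery. The helper below is an added example, not part of Kong's code or of this page; it assumes the value is one of the three forms listed above and treats anything else as an error.

```shell
#!/bin/sh
# Added example (not Kong's code): resolve KONG_KEYRING_RECOVERY_PUBLIC_KEY
# from any of its three accepted forms (file path, PEM text, base64 of the
# PEM text) to the PEM text, and fail if the result is not a public key.
# Usage: resolve_recovery_key "$KONG_KEYRING_RECOVERY_PUBLIC_KEY"

resolve_recovery_key() {
  value=$1
  if [ -f "$value" ]; then
    # Form 1: path to the generated public key file
    pem=$(cat "$value")
  elif printf '%s' "$value" | grep -q 'BEGIN PUBLIC KEY'; then
    # Form 2: the PEM content itself
    pem=$value
  else
    # Form 3: base64 of the PEM content (line wrapping from `base64` is
    # ignored by the decoder); anything undecodable is rejected
    pem=$(printf '%s' "$value" | base64 -d 2>/dev/null) || return 1
  fi
  # Whatever the form, the result must be a PEM public key
  printf '%s' "$pem" | grep -q 'BEGIN PUBLIC KEY' || return 1
  printf '%s\n' "$pem"
}

# Typical use before starting the gateway: abort if the variable is unusable
# resolve_recovery_key "$KONG_KEYRING_RECOVERY_PUBLIC_KEY" >/dev/null \
#   || { echo "KONG_KEYRING_RECOVERY_PUBLIC_KEY is not a usable public key" >&2; exit 1; }
```

Run it once with the value you intend to export; if it prints the PEM block from public.pem, the gateway will receive the key you generated. Note that only the public half is given to Kong; private.pem stays offline for recovery.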
Start Kong Gateway
Create the Kong Gateway container with the environment variables. In this example, we can use the quickstart:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA \
-e KONG_KEYRING_ENABLED \
-e KONG_KEYRING_STRATEGY \
-e KONG_KEYRING_RECOVERY_PUBLIC_KEY
Generate a key
Using the Admin API, generate a new key in the Keyring:
curl -X POST "http://localhost:8001/keyring/generate" \
-H "Accept: application/json"
You will get a 201 Created response with the key and key ID. The generated key will now be used to encrypt sensitive fields in the database.
Validate
Create a plugin
To validate that it’s working, you can create a plugin with data in an encrypted field, and then check the database to make sure the data is encrypted.
For example, the config.auth.header_value parameter in AI Proxy is encrypted:
echo '
_format_version: "3.0"
plugins:
- name: ai-proxy
  config:
    route_type: llm/v1/chat
    auth:
      header_name: Authorization
      header_value: Bearer my-openai-token
    model:
      provider: openai
      name: gpt-4
      options:
        max_tokens: 512
        temperature: 1.0
' | deck gateway apply -
When you create this plugin while Keyring is enabled, the value of config.auth.header_value will be encrypted in the database. You can check the plugins table in the Kong database to make sure it’s encrypted.
Query the database
- Open an interactive shell in the database container:
  docker exec -it kong-quickstart-database sh
- Connect to the database. With the quickstart, you only need to specify the username kong:
  psql -U kong
- Query the plugins table. With this query, we’ll look for the value of config.auth.header_value for the ai-proxy plugin:
  SELECT "config" -> 'auth' -> 'header_value' FROM public.plugins WHERE "name" = 'ai-proxy';
The value returned should be encrypted.
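The three steps above can be folded into one non-interactive check that is easy to rerun after every deployment. The script below is an added example, not part of Kong's documentation or code: it runs the same query through docker exec and psql, and fails if the stored header_value still contains the plaintext token from the deck file above. It assumes the quickstart container name kong-quickstart-database and the database user kong used on this page.

```shell
#!/bin/sh
# Added example (not Kong's code): verify that the ai-proxy header_value
# stored in the quickstart database is not the plaintext token.

# The plaintext we applied with deck above; constructed for this page
PLAINTEXT='Bearer my-openai-token'

# Run the query from the steps above non-interactively.
# -A -t: unaligned, tuples only, so we get just the JSON value.
query_header_value() {
  docker exec kong-quickstart-database psql -U kong -A -t -c \
    "SELECT \"config\" -> 'auth' -> 'header_value' FROM public.plugins WHERE \"name\" = 'ai-proxy';"
}

# Return 0 if the stored value does not contain the plaintext,
# 1 if the plaintext is present (encryption is not in effect),
# 2 if no row came back (the plugin was not created).
assert_not_plaintext() {
  stored=$1
  plaintext=$2
  if [ -z "$stored" ]; then
    echo "no ai-proxy plugin row found" >&2
    return 2
  fi
  case "$stored" in
    *"$plaintext"*)
      echo "FAIL: plaintext token found in plugins table" >&2
      return 1 ;;
  esac
  echo "OK: stored header_value is not the plaintext"
  return 0
}

main() {
  stored=$(query_header_value)
  assert_not_plaintext "$stored" "$PLAINTEXT"
}

# Only touch the database when invoked with --run, e.g. `sh check.sh --run`
case "${1:-}" in
  --run) main ;;
esac
```

A passing check shows only that the plaintext is absent from the row; pair it with a look at the raw value to confirm it is the opaque ciphertext you expect rather than an empty or truncated field.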
Cleanup
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d