Generate an RSA key pair, then set the following parameters, either as environment variables or in kong.conf:
keyring_enabled = on
keyring_strategy = cluster
keyring_recovery_public_key = /path/to/public.pem
These keys are needed for disaster recovery: the public key is handed to Kong Gateway, while the private key must be kept offline and access-controlled, since it is what allows the Keyring to be recovered. You can generate them using OpenSSL:
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
Check the return code of the command to make sure it completed successfully:
if [[ $? -ne 0 ]]; then
echo "Did not receive the expected return code"
fi
Set the variables needed to start Kong Gateway with Keyring enabled. Since the Keyring feature requires a Kong Gateway Enterprise license, make sure to include it in the environment too.
export KONG_LICENSE_DATA="LICENSE-CONTENTS-GO-HERE"
export KONG_KEYRING_ENABLED="true"
export KONG_KEYRING_STRATEGY="cluster"
export KONG_KEYRING_RECOVERY_PUBLIC_KEY="$(cat public.pem | base64 -w 0)"
Note: KONG_KEYRING_RECOVERY_PUBLIC_KEY can be:
- The absolute path to the generated public key file
- The public key content
- The base64-encoded public key content
The example above uses the base64 form. base64 -w 0 is a GNU coreutils option; on macOS or BSD, produce the same single-line encoding with openssl base64 -A -in public.pem instead.
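The key-generation and variable-setup steps above, as an added example script that is not part of the Kong documentation or tooling. It generates the pair with restrictive permissions, verifies that public.pem really was derived from private.pem by comparing the RSA modulus (so a stale or mismatched public key cannot be handed to Kong), and produces the single-line base64 value portably. Paths and the 2048-bit size match the page; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Kong's own tooling): create and validate the Keyring
# recovery key pair and build the base64 value Kong accepts for
# KONG_KEYRING_RECOVERY_PUBLIC_KEY.
set -eu

# Generate the pair. The umask subshell guarantees the private key is never
# world-readable, not even between creation and chmod.
gen_recovery_keys() {
  local priv="$1" pub="$2"
  ( umask 077 && openssl genrsa -out "$priv" 2048 2>/dev/null )
  openssl rsa -in "$priv" -pubout -out "$pub" 2>/dev/null
  chmod 600 "$priv"
  chmod 644 "$pub"
}

# Return 0 only if the public key carries the same modulus as the private key,
# i.e. it was actually derived from it.
keys_match() {
  local priv="$1" pub="$2" m1 m2
  m1=$(openssl rsa -in "$priv" -noout -modulus 2>/dev/null)
  m2=$(openssl rsa -pubin -in "$pub" -noout -modulus 2>/dev/null)
  [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

# Single-line base64 of a file. `openssl base64 -A` behaves the same on GNU,
# macOS and BSD, unlike `base64 -w 0`.
pem_to_b64() {
  openssl base64 -A -in "$1"
}

# Sanity check: the base64 value must decode back to the exact PEM on disk.
b64_roundtrip_ok() {
  local pub="$1"
  [ "$(pem_to_b64 "$pub" | openssl base64 -d -A)" = "$(cat "$pub")" ]
}

# Usage (run by hand; not executed when the file is sourced):
#   gen_recovery_keys private.pem public.pem
#   keys_match private.pem public.pem || { echo "key mismatch" >&2; exit 1; }
#   export KONG_KEYRING_RECOVERY_PUBLIC_KEY="$(pem_to_b64 public.pem)"
```

After exporting the variable this way, private.pem should be moved off the host that runs Kong Gateway; only public.pem is needed at startup.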
Create the Kong Gateway container with the environment variables. In this example, we can use the quickstart:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA \
-e KONG_KEYRING_ENABLED \
-e KONG_KEYRING_STRATEGY \
-e KONG_KEYRING_RECOVERY_PUBLIC_KEY
Check the return code of the command to make sure it completed successfully:
if [[ $? -ne 0 ]]; then
echo "Did not receive the expected return code"
fi
Using the Admin API, generate a new key in the Keyring:
curl -X POST "http://localhost:8001/keyring/generate" \
-H "Accept: application/json"
You will get a 201 Created response with the key and key ID. The response carries the raw key material, so do not log it or leave it in shell history. The generated key will now be used to encrypt sensitive fields in the database.
To validate that it's working, you can create a plugin with data in an encrypted field, and then check the database to make sure the data is encrypted. For example, the config.auth.header_value parameter in AI Proxy is encrypted:
echo '
_format_version: "3.0"
plugins:
- name: ai-proxy
  config:
    route_type: llm/v1/chat
    auth:
      header_name: Authorization
      header_value: Bearer my-openai-token
    model:
      provider: openai
      name: gpt-4
      options:
        max_tokens: 512
        temperature: 1.0
' | deck gateway apply -
When you create this plugin while Keyring is enabled, the value of config.auth.header_value will be encrypted in the database. You can check the plugins table in the Kong database to make sure it's encrypted.
Open a shell in the quickstart database container:
docker exec -it kong-quickstart-database sh
Connect to the kong database:
psql -U kong
Query the plugins table. With this query, we'll look for the value of config.auth.header_value for the ai-proxy plugin:
SELECT "config" -> 'auth' -> 'header_value' FROM public.plugins WHERE "name" = 'ai-proxy';
The value returned should be an opaque ciphertext rather than the literal Bearer my-openai-token. If the plaintext token is visible, Keyring was not enabled (or no key had been generated) when the plugin was created.
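The database check above, turned into a repeatable test as an added example that is not part of the Kong documentation. The pure function check_field_encrypted works on a value captured from psql and fails if the configured secret is visible in it; verify_in_db wraps the page's query so the same check can run against the quickstart database. Container name, database user, plugin name and secret match the page; the function names and the sample values are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not Kong's own tooling): assert that a plugin secret never
# reaches the plugins table in cleartext.
set -eu

# $1: value of config->auth->header_value as printed by `psql -tA`
#     (a JSON string including its quotes, or empty if no row matched)
# $2: the plaintext secret that was configured
# Returns 0 when a value is present and does not reveal the secret,
# 1 when the secret is stored in cleartext, 2 when nothing was found.
check_field_encrypted() {
  local value="$1" secret="$2"
  if [ -z "$value" ] || [ "$value" = "null" ]; then
    echo "no ai-proxy plugin row / no header_value stored" >&2
    return 2
  fi
  # An unencrypted row holds the exact secret; ciphertext must not contain it.
  case "$value" in
    *"$secret"*)
      echo "FAIL: secret stored in cleartext: $value" >&2
      return 1 ;;
  esac
  echo "OK: header_value does not expose the secret" >&2
  return 0
}

# Runs the page's query inside the quickstart database container (no
# interactive shell needed) and feeds the single result to the check.
verify_in_db() {
  local secret="$1" value
  value=$(docker exec kong-quickstart-database psql -U kong -d kong -tA -c \
    "SELECT \"config\" -> 'auth' -> 'header_value' FROM public.plugins WHERE \"name\" = 'ai-proxy';")
  check_field_encrypted "$value" "$secret"
}

# Constructed sample values, as psql -tA would print them (not real Kong
# output): one cleartext row and one opaque stand-in for an encrypted row.
SAMPLE_PLAINTEXT='"Bearer my-openai-token"'
SAMPLE_ENCRYPTED='"bG9va3MtbGlrZS1vcGFxdWUtY2lwaGVydGV4dA=="'

# Usage against the running quickstart (run by hand):
#   verify_in_db "Bearer my-openai-token"
```

Running verify_in_db right after deck gateway apply gives a non-zero exit when the token is visible, which makes the check usable as a gate in a deployment pipeline rather than a one-off manual query.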
Once you're done, destroy the quickstart environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d