config decrypt

Command: boundary config decrypt

The config decrypt command decrypts sensitive values in a Boundary configuration file. You must mark these values with {{decrypt()}} as appropriate, for example: key = {{decrypt(encrypted_value)}}.

Examples

The following command overwrites the existing configuration file using the -overwrite flag:

$ boundary config decrypt -overwrite config.hcl

In order for this command to perform its task, you must define a "kms" block within the configuration file:

kms "aead" {
   purpose = "config"
   aead_type = "aes-gcm"
   key = "7xtkEoS5EXPbgynwd+dDLHopaCqK8cq0Rpep4eooaTs="
}

You can define the "kms" block in the configuration file or using the -config flag. If you define it in the configuration file, only string parameters are supported, and the markers must be inside the quotation marks that delimit the string. Additionally, if you define the block inline, do not use an "aead" block with the key defined in the configuration file, as it provides no protection.

Usage

$ boundary config decrypt [options] [args]

Command options

• -config (string: "") - The configuration file to decrypt.

• -config-kms (string: "") - If set, the given file is parsed for a "kms" block with purpose config to determine whether it should be used to perform the command. If you do not configure this value, the command expects a block to be defined inline with the configuration file, and will only be able to support quoted string parameters.

• -overwrite - If set, overwrites the existing file. The default value is false.

• -strip - If set, strips the declarations from the file afterwards. The default value is false.