Boundary
config encrypt
Command: boundary config encrypt
The config encrypt command encrypts sensitive values in a Boundary configuration file. You must mark these values with {{encrypt()}} as appropriate, for example: key = {{encrypt(key_value)}}.
Examples
The following command overwrites the existing configuration file using the -overwrite flag:
$ boundary config encrypt -overwrite config.hcl
In order for this command to perform its task, you must define a "kms" block within a configuration file:
kms "aead" {
  purpose   = "config"
  aead_type = "aes-gcm"
  key       = "7xtkEoS5EXPbgynwd+dDLHopaCqK8cq0Rpep4eooaTs="
}
You can define the "kms" block in the configuration file or using the -config
flag. If you define it in the configuration file, only string parameters are
supported, and the markers must be inside the quotation marks that delimit the string.
Additionally, if you define the block inline, do not use an "aead" block with
the key defined in the configuration file as it provides no protection.
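A pre-commit style check for the constraints described above, as an added example that is not part of the Boundary documentation or code base. It assumes that a file already processed by the command no longer contains {{encrypt(...)}} markers and that "kms" block bodies hold no nested braces; audit_config and all sample values are hypothetical.

```python
import re

MARKER = re.compile(r"\{\{encrypt\((.*?)\)\}\}")
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# Assumption: kms block bodies are flat (no nested braces before the close).
KMS_BLOCK = re.compile(r'kms\s+"(\w+)"\s*\{(.*?)\}', re.S)

PENDING = "value still in plaintext, marked for encryption"
UNQUOTED = "marker outside a quoted string while the kms block is inline"
INLINE_KEY = 'inline "aead" kms block keeps its key in this file: no protection'

def audit_config(text):
    """Return sorted (line_number, finding) pairs for one config file."""
    findings = []
    # kms blocks with purpose "config" that are defined in this same file
    inline = [m for m in KMS_BLOCK.finditer(text)
              if re.search(r'purpose\s*=\s*"config"', m.group(2))]
    for m in inline:
        if m.group(1) == "aead" and re.search(r"^\s*key\s*=", m.group(2), re.M):
            findings.append((text.count("\n", 0, m.start()) + 1, INLINE_KEY))
    for line_no, line in enumerate(text.splitlines(), 1):
        spans = [q.span() for q in QUOTED.finditer(line)]
        for m in MARKER.finditer(line):
            findings.append((line_no, PENDING))
            # With an inline kms block, markers must sit inside a quoted string.
            quoted = any(a < m.start() and m.end() < b for a, b in spans)
            if inline and not quoted:
                findings.append((line_no, UNQUOTED))
    return sorted(findings)

# Constructed sample, not a real deployment's configuration.
SAMPLE = '''kms "aead" {
  purpose   = "config"
  aead_type = "aes-gcm"
  key       = "constructed-base64-key"
}
controller {
  database {
    url = "{{encrypt(postgresql://user:constructed@db.example/boundary)}}"
  }
}
kms "aead" {
  purpose = "root"
  key     = {{encrypt(key_value)}}
}
'''

if __name__ == "__main__":
    for line_no, finding in audit_config(SAMPLE):
        print(f"line {line_no}: {finding}")
```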
Usage
$ boundary config encrypt [options] [args]
Command options
-config (string: "") - The configuration file to encrypt.
-config-kms (string: "") - If set, the given file is parsed for a "kms" block with purpose config to determine whether it should be used to perform the command. If you do not configure this value, the command expects a block to be defined inline with the configuration file, and will only be able to support quoted string parameters.
-overwrite - If set, overwrites the existing file. The default value is false.
-strip - If set, strips the declarations from the file afterwards. The default value is false.
CLI options
In addition to the command specific options, there are options common to all CLI commands and subcommands: