Key Management

The Config Server can use a symmetric (shared) key or an asymmetric one (RSA key pair). The asymmetric choice is superior in terms of security, but it is often more convenient to use a symmetric key, since it is a single property value to configure in application.properties.

To configure a symmetric key, you need to set encrypt.key to a secret String (or use the ENCRYPT_KEY environment variable to keep it out of plain-text configuration files).

If you include spring-cloud-starter-bootstrap on the classpath or set spring.cloud.bootstrap.enabled=true as a system property, you will need to set encrypt.key in bootstrap.properties.

You cannot configure an asymmetric key using encrypt.key.

To configure an asymmetric key, use a keystore (for example, one created by the keytool utility that comes with the JDK). The keystore properties are encrypt.keyStore.* with * equal to one of the following:

| Property | Description |
| --- | --- |
| encrypt.keyStore.location | Contains a Resource location |
| encrypt.keyStore.password | Holds the password that unlocks the keystore |
| encrypt.keyStore.alias | Identifies which key in the store to use |
| encrypt.keyStore.type | The type of KeyStore to create. Defaults to jks. |

The encryption is done with the public key, and a private key is needed for decryption. Thus, in principle, you can configure only the public key in the server if you want to only encrypt (and are prepared to decrypt the values yourself locally with the private key). In practice, you might not want to decrypt locally, because it spreads the key management process across all the clients instead of concentrating it in the server. On the other hand, it can be a useful option if your config server is relatively insecure and only a handful of clients need the encrypted properties.
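As an added example (not code from the Spring Cloud Config project), the following script creates an RSA keystore with the JDK keytool and prints the four encrypt.keyStore.* properties listed above, refusing to emit a location that points at a missing file; it also includes a check that a properties file does not still carry a plain-text encrypt.key line when the symmetric key is meant to come from the ENCRYPT_KEY environment variable. The alias (mytestkey), passwords (letmein), distinguished name and file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Spring Cloud Config project: generate an RSA
# keystore with the JDK keytool and print the encrypt.keyStore.* properties
# the Config Server needs. Alias, passwords, DN and file names are placeholders.
set -eu

# Create a keystore holding one RSA key pair. The key password is kept equal
# to the store password, since only encrypt.keyStore.password is configured.
create_keystore() {
  local ks="$1" storepass="$2" alias="$3"
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
    -dname "CN=config-server,OU=demo,O=demo,C=US" \
    -keypass "$storepass" -storepass "$storepass" \
    -keystore "$ks" -storetype JKS
}

# Print the four asymmetric-key properties. Refuses to emit a configuration
# that points at a keystore file which does not exist (returns 1).
keystore_properties() {
  local ks="$1" storepass="$2" alias="$3" abs
  [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 1; }
  case "$ks" in /*) abs="$ks" ;; *) abs="$PWD/$ks" ;; esac
  printf 'encrypt.keyStore.location=file://%s\n' "$abs"
  printf 'encrypt.keyStore.password=%s\n' "$storepass"
  printf 'encrypt.keyStore.alias=%s\n' "$alias"
  printf 'encrypt.keyStore.type=jks\n'
}

# Symmetric alternative: the key should reach the server via the ENCRYPT_KEY
# environment variable, so a properties file that still carries a plain-text
# encrypt.key line is flagged (returns 1; returns 2 if the file is missing).
check_no_plaintext_key() {
  [ -f "$1" ] || return 2
  ! grep -q '^[[:space:]]*encrypt\.key[[:space:]]*=' "$1"
}

# Demo (skipped when keytool is not on PATH): build a keystore in a temp dir
# and show the properties block that would go into application.properties.
if command -v keytool >/dev/null 2>&1; then
  demo_dir="$(mktemp -d)"
  if create_keystore "$demo_dir/server.jks" letmein mytestkey >/dev/null 2>&1; then
    keystore_properties "$demo_dir/server.jks" letmein mytestkey
  else
    echo "keytool failed; no keystore generated" >&2
  fi
fi
```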