Using Multiple Keys and Key Rotation
In addition to the {cipher} prefix in encrypted property values, the Config Server looks for zero or more {name:value} prefixes before the start of the (Base64-encoded) cipher text. The keys are passed to a TextEncryptorLocator, which can do whatever logic it needs to locate a TextEncryptor for the cipher. If you have configured a keystore (encrypt.keystore.location), the default locator looks for keys with aliases supplied by the key prefix, with a cipher text resembling the following:
foo:
  bar: '{cipher}{key:testkey}...'
The locator looks for a key named "testkey". A secret can also be supplied by using a {secret:…} value in the prefix. However, if it is not supplied, the default is to use the keystore password (which is what you get when you build a keystore and do not specify a secret). If you do supply a secret, you should also encrypt the secret using a custom SecretLocator.
When the keys are being used only to encrypt a few bytes of configuration data (that is, they are not being used elsewhere), key rotation is hardly ever necessary on cryptographic grounds. However, you might occasionally need to change the keys (for example, in the event of a security breach). In that case, all the clients would need to change their source config files (for example, in git) and use a new {key:…} prefix in all the ciphers. Note that the clients need to first check that the key alias is available in the Config Server keystore.
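The following is an added example, not code from Spring Cloud Config, that models the two mechanisms described above: how the {cipher}{name:value}... prefixes are split off and handed to a locator that picks a key by alias (falling back to the keystore password when no {secret:…} is given), and how a rotation re-encrypts an existing value under a new {key:…} alias only after confirming the alias exists in the keystore. The keystore contents, aliases, and the XOR-with-SHA-256 "ToyTextEncryptor" are constructed stand-ins for the real TextEncryptor and keystore; the prefix parsing and the alias check are the parts worth studying.

```python
import base64
import hashlib
import re
from typing import Dict, Optional, Tuple

CIPHER_MARKER = "{cipher}"
# One {name:value} prefix; a value ends at the first '}', as in the Config Server format.
PREFIX_RE = re.compile(r"^\{([A-Za-z0-9_.-]+):([^}]*)\}")


def split_prefixes(value: str) -> Tuple[Dict[str, str], str]:
    """Strip the {cipher} marker and any {name:value} prefixes.

    Returns (prefixes, body) where body is the Base64 cipher text that follows
    the last prefix. Raises ValueError for values that are not encrypted.
    """
    if not value.startswith(CIPHER_MARKER):
        raise ValueError("value does not start with {cipher}")
    rest = value[len(CIPHER_MARKER):]
    prefixes: Dict[str, str] = {}
    while True:
        match = PREFIX_RE.match(rest)
        if match is None:
            break
        prefixes[match.group(1)] = match.group(2)
        rest = rest[match.end():]
    return prefixes, rest


class ToyTextEncryptor:
    """Hypothetical stand-in for Spring's TextEncryptor, NOT the real cipher.

    XORs the text with a SHA-256 keystream derived from key material and secret;
    it exists only to show how the locator/prefix plumbing fits together.
    """

    def __init__(self, key_material: bytes, secret: str) -> None:
        self._k = hashlib.sha256(key_material + secret.encode()).digest()

    def _keystream(self, length: int) -> bytes:
        out, block = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self._k + block.to_bytes(4, "big")).digest()
            block += 1
        return out[:length]

    def encrypt(self, text: str) -> str:
        data = text.encode()
        xored = bytes(a ^ b for a, b in zip(data, self._keystream(len(data))))
        return base64.b64encode(xored).decode()

    def decrypt(self, b64: str) -> str:
        data = base64.b64decode(b64)
        return bytes(a ^ b for a, b in zip(data, self._keystream(len(data)))).decode()


class KeyStoreLocator:
    """Model of the default keystore-backed locator (simplified, not Spring's class).

    'key' selects a keystore alias; 'secret' overrides the keystore password.
    An alias missing from the keystore is an error, which is the check clients
    must make before switching to a new {key:...} prefix after rotation.
    """

    def __init__(self, keystore: Dict[str, bytes], keystore_password: str, default_alias: str) -> None:
        self._keystore = keystore
        self._password = keystore_password
        self._default_alias = default_alias

    def has_alias(self, alias: str) -> bool:
        return alias in self._keystore

    def locate(self, prefixes: Dict[str, str]) -> ToyTextEncryptor:
        alias = prefixes.get("key", self._default_alias)
        if not self.has_alias(alias):
            raise KeyError(f"key alias '{alias}' is not in the Config Server keystore")
        secret = prefixes.get("secret", self._password)  # default: keystore password
        return ToyTextEncryptor(self._keystore[alias], secret)


def encrypt_property(locator: KeyStoreLocator, plaintext: str, alias: str,
                     secret: Optional[str] = None) -> str:
    """Build a value of the form {cipher}{key:alias}[{secret:...}]<base64>."""
    prefixes = {"key": alias}
    if secret is not None:
        prefixes["secret"] = secret
    prefix_text = "".join(f"{{{name}:{val}}}" for name, val in prefixes.items())
    return CIPHER_MARKER + prefix_text + locator.locate(prefixes).encrypt(plaintext)


def decrypt_property(locator: KeyStoreLocator, value: str) -> str:
    prefixes, body = split_prefixes(value)
    return locator.locate(prefixes).decrypt(body)


def rotate_property(locator: KeyStoreLocator, value: str, new_alias: str) -> str:
    """Rotation as described: decrypt under the old {key:...}, re-encrypt under the new one."""
    if not locator.has_alias(new_alias):
        raise KeyError(f"refusing to rotate: alias '{new_alias}' is not in the keystore yet")
    return encrypt_property(locator, decrypt_property(locator, value), new_alias)


# Constructed sample keystore: alias -> key bytes (placeholders, not real keys).
SAMPLE_KEYSTORE = {
    "testkey": hashlib.sha256(b"constructed-testkey").digest(),
    "key2025": hashlib.sha256(b"constructed-key2025").digest(),
}
SAMPLE_LOCATOR = KeyStoreLocator(SAMPLE_KEYSTORE, "keystore-password", "testkey")

if __name__ == "__main__":
    original = encrypt_property(SAMPLE_LOCATOR, "db-password", "testkey")
    print("foo.bar:", original)
    print("rotated:", rotate_property(SAMPLE_LOCATOR, original, "key2025"))
```

Running the block prints a value carrying {key:testkey} and its rotated counterpart carrying {key:key2025}; the decrypt side reads the alias from the prefix, so a value whose alias is absent from the keystore fails at locate() rather than silently decrypting with the wrong key.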
If you want to let the Config Server handle all encryption as well as decryption, the |