Set the namespace encryption key using Secret Agent

Problem

How can Aerospike retrieve an encryption key from an external secrets store when configuring device encryption?

Context

Aerospike Secret Agent provides a unified interface for integrating external secrets stores with Aerospike. It allows sensitive configuration values (such as encryption keys or TLS passwords) to be retrieved from a supported secret management system when the server needs them, rather than being stored directly in aerospike.conf or in files on the node's local disk.

Supported secret backends include systems such as HashiCorp Vault, Kubernetes Secrets, and file-based secrets.


Method

When using Secret Agent, configuration parameters that normally reference a file or value can instead use the special `secret:` syntax.

For example, the `encryption-key-file` parameter can reference a secret managed by Secret Agent:

namespace test {
    replication-factor 2
    memory-size 2G

    storage-engine device {
        device /dev/sdc

        encryption-key-file secret:<resource-name>:<secret-key>
        encryption aes-256
    }
}

  • <resource-name> is the resource defined in the Secret Agent configuration.
  • <secret-key> is the key within that resource whose value is used as the encryption key.


At runtime, the server requests the referenced secret from the locally running Secret Agent service and uses the returned value as the encryption key; the key itself is never written to aerospike.conf or to a key file on the node. Note that the agent holds the credentials for the backing secrets store and hands the key to the server on request, so access to the agent's endpoint and to its configuration file should be restricted as tightly as access to the key file it replaces.

Prerequisites

  • Aerospike Secret Agent must be installed and running.
  • The secret resource must be configured in the Secret Agent configuration file.
  • The referenced key must exist within the configured resource.
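The last two prerequisites can be checked before restarting the server. The following is an added example, not Aerospike's own code or tooling: it walks the stanza structure of aerospike.conf, extracts every `secret:<resource-name>:<secret-key>` reference, resolves each one against an inventory of resources and keys, and also flags namespaces whose `encryption-key-file` still points at a file on the node. The inventory is a plain dict that the operator is assumed to fill from their Secret Agent configuration (the agent's own file format is not modelled here), and the configuration text in the block is constructed sample input.

```python
"""Pre-flight check for secret: references in aerospike.conf.

Added example, not Aerospike's own code. The SAMPLE_CONF text and the
SAMPLE_INVENTORY dict are constructed for this example; the inventory is
assumed to mirror the resources and keys defined in the Secret Agent
configuration, whose file format is not modelled here.
"""
from collections import namedtuple

SECRET_PREFIX = "secret:"

# context: stanza path such as "namespace test/storage-engine device"
# param:   parameter name such as "encryption-key-file"
SecretRef = namedtuple("SecretRef", "context param resource key")


def parse_secret_value(value):
    """Return (resource, key) for a secret: value, None for any other value.

    A reference with a missing or empty part is malformed and raises rather
    than silently resolving to something else.
    """
    if not value.startswith(SECRET_PREFIX):
        return None
    parts = value[len(SECRET_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"malformed secret reference: {value!r}")
    return parts[0], parts[1]


def iter_params(conf_text):
    """Yield (context, param, value) for each parameter line, tracking stanzas."""
    stack = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            tokens = line.split(None, 1)
            if len(tokens) == 2:
                yield "/".join(stack), tokens[0], tokens[1]


def find_secret_refs(conf_text):
    """Collect every secret: reference in the configuration."""
    refs = []
    for context, param, value in iter_params(conf_text):
        parsed = parse_secret_value(value)
        if parsed is not None:
            refs.append(SecretRef(context, param, *parsed))
    return refs


def find_plaintext_key_files(conf_text):
    """Flag encryption-key-file values that still point at a file on the node."""
    return [(context, value) for context, param, value in iter_params(conf_text)
            if param == "encryption-key-file" and not value.startswith(SECRET_PREFIX)]


def check_refs(refs, inventory):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    for ref in refs:
        if ref.resource not in inventory:
            problems.append(f"{ref.context}: {ref.param} names unknown resource {ref.resource!r}")
        elif ref.key not in inventory[ref.resource]:
            problems.append(f"{ref.context}: {ref.param} names unknown key {ref.key!r} "
                            f"in resource {ref.resource!r}")
    return problems


# Constructed sample: one correct reference, one reference to a key the agent
# does not serve, and one namespace that still uses a local key file.
SAMPLE_CONF = """
namespace test {
    storage-engine device {
        device /dev/sdc
        encryption-key-file secret:encryption:test-key
        encryption aes-256
    }
}
namespace stale {
    storage-engine device {
        device /dev/sdd
        encryption-key-file secret:encryption:old-key   # key was rotated away
        encryption aes-256
    }
}
namespace legacy {
    storage-engine device {
        device /dev/sde
        encryption-key-file /etc/aerospike/legacy.key
        encryption aes-128
    }
}
"""

# Constructed inventory: resource name -> keys the Secret Agent can serve.
SAMPLE_INVENTORY = {"encryption": {"test-key"}}

if __name__ == "__main__":
    refs = find_secret_refs(SAMPLE_CONF)
    for problem in check_refs(refs, SAMPLE_INVENTORY):
        print("PROBLEM:", problem)
    for context, path in find_plaintext_key_files(SAMPLE_CONF):
        print("WARNING:", context, "still reads its key from local file", path)
```

Run against the real aerospike.conf and an inventory taken from the agent configuration, a non-empty problem list means the server would fail to obtain that key at startup, and each warning is a namespace whose key still lives on the node's disk.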


For details on supported configuration parameters and the `secret:` syntax, see:

https://aerospike.com/docs/server/operations/configure/security/secrets
