
Configuring the Security Parameters

Step 6: Server config - security parameters

In this step we show how to configure the OPAL server security parameters.

Declaring these parameters and passing them to the OPAL server will cause the server to run in secure mode, which means client identity verification will be active. All the values in this section are sensitive; in production you should place them in a secrets store.

When should I run in secure mode?

In a dev environment, secure mode is optional and you can skip this section.

However, in production environments you should run in secure mode.

1) Generating encryption keys

Using a utility like ssh-keygen we can easily generate the keys (on Windows, see the SSH-keys Windows guide).

ssh-keygen -t rsa -b 4096 -m pem

Follow the instructions to save the keys to two files.

2) Place encryption keys in environment variables

Env Var Name | Function

OPAL_AUTH_PRIVATE_KEY
  • Content of the var is a private crypto key (e.g. an SSH key)
  • The private key is usually found in id_rsa or a similar file
  • The passed value must be the contents of the key in one line (replace each new line with an underscore, i.e. \n with _)

OPAL_AUTH_PUBLIC_KEY
  • Content of the var is a public crypto key (e.g. an SSH key)
  • The public key is usually found in id_rsa.pub or a similar file
  • The passed value must be the contents of the key in one line.
  • Usually public keys already fit into one line. If not, the encoding is the same as for the private key (replace each new line with an underscore, i.e. \n with _).

Example values:

If your private key looks like this (we redacted most of the key)

-----BEGIN OPENSSH PRIVATE KEY-----
XXX...
...
...XXX==
-----END OPENSSH PRIVATE KEY-----

Declare it like this (notice how we simply replace new lines with underscores; quote the value, because the key header contains spaces and an unquoted export would split it into several words):

export OPAL_AUTH_PRIVATE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----_XXX..._..._...XXX==_-----END OPENSSH PRIVATE KEY-----'

For public keys, it should be something like this (again quoted, since the value contains spaces):

export OPAL_AUTH_PUBLIC_KEY='ssh-rsa XXX ... XXX== some@one.com'
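The newline-to-underscore encoding above is easy to get wrong by hand (a stray trailing underscore, or an unquoted export that splits on the spaces in the PEM header). The following is an added example, not part of the OPAL docs or project: a small POSIX shell helper that encodes a key file into the one-line form, checks that the encoding round-trips back to the original file, and only then exports it. The key file content is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the OPAL docs): encode a PEM/OpenSSH key file into
# the single-line form OPAL expects (newline -> underscore) and verify the
# encoding is reversible before exporting it.

# Replace every newline in the file with an underscore. The file's final
# newline is dropped so the value does not end in a stray underscore.
opal_encode_key() {
    # tr maps '\n' -> '_'; sed strips the trailing '_' left by the last newline
    tr '\n' '_' < "$1" | sed 's/_$//'
}

# Reverse the encoding (what a consumer of the variable has to do).
opal_decode_key() {
    printf '%s\n' "$1" | tr '_' '\n'
}

# Sanity check: PEM headers and base64 bodies never contain '_', so decoding
# the encoded value must reproduce the file. Returns 0 on success.
opal_check_roundtrip() {
    enc=$(opal_encode_key "$1")
    [ "$(opal_decode_key "$enc")" = "$(cat "$1")" ]
}

# Constructed placeholder key for demonstration only; NOT a real key.
SAMPLE_KEY_FILE=$(mktemp)
cat > "$SAMPLE_KEY_FILE" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
PLACEHOLDERLINE1
PLACEHOLDERLINE2==
-----END OPENSSH PRIVATE KEY-----
EOF

if opal_check_roundtrip "$SAMPLE_KEY_FILE"; then
    # Assign then export: the header contains spaces, so the value must be
    # handled as a single word rather than written unquoted on the command line.
    OPAL_AUTH_PRIVATE_KEY=$(opal_encode_key "$SAMPLE_KEY_FILE")
    export OPAL_AUTH_PRIVATE_KEY
    echo "OPAL_AUTH_PRIVATE_KEY set (${#OPAL_AUTH_PRIVATE_KEY} chars)"
else
    echo "round-trip check failed; not exporting" >&2
fi
```

Point the script at your real id_rsa file instead of the placeholder; the same helper works for the public key when it spans more than one line.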

3) Configuring the master token

You can choose any secret you'd like, but as we showed you before, the OPAL CLI can be used to generate cryptographically strong secrets easily.

opal-server generate-secret

You must then configure the master token like so:

Env Var Name | Function

OPAL_AUTH_MASTER_TOKEN | the master token generated by the CLI (or any other secret you pick)

Ensure LOG_DIAGNOSE is set to False to disable diagnostic logging that may expose sensitive information.