1. Transaction Manager for Microservices Developer Guide
  2. Prepare
  3. Prepare a Kubernetes Cluster
  4. Authenticate and Authorize
  5. Generate a Kubernetes Secret for an Encryption Key

3.4.7.1 Generate a Kubernetes Secret for an Encryption Key

To support asynchronous calls, MicroTx stores the authorization and refresh tokens. To store the tokens, you have to encrypt it as you can't store the token directly. To encrypt the tokens, create encryption keys.

MicroTx encrypts the tokens using the encryption keys that you provide. When there is an asynchronous call from MicroTx to participant services, MicroTx fetches the encrypted token, decrypts it, and then attaches the token to the authorization header.
You must generate an encryption key, and then add the key to a Docker secret if you have enabled the authTokenPropagationEnabled property under authorization. The encryption key that you generate must have the following attributes.
  • Symmetric algorithm: AES-256
  • Cipher mode: AES in GCM mode
  • Key length: 32 bytes
  • Length of initialization vectors: 96 bits

MicroTx encrypts the access and refresh tokens, and then uses it later while making calls to participant services. For each transaction, MicroTx generates a new value for the initialization vectors. Each transaction record contains the encrypted metadata information, such as key version and initialization vector value.

  1. Run the following command to generate an encryption key with a key length of 32 bytes.
    openssl rand -hex 16
    Note down the value that is generated. For example, e9f0adab17c0180425147166c2ff1cd3.
  2. Create a Kubernetes secret while using the encrypted key that you have generated as the value. You must create this secret in the namespace where you want to install MicroTx.

    The following sample command creates a Kubernetes secret with the name encryption-secret-key1 in the otmm namespace. 

    kubectl create secret generic encryption-secret-key1 \ --from-literal=secret='e9f0adab17c0180425147166c2ff1cd3' -n otmm
  3. Note down the name of the Kubernetes secret and its version. You will provide these values to for the secretKeyName and version fields in the values.yaml file.

    The following code snippet provides sample values for the encryption field in the values.yaml file. The sample values in this example are based on the values used in the sample commands in this topic. 

    encryption:
  encryptionSecretKeyVersion: "1"
  encryptionSecretKeys:
      - secretKeyName: "encryption-secret-key0"
        version: "0"
      - secretKeyName: " encryption-secret-key1"
        version: "1"

Parent topic: Authenticate and Authorize