1
0
mirror of https://github.com/0rangebananaspy/authelia.git synced 2024-09-14 22:47:21 +07:00
authelia/docs/configuration/secrets.md
James Elliott 347bd1be77
feat(storage): encrypted secret values ()
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330.

Closes 
2021-11-25 12:56:58 +11:00

12 KiB

layout title parent nav_order
default Secrets Configuration 11

Secrets

Configuration of Authelia requires some secrets and passwords. Even if they can be set in the configuration file or standard environment variables, the recommended way to set secrets is to use environment variables as described below.

Environment variables

A secret value can be loaded by Authelia when the configuration key ends with one of the following words: key, secret, password, or token.

If you take the expected environment variable for the configuration option with the _FILE suffix at the end. The value of these environment variables must be the path of a file that is readable by the Authelia process, if they are not, Authelia will fail to load. Authelia will automatically remove the newlines from the end of the files contents.

For instance the LDAP password can be defined in the configuration at the path authentication_backend.ldap.password, so this password could alternatively be set using the environment variable called AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE.

Here is the list of the environment variables which are considered secrets and can be defined. Please note that only secrets can be loaded into the configuration if they end with one of the suffixes above, you can set the value of any other configuration using the environment but instead of loading a file the value of the environment variable is used.

Configuration Key Environment Variable
tls_key AUTHELIA_TLS_KEY_FILE
jwt_secret AUTHELIA_JWT_SECRET_FILE
duo_api.secret_key AUTHELIA_DUO_API_SECRET_KEY_FILE
session.secret AUTHELIA_SESSION_SECRET_FILE
session.redis.password AUTHELIA_SESSION_REDIS_PASSWORD_FILE
session.redis.high_availability.sentinel_password AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE
storage.encryption_key AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
storage.mysql.password AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
storage.postgres.password AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
notifier.smtp.password AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
authentication_backend.ldap.password AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
identity_providers.oidc.issuer_private_key AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
identity_providers.oidc.hmac_secret AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE

Secrets in configuration file

If for some reason you decide on keeping the secrets in the configuration file, it is strongly recommended that you ensure the permissions of the configuration file are appropriately set so that other users or processes cannot access this file. Generally the UNIX permissions that are appropriate are 0600.

Secrets exposed in an environment variable

In all versions 4.30.0+ you can technically set secrets using the environment variables without the _FILE suffix by setting the value to the value you wish to set in configuration, however we strongly urge people not to use this option and instead use the file-based secrets above.

Prior to implementing file secrets the only way you were able to define secret values was either via configuration or via environment variables in plain text.

See this article for reasons why setting them via the file counterparts is highly encouraged.

Docker

Secrets can be provided in a docker-compose.yml either with Docker secrets or bind mounted secret files, examples of these are provided below.

Compose with Docker secrets

This example assumes secrets are stored in /path/to/authelia/secrets/{secretname} on the host and are exposed with Docker secrets in a docker-compose.yml file:

version: '3.8'

networks:
  net:
    driver: bridge

secrets:
  jwt:
    file: /path/to/authelia/secrets/jwt
  duo:
    file: /path/to/authelia/secrets/duo
  session:
    file: /path/to/authelia/secrets/session
  redis:
    file: /path/to/authelia/secrets/redis
  mysql:
    file: /path/to/authelia/secrets/mysql
  smtp:
    file: /path/to/authelia/secrets/smtp
  ldap:
    file: /path/to/authelia/secrets/ldap

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    secrets:
      - jwt
      - duo
      - session
      - redis
      - mysql
      - smtp
      - ldap
    volumes:
      - /path/to/authelia:/config
    networks:
      - net
    expose:
      - 9091
    restart: unless-stopped
    environment:
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
      - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/run/secrets/redis
      - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/mysql
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
      - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/ldap
      - TZ=Australia/Melbourne

Compose with bind mounted secret files

This example assumes secrets are stored in /path/to/authelia/secrets/{secretname} on the host and are exposed with bind mounted secret files in a docker-compose.yml file at /config/secrets/:

version: '3.8'

networks:
  net:
    driver: bridge

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - /path/to/authelia:/config
    networks:
      - net
    expose:
      - 9091
    restart: unless-stopped
    environment:
      - AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt
      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/config/secrets/duo
      - AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session
      - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/config/secrets/redis
      - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/config/secrets/mysql
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
      - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/config/secrets/ldap
      - TZ=Australia/Melbourne

Kubernetes

Secrets can be mounted as files using the following sample manifests.

To create a secret, the following manifest can be used

---
kind: Secret
apiVersion: v1

metadata:
  name: a-nice-name
  namespace: your-authelia-namespace

data:
  duo_key: >-
    UXE1WmM4S0pldnl6eHRwQ3psTGpDbFplOXFueUVyWEZhYjE0Z01IRHN0RT0K    
  
  jwt_secret: >-
    anotherBase64EncodedSecret    

...

where UXE1WmM4S0pldnl6eHRwQ3psTGpDbFplOXFueUVyWEZhYjE0Z01IRHN0RT0K is Base64 encoded for Qq5Zc8KJevyzxtpCzlLjClZe9qnyErXFab14gMHDstE, the actual content of the secret. You can generate these contents with

LENGTH=64
tr -cd '[:alnum:]' < /dev/urandom \
  | fold -w "${LENGTH}"           \
  | head -n 1                     \
  | tr -d '\n'                    \
  | tee actualSecretContent.txt   \
  | base64 --wrap 0               \
  ; echo

which writes the secret's content to the actualSecretContent.txt file and print the Base64 encoded version on stdout. ${LENGTH} is the length in characters of the secret content generated by this pipe. If you don't want the contents to be written to actualSecretContent.txt, just delete the line with the tee command.

Kustomization

  • Filename: ./kustomization.yaml
  • Command: kubectl apply -k
  • Notes: this kustomization expects the Authelia configuration.yml in the same directory. You will need to edit the kustomization.yaml with your desired secrets after the equal signs. If you change the value before the equal sign you'll have to adjust the volumes section of the daemonset template (or deployment template if you're using it).
#filename: ./kustomization.yaml
generatorOptions:
  disableNameSuffixHash: true
  labels:
    type: generated
    app: authelia
configMapGenerator:
  - name: authelia
    files:
      - configuration.yml
secretGenerator:
  - name: authelia
    literals:
      - jwt_secret=myverysecuresecret
      - session_secret=mysessionsecret
      - redis_password=myredispassword
      - sql_password=mysqlpassword
      - ldap_password=myldappassword
      - duo_secret=myduosecretkey
      - smtp_password=mysmtppassword

DaemonSet

  • Filename: ./daemonset.yaml
  • Command: kubectl apply -f ./daemonset.yaml
  • Notes: assumes Kubernetes API 1.16 or greater
#filename: daemonset.yaml
#command: kubectl apply -f daemonset.yaml
#notes: assumes kubernetes api 1.16+
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: authelia
  namespace: authelia
  labels:
    app: authelia
spec:
  selector:
    matchLabels:
      app: authelia
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: authelia
    spec:
      containers:
        - name: authelia
          image: authelia/authelia:latest
          imagePullPolicy: IfNotPresent
          env:
            - name: AUTHELIA_JWT_SECRET_FILE
              value: /app/secrets/jwt
            - name: AUTHELIA_DUO_API_SECRET_KEY_FILE
              value: /app/secrets/duo
            - name: AUTHELIA_SESSION_SECRET_FILE
              value: /app/secrets/session
            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
              value: /app/secrets/ldap_password
            - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
              value: /app/secrets/smtp_password
            - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
              value: /app/secrets/sql_password
            - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
              value: /app/secrets/redis_password
            - name: TZ
              value: America/Toronto
          ports:
            - name: authelia-port
              containerPort: 9091
          startupProbe:
            httpGet:
              path: /api/state
              port: authelia-port
            initialDelaySeconds: 15
            timeoutSeconds: 5
            periodSeconds: 5
            failureThreshold: 4
          livenessProbe:
            httpGet:
              path: /api/state
              port: authelia-port
            initialDelaySeconds: 60
            timeoutSeconds: 5
            periodSeconds: 30
            failureThreshold: 2
          readinessProbe:
            httpGet:
              path: /api/state
              port: authelia-port
            initialDelaySeconds: 15
            timeoutSeconds: 5
            periodSeconds: 5
            failureThreshold: 5
          volumeMounts:
            - mountPath: /config
              name: config-volume
            - mountPath: /app/secrets
              name: secrets
              readOnly: true
      volumes:
        - name: config-volume
          configMap:
            name: authelia
            items:
              - key: configuration.yml
                path: configuration.yml
        - name: secrets
          secret:
            secretName: authelia
            items:
              - key: jwt_secret
                path: jwt
              - key: duo_secret
                path: duo
              - key: session_secret
                path: session
              - key: redis_password
                path: redis_password
              - key: sql_password
                path: sql_password
              - key: ldap_password
                path: ldap_password
              - key: smtp_password
                path: smtp_password