Secret usage with backup and restore

asbackup and asrestore support retrieving values from the Aerospike Secret Agent. This makes it possible to use sensitive information like TLS certificates and passwords as arguments without storing them on the same machine as asbackup and asrestore.

To use secrets as arguments, the Secret Agent must be running and accessible by asbackup and asrestore. Use the following options to connect to the Secret Agent.

Secret Agent options

asbackup and asrestore both support the same Secret Agent-related options.

| Option | Default | Description |
|---|---|---|
| --sa-address=HOST[:PORT] | 127.0.0.1 | Secret Agent’s hostname or IP address to connect to. |
| --sa-port=PORT | 3005 | Port to connect to the Secret Agent. |
| --sa-timeout=MS | 1000 | Timeout used when connecting to and requesting secrets from the Secret Agent. |
| --sa-cafile=TLS_CAPATH | | Path to a trusted CA certificate file in PEM format. Used when authenticating with the Secret Agent. This option enables TLS for all connections with the Secret Agent. |

Secrets as arguments

asbackup and asrestore support using secrets for most of their arguments. Exceptions include the arguments for the Secret Agent itself, and arguments that specify configuration files such as --only-config-file.

The format for using a secret as an argument is secrets[:<RESOURCE_NAME>]:<SECRET_KEY>. See the Aerospike Secret Agent documentation for information about resource names, secret names, and how to set up the Secret Agent service.

Using secrets from Secret Agent

This example uses the secret pass from Secret Agent resource resource1 as the asbackup password argument.

asbackup --sa-address 127.0.0.1:3005 --password secrets:resource1:pass -n test --output-file -

Using secrets from a configuration file

You can use secrets from an Aerospike tools configuration file. The following example configuration file:

  • connects asbackup and asrestore to the Secret Agent at secretagent:3006 using TLS and the certificate at path/to/cacert.pem
  • then connects to Aerospike Database using TLS and the certificate from the Secret Agent at resource “resource1” and secret “aerospike_cafile”.

[secret-agent]
sa-address = "secretagent"
sa-port = "3006"
sa-cafile = "path/to/cacert.pem"
[asbackup]
tls-enable = true
tls-cafile = "secrets:resource1:aerospike_cafile"
[asrestore]
tls-enable = true
tls-cafile = "secrets:resource1:aerospike_cafile"

The following configuration file causes asbackup and asrestore to get the Aerospike host from the Secret Agent.

[secret-agent]
sa-address = "secretagent"
sa-port = "3006"
[cluster]
host = "secrets:resource1:aerospike_host"

The following example configures asbackup to encrypt backup data using an encryption key from the Secret Agent.

[secret-agent]
sa-address = "secretagent"
sa-port = "3006"
[asbackup]
encrypt = "aes256"
encryption-key-file = "secrets:resource1:encrypt_key"
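
A pre-deployment check for configuration files like the ones above, added here as an example and not part of the Aerospike tools: it parses the secrets[:<RESOURCE_NAME>]:<SECRET_KEY> format, flags literal values in sensitive keys, and flags secret references used without sa-cafile (so without TLS to the Secret Agent). The set of sensitive keys, the rule that neither part of a reference contains ":", and the simple line parser are assumptions of this example.

```python
import re

SENSITIVE_KEYS = {"password", "encryption-key-file"}  # assumed policy for this example
LINE = re.compile(r'^([\w-]+)\s*=\s*"?([^"#]*?)"?$')
# Constructed sample: literal password, malformed reference, no sa-cafile.
SAMPLE = '''[secret-agent]
sa-address = "secretagent"
[cluster]
host = "secrets:resource1:aerospike_host"
password = "example-literal"
[asbackup]
encryption-key-file = "secrets:resource1:"
'''

def parse_secret_ref(value):
    """Return (resource, key) for secrets[:<RESOURCE_NAME>]:<SECRET_KEY>, else None."""
    if not value.startswith("secrets:"):
        return None
    parts = value.split(":")[1:]
    if len(parts) not in (1, 2) or not all(parts):
        raise ValueError(f"malformed secret reference: {value!r}")
    return (parts[0] if len(parts) == 2 else None, parts[-1])

def audit(text):
    """Lint simple [section] / key = value lines; returns (line_no, message) pairs."""
    findings, section, uses_secrets, agent = [], None, False, {}
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if line.startswith("["):
            section = line.strip("[]")
        if not (m := LINE.match(line)):
            continue
        key, value = m.groups()
        try:
            ref = parse_secret_ref(value)
        except ValueError as err:
            findings.append((n, str(err)))
            continue
        if section == "secret-agent":
            agent[key] = value
            if ref:
                findings.append((n, f"{key}: Secret Agent options cannot be secrets"))
        elif ref:
            uses_secrets = True
        elif key in SENSITIVE_KEYS:
            findings.append((n, f"{key}: literal value, expected a secrets: reference"))
    if uses_secrets and "sa-cafile" not in agent:
        findings.append((0, "secrets in use but sa-cafile unset: no TLS to Secret Agent"))
    return findings
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Line number 0 marks a file-level finding rather than a specific line.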