You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
excerpt: Secure your Cold Stored logs by encrypting them with your PGP public key
6
8
section: Features
7
-
updated: 2023-03-07
9
+
updated: 2023-03-10
8
10
---
9
11
10
-
**Last updated 7th March, 2023**
12
+
**Last updated 10th March, 2023**
11
13
12
14
## Objective
13
15
14
-
With the [Cold Storage feature](../cold-storage){.ref} you can generate daily archives for your log streams.
16
+
With the [Cold Storage feature](../cold-storage) you can generate daily archives for your log streams.
15
17
16
-
On top of that you can secure these archives by encrypting them with one or more of your PGP public keys. Only the owner of the private keys will be able to decrypt and see the archives content.
18
+
On top of that, you can secure these archives by encrypting them with one or more of your PGP public keys. Only the owner of the private keys will be able to decrypt and see the archives content.
17
19
18
20
## Requirements
19
21
20
-
This is what you need to get you started:
22
+
This is what you need to get started:
21
23
22
-
- A stream with cold storage enabled. You can follow this [Cold Storage tutorial](../cold-storage){.ref} to set it up
23
-
- An existing PGP keypair, or a machine with the `gpg` binary to generate a new PGP keypair
24
+
- A stream with cold storage enabled. You can follow this [Cold Storage tutorial](../cold-storage) to set it up.
25
+
- An existing PGP keypair, or a machine with the `gpg` binary to generate a new PGP keypair.
24
26
25
27
## Instructions
26
28
27
29
### Get a PGP public key
28
30
29
-
First of all, you need a PGP keypair. You can use an existing keypair or create a new one. Both cases are documented bellow.
31
+
First of all, you need a PGP keypair. You can use an existing keypair or create a new one. Both cases are documented below.
30
32
The only restrictions we impose regarding this keypair are:
31
33
32
-
-use RSA 4096 or ECC with Curve 25519 as public key algorithms
34
+
-using RSA 4096 or ECC with Curve 25519 as public key algorithms
- One for `John Doe <john@doe.org>`, which fingerprint is `448940C5335D1D278788F4AF67336C97696A1BE0`, which is an EdDSA/ECDH key (`ed25519`/`cv25519`), and which don't have any expiration date
64
+
- One for `John Smith <john@smith.org>`, which fingerprint is `448940C5335D1D278788F4AF67336C97696A1BE0`, which is an EdDSA/ECDH key (`ed25519`/`cv25519`), and which doesn't have any expiration date
63
65
-**This key is usable for Cold Storage Encryption**
64
66
- One for `Robert Dupont <[email protected]>`, which fingerprint is `A742F6D3566178F008066E252BE29904DDDA4BA1`, which is an RSA 3072 key, and which expires on `2025-03-06`
65
67
-**This key is NOT usable for Cold Storage Encryption**, as it uses RSA < 4096 and has an expiration date
66
68
67
-
Once you identified a key which match our restrictions, you can export the **public** key in an ASCII armored format with the following command, using its fingerprint:
69
+
Once you identified a key which matches our restrictions, you can export the **public** key in an ASCII armored format with the following command, using its fingerprint:
68
70
69
71
```shell-session
70
-
# Replace the fingerprint bellow with the one of your key
72
+
# Replace the fingerprint below with the one of your key
### Register your PGP public key in your Logs Data Platform account
198
198
199
-
In the home page of your Logs Data Platform service, in the bottom left you will find a `Configuration` panel. In this panel, in the `PGP encryption keys` line, click on **"..."** and then `Edit`{.action}:
199
+
In the home page of your Logs Data Platform service, in the bottom left you will find a `Configuration` panel. In this panel, in the `PGP encryption keys` line, click the `...`{.action} button and then `Edit`{.action}:
200
200
201
201
{.thumbnail}
202
202
203
203
You will land on the `PGP encryption keys` page, where you can manage your keys.
204
204
It is from this page that you can add, delete, or view the details of your PGP encryption keys. You can also view there how many archives have been encrypted with a given key.
205
205
206
-
You will possibly view some keys named `LDP Recovery key <cluster name>`, that you did not add yourself. We will talk about these LDP Recovery keys later.
206
+
You will possibly view some keys named `LDP Recovery key <cluster name>`, that you did not add yourself. We will mention these LDP Recovery keys later in this documentation.
207
207
208
208
{.thumbnail}
209
209
210
-
To register your PGP public key to your Logs Data Platform account, click on the `Add a PGP encryption key`{.action} button.
211
-
You will land on a form where you have three fields to fill:
210
+
To register your PGP public key into your Logs Data Platform account, click on the `Add a PGP encryption key`{.action} button.
211
+
You will land on a form in which you have three fields to fill in:
212
212
213
-
-**Name**: it is the display name of this PGP public key inside OVHcloud systems. It can be the same as your PGP key UID (usualy`First name Last name <email>`), but it can also be something totaly different. As it's only a display name, put whatever is relevant for you
214
-
-**Fingerprint**: your PGP key fingerprint, in its 40 characters hexadecimal version. In the example above where we generated a new key, it is `E9136DAF94BD3D708C855124A7109E653C115379`
215
-
-**Content**: the ASCII armored content of your PGP **public** key. Copy paste here the full block beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending by `-----END PGP PUBLIC KEY BLOCK-----`
213
+
-**Name**: it is the display name of this PGP public key inside OVHcloud systems. It can be the same as your PGP key UID (usually`First name Last name <email>`), but it can also be something totally different. As it's only a display name, enter whatever is relevant for you.
214
+
-**Fingerprint**: your PGP key fingerprint, in its 40 characters hexadecimal version. In the example above in which we generated a new key, it is `E9136DAF94BD3D708C855124A7109E653C115379`.
215
+
-**Content**: the ASCII armored content of your PGP **public** key. Copy paste here the full block beginning with `-----BEGIN PGP PUBLIC KEY BLOCK-----` and ending by `-----END PGP PUBLIC KEY BLOCK-----`.
216
216
217
-
Even if the fingerprint can be deducted from the PGP public key content, we want you to specify both so we are 100% sure you are adding the correct key.
217
+
Even if the fingerprint can be deducted from the PGP public key content, we want you to specify both so that we are 100% sure you are adding the correct key.
218
218
219
219
{.thumbnail}
220
220
221
-
Then click on `Save`{.action}.
221
+
Then click `Save`{.action}.
222
222
223
-
If anything is wrong with your public key (unsuported algorithm, mismatch between fingerprint & key content, etc.) a precise error will be printed.
223
+
If anything is wrong with your public key (unsupported algorithm, mismatch between fingerprint & key content, etc.) an explicit error message will be printed.
224
224
225
225
### Update your stream Cold Storage configuration to use encryption
226
226
227
227
Now that you added your PGP public key to your Logs Data Platform account, you can use it in your streams cold storage configurations.
228
228
229
-
For this, go to the `Data Stream` tab, pick the stream for which you want cold storage encryption, click on **"..."**and then `Edit`{.action}.
229
+
For this, go to the `Data Stream` tab, pick the stream for which you want cold storage encryption, click the `...`{.action} button and then click`Edit`{.action}.
230
230
231
-
- Ensure the `Enable long-term storage` option is checked. You can refer to the [Cold Storage feature](../cold-storage){.ref} documentation to know about each of its fields.
231
+
- Ensure the `Enable long-term storage` option is checked. You can refer to the [Cold Storage feature](../cold-storage) documentation to know about each of its fields.
232
232
- Check the `Encrypt archives with my PGP encryption keys` option
233
233
- Select each PGP encryption key you want your archive to be encrypted with
That's it: now each archive produced by this stream will be encrypted with the selected keys (don't forget that archives are produced 2 days after logs are sends).
238
+
That's it: now each archive produced by this stream will be encrypted with the selected keys (don't forget that archives are produced 2 days after logs are sent).
239
239
240
240
> [!primary]
241
241
>
242
-
> For a given stream, you can select up to five of your encryption keys
243
-
> (the LDP Recovery Keys are not included in this five keys).
244
-
> A given encryption key can be used in several coldstorage configurations.
242
+
> For a given stream, you can select up to five of your encryption keys (the LDP Recovery Keys are not included in this five keys).
243
+
> A given encryption key can be used in several cold storage configurations.
245
244
>
246
245
247
246
### Know which key was used to encrypt which archive
248
247
249
-
In the `Data Stream` tab, you can see how many archives exist for each stream. On a stream where you have some archives, click on **"..."**and then `Archives`{.action}
248
+
In the `Data Stream` tab, you can see how many archives exist for each stream. On a stream on which you have some archives, click the`...`{.action} button and then click `Archives`{.action}.
250
249
251
250
{.thumbnail}
252
251
@@ -258,15 +257,15 @@ In this archives list, you can see a `PGP encryption keys` column.
258
257
#### Download and decrypt your archives
259
258
260
259
Once your encrypted archives are available, you can retrieve them [following this tutorial](../cold-storage/#retrieving-the-archives).
261
-
To decrypt a given archive, you can use `gpg` on a machine where your private key is present:
260
+
To decrypt a given archive, you can use `gpg` on a machine on which your private key is present:
gpg: encrypted with 4096-bit RSA key, ID 97B70793B8270D80, created 2022-05-10
269
-
"John Doe <john.doe@corp.acme.org>"
268
+
"John Doe <john.smith@corp.acme.org>"
270
269
271
270
$ ls
272
271
2022-11-15.zst 2022-11-15.zst.pgp
@@ -275,21 +274,22 @@ $ ls
275
274
### The LDP Recovery Key
276
275
277
276
Now your stream's archives are encrypted with your PGP public keys, and only the owner of the related private keys can decrypt the archives.
277
+
278
278
But what if you lose access to your private keys or to your passphrase ? In such a case, you won't be able to decrypt your archives anymore, and won't be able to see the archives content.
279
279
280
-
To avoid such a situation, we provide the `LDP Recovery Keys`. These are also PGP public keys you can use in your coldstorage configuration, but which private keys are owned by OVHcloud. Thus if you choosed to use `LDP Recovery Keys` in addition to your own keys, and you lose access to your private keys, OVHcloud teams will still be able to decrypt your archives; re-encrypt it with your new keys; and send you these re-encrypted archives.
280
+
To avoid such a situation, we provide the `LDP Recovery Keys`. These are also PGP public keys you can use in your cold storage configuration, but which private keys are owned by OVHcloud. Thus if you chose to use `LDP Recovery Keys` in addition to your own keys, and you lose access to your private keys, OVHcloud teams will still be able to decrypt your archives, re-encrypt it with your new keys and send you these re-encrypted archives.
281
281
282
-
Note that this feature is opt-in: you have to explicitly select the `LDP Recovery Key` in your stream's coldstorage configuration to benefit from this feature.
282
+
Note that this feature is opt-in: you have to explicitly select the `LDP Recovery Key` in your stream's cold storage configuration to benefit from this feature.
283
283
284
284
#### Ask OVHcloud to recover your encrypted archive
285
285
286
-
If the situation described above happens (you lost your private key, but your archive is also encrypted with the `LDP Recovery Key`), you will have to [contact OVHcloud support](https://www.ovhcloud.com/de/contact/). Open a ticket and describe precisely the name of your Logs Data Platform service, the name of the stream and the name of the archive. You will also have to provide a new PGP encryption key (a one you already added to your Logs Data Platform account).
286
+
If the situation described above happens (you lost your private key, but your archive is also encrypted with the `LDP Recovery Key`), you will have to [contact OVHcloud support](https://www.ovhcloud.com/en/contact/). Open a ticket and describe precisely the name of your Logs Data Platform service, the name of the stream and the name of the archive. You will also have to provide a new PGP encryption key (a key you already added to your Logs Data Platform account).
287
287
288
288
The Logs Data Platform team will then take care of your request.
0 commit comments