A newer version of this documentation is available.

View Latest

Manage System Secrets

    +
    System secrets can be managed with a special degree of security.

    Understanding System Secrets

    Secret-Management (which is an Enterprise Edition feature of Couchbase Server) allows system secrets to be written to disk in encrypted format. Secrets are Couchbase Server-defined, and include system-essential passwords and certificates. Couchbase uses an AES 256-bit algorithm in GCM mode, to encrypt secrets using an encryption hierarchy.

    Setting the Master Password

    Secret-Management is an optional feature that only works when the master password is set for each Couchbase Server node. This can be specified by means of the master-password CLI command; the REST API POST /node/controller/changeMasterPassword method; and (on all supported operating systems other than Mac OS X) by explicitly setting the CB_MASTER_PASSWORD environment variable, at the command-prompt.

    Note that since the CB_MASTER_PASSWORD does not work with Couchbase Server on Mac OS X, Mac developers should open the /Applications/Couchbase Server.app/Contents/Resources/start-server.sh script, and add the export variable to that file.

    When you specify the master password, Couchbase Server derives a master key from that password, using the strong Key Derivation Function PBKDF2. Couchbase Server also creates a random data key, which is then encrypted with the master key. The data key will be used to encrypt all secrets on disk, using an AES 256-bit algorithm, in GCM mode. To bootstrap the system, the master key is used to open the encrypted data key; the data key is then used to open the encrypted secrets; and the secrets are then used to start Couchbase Server.

    If you establish the master password by setting the environment variable for the current node while Couchbase Server is running, Couchbase Server performs encryption on secrets from that point. However, by default, the decryption of secrets relies on Couchbase Server having read the environment variable on startup. Therefore, if Couchbase Server has already been started as a service at the time you set the environment variable, you must explicitly make the newly established variable available to the service. If Couchbase Server has already been started as a script, you must use the export command, to make it available to the script.

    At start-up, Couchbase Server waits for the master password to be entered at the prompt. Enter the password by means of the master-password CLI command, with the --send-password option:

    couchbase-cli master-password --send-password
    • This CLI command needs to be run on the same host on which Couchbase Server is running.

    • The user running the command needs to have read access to the couchbase group.

    • You have three attempts to enter the password correctly. If the password is not entered correctly after 3 attempts, the server will need to be restarted before you can try again.

    Performing Rotation

    The Couchbase Server Secret-Management system allows you to rotate (periodically change, to reduce the risk of illicit discovery or deciphering) the different elements of the system:

    • Master-password rotation: This first level of rotation is achieved by setting a new password, using the CLI command, the REST API method, or (other than on Mac OS X) the environment variable, as indicated above. One master password per node needs to be set.

    • Data-key rotation: This second level of rotation is achieved by changing the data-key, using the CLI command with the --rotate-data-key option, or the REST API POST /node/controller/rotateDataKey method.

    • Secret rotation: This third level of rotation is achieved by changing the values of the secrets themselves. For example, to reset the secret that is an administrator password, use the couchbase-cli reset-admin-password command.

    Note that if the auditing option is enabled, all rotation-requests are audited by Couchbase Server.