3.4.7.1 Generate a Kubernetes Secret for an Encryption Key

To support asynchronous calls, MicroTx stores the authorization and refresh tokens. Because the tokens can't be stored in plain text, MicroTx encrypts them before storing them, and it needs encryption keys to do so.

MicroTx encrypts the tokens using the encryption keys that you provide. When MicroTx makes an asynchronous call to a participant service, it fetches the encrypted token, decrypts it, and then attaches the token to the authorization header.
If you have enabled the authTokenPropagationEnabled property under authorization, you must generate an encryption key and then add the key to a Kubernetes secret. The encryption key that you generate must have the following attributes.
  • Symmetric algorithm: AES-256
  • Cipher mode: AES in GCM mode
  • Key length: 32 bytes
  • Length of initialization vectors: 96 bits

MicroTx encrypts the access and refresh tokens, and then uses them later while making calls to participant services. For each transaction, MicroTx generates a new value for the initialization vector. Each transaction record contains the encrypted metadata information, such as the key version and the initialization vector value.

Generate a Kubernetes Secret for an Encryption Key for MicroTx Workflows

  1. Run the following command to generate an encryption key of 32 random bytes.
    openssl rand -hex 32 > encryption.key

    This creates an encryption key file named encryption.key. openssl writes the 32 random bytes hex-encoded, so the file holds a 64-character hexadecimal string.

  2. Use the encryption key file to create a Kubernetes secret. You must create this secret in the namespace where you want to install MicroTx Workflows. The following sample command creates a Kubernetes secret with the name encryption-secret in the otmm namespace.
    kubectl create secret generic encryption-secret --from-file=encryption.key -n otmm
  3. Note down the name of the Kubernetes secret and the file name stored in the secret. You will provide these values for the secretName and fileName fields under workflow.server.encryption in the values.yaml file.

Generate a Kubernetes Secret for an Encryption Key for MicroTx Distributed Transactions

  1. Run the following command to generate an encryption key with a key length of 32 bytes.
    openssl rand -hex 16
    The command produces 16 random bytes, hex-encoded as a 32-character string; that string is the key value you store in the next step. Note that because of the hex encoding, the 32 characters carry 128 bits of randomness, not 256. Note down the value that is generated. For example, e9f0adab17c0180425147166c2ff1cd3.
  2. Create a Kubernetes secret, using the encryption key that you have generated as the value. You must create this secret in the namespace where you want to install MicroTx.

    The following sample command creates a Kubernetes secret with the name encryption-secret-key1 in the otmm namespace.

    kubectl create secret generic encryption-secret-key1 \
      --from-literal=secret='e9f0adab17c0180425147166c2ff1cd3' -n otmm
  3. Note down the name of the Kubernetes secret and its version. You will provide these values for the secretKeyName and version fields in the values.yaml file.

    The following code snippet provides sample values for the encryption field in the values.yaml file. The sample values in this example are based on the values used in the sample commands in this topic.

    encryption:
      encryptionSecretKeyVersion: "1"
      encryptionSecretKeys:
        - secretKeyName: "encryption-secret-key0"
          version: "0"
        - secretKeyName: "encryption-secret-key1"
          version: "1"

    The secret names must match the Kubernetes secret names exactly, with no leading or trailing spaces. encryptionSecretKeyVersion selects the key used to encrypt new tokens; the other entries remain listed so that records encrypted under an earlier key version can still be decrypted.
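The following script is an added example, not part of the MicroTx documentation, that walks through the MicroTx Distributed Transactions procedure above end to end: it generates the key the way the topic's openssl command does, checks that the value is the 32-character hexadecimal string the topic expects before anything is stored, and emits the equivalent Secret manifest and values.yaml fragment for a rotation from version 0 to version 1. The secret names, the otmm namespace and the version numbers are the sample values from this topic; the helper function names are this example's own.

```shell
#!/bin/sh
# Added example for the MicroTx Distributed Transactions encryption secret.
# Assumptions: the key is a 32-character hex string as in the topic's sample
# (e9f0adab17c0180425147166c2ff1cd3); secret names and namespace are the
# topic's sample values; function names are this example's own.

# Generate 16 random bytes hex-encoded to 32 characters, exactly what the
# topic's `openssl rand -hex 16` does. Falls back to /dev/urandom via od
# when openssl is not installed.
gen_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16
    else
        head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
        echo
    fi
}

# Check that a key is exactly 32 hexadecimal characters. Returns 1 otherwise
# so that a truncated or mistyped value never ends up in the secret.
validate_key() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Emit a Secret manifest equivalent to
#   kubectl create secret generic NAME --from-literal=secret=KEY -n NAMESPACE
# stringData lets the API server base64-encode the value for us.
secret_manifest() {
    name=$1; key=$2; ns=$3
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\nstringData:\n  secret: "%s"\n' \
        "$name" "$ns" "$key"
}

# Emit the encryption block for values.yaml. First argument is the active
# version; the rest are NAME:VERSION pairs for every key that must still be
# able to decrypt existing transaction records.
values_fragment() {
    active=$1; shift
    printf 'encryption:\n  encryptionSecretKeyVersion: "%s"\n  encryptionSecretKeys:\n' "$active"
    for pair in "$@"; do
        printf '    - secretKeyName: "%s"\n      version: "%s"\n' \
            "${pair%%:*}" "${pair#*:}"
    done
}

# Full walk-through: new key for version 1, while version 0 stays listed.
main() {
    ns=otmm
    key=$(gen_key)
    validate_key "$key" || { echo "malformed key: $key" >&2; exit 1; }
    echo "# apply with: kubectl apply -f -"
    secret_manifest encryption-secret-key1 "$key" "$ns"
    echo "---"
    echo "# merge into values.yaml"
    values_fragment 1 encryption-secret-key0:0 encryption-secret-key1:1
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_EXAMPLE=1 sh generate-encryption-secret.sh` to print the manifest and the values.yaml fragment; pipe the first document to `kubectl apply -f -` once you have reviewed it. The validation step is the one worth keeping in any real pipeline: a key that is shorter than expected is silently accepted by `kubectl create secret`, and the problem surfaces only when MicroTx tries to use it.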