Log Encryption Guide

If you choose to set up log encryption (under Settings / Log Encryption & Storage), the logs, queries, and sessions recorded by strongDM are encrypted, either on strongDM, on the individual relay, or both. This guide describes how to set up and use public-key encryption with strongDM.

Note: To learn more about logging in general, visit the Getting Started with Logging guide.

Setting up a public/private keypair

Run the following commands at a Linux or Mac command line to generate the private and public keys.

$ openssl genrsa -out private.key 4096

This will generate a private key in the specified location (private.key). Next you need to extract the public key, which will be shared with strongDM to encrypt logs and other data.

$ openssl rsa -pubout -in private.key -out public.pem

If you look at public.pem you should see text similar to the following:

-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

You will copy and paste this data into the strongDM web UI when you turn on encryption at the strongDM and/or relay level.

Store your private key (private.key by default) in a safe place. If you lose this key you will be unable to decrypt your logs, queries, and sessions.
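The following script is an added example, not part of the strongDM documentation: it runs the two openssl commands above, restricts the private key's permissions, and checks that public.pem really is the public half of private.key before you paste it into the web UI. It assumes openssl is on PATH; the file names are the guide's defaults and the directory argument is the only thing you supply.

```shell
#!/bin/sh
# Added example (not strongDM's own code). Generates the keypair the guide
# describes, locks down the private key, and verifies both halves match.
set -eu

# $1 = directory that will receive private.key and public.pem
generate_log_keypair() {
    dir="$1"
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && openssl genrsa -out "$dir/private.key" 4096 2>/dev/null )
    chmod 0600 "$dir/private.key"               # only the owner may read it
    openssl rsa -pubout -in "$dir/private.key" -out "$dir/public.pem" 2>/dev/null
    chmod 0644 "$dir/public.pem"                # public half is safe to share
}

# Returns 0 when public.pem belongs to private.key: both files must expose the
# same RSA modulus, so compare a hash of the modulus printed for each.
keypair_matches() {
    priv_fp=$(openssl rsa -in "$1/private.key" -noout -modulus | openssl sha256)
    pub_fp=$(openssl rsa -pubin -in "$1/public.pem" -noout -modulus | openssl sha256)
    [ "$priv_fp" = "$pub_fp" ]
}

# Round trip with a constructed sample: data sealed with public.pem can only
# be recovered with private.key, which is why losing the private key means
# losing access to the encrypted logs.
roundtrip_ok() {
    printf 'sample log line' | openssl pkeyutl -encrypt -pubin \
        -inkey "$1/public.pem" -out "$1/sealed.bin"
    plain=$(openssl pkeyutl -decrypt -inkey "$1/private.key" -in "$1/sealed.bin")
    [ "$plain" = "sample log line" ]
}
```

Run generate_log_keypair on an empty directory, then keypair_matches and roundtrip_ok on the same directory; if either check fails, do not paste the public key into strongDM.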

Log Destinations

There are two places you can enable log encryption: the strongDM web portal and the local relay level. Either or both can be protected with the public key you just set up.

strongDM

When logging to the strongDM servers is enabled, queries and server sessions can be viewed and replayed from the web portal and can also be accessed via the strongDM CLI. If you turn on strongDM encryption, however, queries and sessions are no longer directly visible in the web portal; you can still access them via the CLI. To learn how to do so, take a look at Using strongDM Logs.

To turn on strongDM server log encryption, ensure that Store with strongDM? is set to Yes and Remote encryption is set to Public key.

Enabling strongDM server log encryption

At this point, a text box will appear at the bottom of the page where you can paste in the public key you already created. Copy and paste the entire contents of this file into the text box, including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.

Note: If you have already set up relay encryption, this box will already contain a public key. Relay and server encryption use the same key.

Entering the public key

Finally, click on the update button. You will receive a confirmation notice before the changes take effect.

Encryption change confirmation

Warning: Clicking save & restart restarts all of your existing relays. Only go ahead with the change if you are ready for a brief service interruption for datasources that are accessible only via a relay.

Relay

By default, logging is enabled only to the strongDM servers. If you turn on relay logging, logs are also stored on each of your organization's relays, if any exist. Enabling public-key encryption for relay logging encrypts these logs so they cannot be read without the private key. To learn how to review encrypted relay logs, visit Using Relay Logs.

To turn on relay encryption, ensure that Log locally on relays? is set to Yes and Local encryption? is set to Public key.

Enabling relay log encryption

At this point, a text box will appear at the bottom of the page where you can paste in the public key you already created. Copy and paste the entire contents of this file into the text box, including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.

Note: If you have already set up server encryption, this box will already contain a public key. Relay and server encryption use the same key.

Entering the public key

Finally, click on the update button. You will receive a confirmation notice before the changes take effect.

Encryption change confirmation

Warning: Clicking save & restart restarts all of your existing relays. Only go ahead with the change if you are ready for a brief service interruption for datasources that are accessible only via a relay.