
Encryption

Igor Lysak edited this page Sep 28, 2022 · 5 revisions

Protecting the hub.yaml.elaborate and hub.yaml.state files is critical to maintaining stack security. When written to remote storage such as AWS S3, GCP, or Azure Storage, the files are encrypted with AES-256 in GCM mode. The data key currently comes from one of the following implementations:

  1. PBKDF2 key derivation function controlled by the HUB_CRYPTO_PASSWORD environment variable. Set it to <random-password>.
  2. AWS KMS data key referenced by HUB_CRYPTO_AWS_KMS_KEY_ARN. Set it to arn:aws:kms:<region>:<account-no>:alias/<key-alias>.
  3. Azure Key Vault key referenced by HUB_CRYPTO_AZURE_KEYVAULT_KEY_ID. Set it to https://<my-kv>.vault.azure.net/keys/<my-key>/<key-version>.
  4. GCP KMS keyring key name referenced by HUB_CRYPTO_GCP_KMS_KEY_NAME. Set it to projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key>.

If you are using Mozilla SOPS, the cloud KMS key identifiers take the same form as the values of SOPS_KMS_ARN, SOPS_AZURE_KEYVAULT_URLS, or SOPS_GCP_KMS_IDS.
