Create and use an encrypted configuration file - - Alibaba Cloud Documentation Center

Serverless App Engine (SAE) allows you to create encrypted configuration files to ensure the security of sensitive data in your configurations, such as data sources, tokens, usernames, and passwords. This helps reduce the risk of configuration leaks. This topic describes how to create and use an encrypted configuration file in the SAE console.

Prerequisites

Application Configuration Management (ACM) is activated. For more information, see Migrate applications from Application Configuration Management to MSE Nacos instances.
Key Management Service (KMS) is activated. For more information, see Purchase a dedicated KMS instance.

Note Application Configuration Management (ACM) that is supported by SAE is discontinued. This does not affect the distributed configuration management feature of SAE. We recommend that you use MSE Nacos 2.0 to manage configurations. For more information, see Edition features.

Background information

To use the encryption and decryption feature, you must use the AccessKey pair of an Alibaba Cloud account or a RAM user. You cannot use the AccessKey pair of ACM. SAE provides the following encryption methods:

KMS encryption: The size of a configuration file cannot exceed 6 KB.
KMS AES-128 encryption: The size of a configuration file can exceed 6 KB. We recommend that you do not specify a configuration file that exceeds 10 KB in size. The maximum size of a configuration file can be 100 KB. The configuration file content in plaintext is not transmitted to KMS. To ensure higher security, we recommend that you use the KMS AES-256 encryption method.

Create an encrypted configuration file

Log on to the SAE console.
In the left-side navigation pane, choose Distributed Configuration Management > Configurations.
In the top navigation bar, select a region.
On the Configurations page, select a namespace and click Create Configuration.

In the Create configuration panel, configure basic settings for the configuration file, turn on Data encryption, select an encryption method, and then click Create.

For more information about how to configure basic settings for a configuration file, see Manage configurations.

The following table describes the data encryption methods.

Parameter	Description
KMS encryption	If you select this option, KMS is directly called to encrypt and decrypt the configuration file. We recommend that you specify a configuration file whose size is smaller than or equal to 4 KB. The maximum size of the configuration file can be 6 KB. If the configuration file contains special characters such as ampersands (&), decryption errors may occur. We recommend that you do not select this option.
KMS AES-128 encryption	If you select this option, the envelope encryption and decryption method of KMS is used. The size of the configuration file that you want to encrypt or decrypt can exceed 6 KB but cannot exceed 100 KB. The configuration file content in plaintext is not transmitted to KMS. To ensure higher security, we recommend that you use the KMS AES-256 encryption method.

Important

The first time you use the data encryption feature, you must activate KMS and authorize ACM to use KMS to encrypt and decrypt your configuration data. The data encryption feature of ACM relies on KMS to encrypt your configuration data.
To facilitate configuration management, SAE displays your configuration data in plaintext in the console. The actual configuration data is encrypted.

Use an encrypted configuration file

To obtain the initialization parameter values that are required for data encryption in the console, such as the AccessKey ID and AccessKey secret, perform the following steps:

Log on to the SAE console.
In the left-side navigation pane, choose Distributed Configuration Management > Configurations.
In the top navigation bar, select a region.
On the Configurations page, select a namespace and view the required parameters.
- Obtain the AccessKey ID and AccessKey secret
  Click View specific procedure to obtain the initialization parameter values, such as the AccessKey ID and AccessKey secret.
  Note You can use the AccessKey ID and AccessKey secret of your Alibaba Cloud account to obtain configuration data. We recommend that you use the AccessKey ID and AccessKey secret of a RAM user. Before you use the AccessKey ID and AccessKey secret of a RAM user, you must grant the AliyunACMFullAccess and AliyunKMSCryptoAccess permissions to the RAM user. For more information, see Grant permissions to a RAM user.
- View sample code
  1. Select a configuration file and click the data ID of the configuration file.
  2. On the Configuration Details page, click the Sample code tab and select a programming language to obtain sample code.
  Note The SDKs for Java and Python are integrated with KMS SDKs. You can add a decryption filter to automatically decrypt data. For information about the decryption methods provided by other programming languages, see Decrypt.