docs(workers): add documentation for pki worker cred encryption (#2397)

* docs(workers): add documentation for pki worker cred encryption
4 years ago · 547e7a5970
parent 1cb287bdbe
commit 547e7a5970
1 changed files with 22 additions and 0 deletions
--- a/website/content/docs/configuration/worker/pki-worker.mdx
+++ b/website/content/docs/configuration/worker/pki-worker.mdx
@ -22,6 +22,19 @@ worker {
 }
 ```

+## KMS Configuration
+PKI Workers credentials can be encrypted by including an optional KMS stanza with the purpose `worker-auth-storage`.
+
+Example (not safe for production!):
+```hcl
+kms "aead" {
+  purpose = "worker-auth-storage"
+	aead_type = "aes-gcm"
+	key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+	key_id = "worker-auth-storage"
+}
+```
+
 ~> **Note:** `name` and `description` fields are not valid config fields for PKI
 workers. These fields are only valid for [KMS Workers][]. `name` and
 `description` can only be set for PKI workers through the API.
@ -54,6 +67,15 @@ worker {
  }
 }

+# The following KMS config is an example only
+# Use a production KMS such as AWS KMS for production installs
+kms "aead" {
+  purpose = "worker-auth-storage"
+	aead_type = "aes-gcm"
+	key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+	key_id = "worker-auth-storage"
+}
+

 ```
 [kms workers]: /docs/configuration/worker/kms-worker