docs: Add bsr key to requirements (#3330)

* docs: Add bsr key to requirements

* docs: Rewrite for clarity

* docs: Add bsr key definition to security page
pull/3333/head
Dan Heath 3 years ago committed by GitHub
parent 5f2f6ca6ca
commit 8acc73dc6e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -105,6 +105,11 @@ $ boundary scopes list-key-version-destruction-jobs -scope-id p_A4jfDjZ9jf
Once the job disappears from this list, the associated key version will have
been destroyed and any existing data will have been re-encrypted.
## The `bsr` KMS key <sup>HCP/ENT</sup>
The `bsr` KMS key is required for [session recording](/boundary/docs/configuration/session-recording).
If you do not add a `bsr` key to your controller configuration, you will receive an error when you attempt to enable session recording.
The key is used for encrypting data and checking the integrity of recordings.
## The `previous-root` KMS key <sup>OSS Only</sup>
The `previous-root` KMS key is used when migrating to a new `root` key. Adding
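
Review bot: the new `bsr` section says "you will receive an error" but neither quotes the error text nor tells the reader where the key is declared, so someone who hits the error cannot search for it and land here. Consider quoting the message, naming the purpose value the way the requirements list does ("A KMS key with the purpose `bsr`"), and linking to [Create the controller configuration](/boundary/docs/install-boundary/configure-controllers#create-the-controller-configuration) from this section. The sentence "The key is used for encrypting data and checking the integrity of recordings." is also repeated verbatim in the session recording requirements; keeping the definition in one place and linking to it avoids the two copies drifting apart.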

@ -13,8 +13,11 @@ You use the storage bucket's ID to associate a target with the storage bucket.
**Requirements**:
- One or more storage buckets to store the recordings
- One or more storage buckets to store the recordings.
- Session recording is only supported for SSH targets at this time.
- A KMS key with the purpose `bsr` must be added to the controller configuration.
The key is used for encrypting data and checking the integrity of recordings.
Refer to [Create the controller configuration](/boundary/docs/install-boundary/configure-controllers#create-the-controller-configuration) for more information about configuring a KMS block.
- The targets must be configured with an ingress or egress worker filter that includes a worker with access to the storage bucket you created.
Refer to [SSH target attributes](/boundary/docs/concepts/docmain-model/targets#ssh-target-attributes-hcp-ent) for more information.
- You must enable injected application credentials on any target that you want to use for session recording.
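
Review bot: the added `bsr` requirement links to the controller configuration page but not to the `bsr` KMS key section this same commit adds to the security page, so the requirement and its definition are not connected; link to that section here and drop the duplicated "The key is used for encrypting data and checking the integrity of recordings." sentence. While touching this list, the unchanged line "Refer to [SSH target attributes](/boundary/docs/concepts/docmain-model/targets#ssh-target-attributes-hcp-ent)" has a path segment `docmain-model` that looks like a typo for `domain-model`; please verify the link resolves and fix it in this change if it does not.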
