Data encryption

You are currently viewing version 1.1 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

By default, the following data is storedencrypted in the hybrid runtime plane:

  • Key management system (KMS) data
  • Key-value map (KVM) data
  • Cache data

Data encryption does not require any special configuration on your part. However, if for some reason you want to use your own encryption keys (replacing the default ones) you can do so, as explained in this topic.

Encryption key scope

Encryption keys for KMS, KVM, and cache have scope. For example, KMS keys haveorganization scope. This means that the key is used to encrypt KMS data for the entire organization. The following table lists the scope for each type of key:

Encryption keyScope
KMS Organization only
KVM Organization or environment

If aKVM policy specifiesapiproxy orpolicy (API proxy revision) scope, the organizationlevel key is used to encrypt the data. For a general overview of how KVMs are used in Apigee Edge, seeWorking with key-value maps.

Cache Environment only

About the default encryption keys

By default, Apigee hybrid provides a set of Base64-encoded keys that are used to encrypt KVM, KMS, and cache data. The Apigee hybrid installer stores the keys in the runtime plane asKubernetes Secrets, and uses them to encrypt your data with AES-128 standard encryption. The keys are under your control; the hybrid management plane is never aware of them at any time.

The default keys will work for most use cases. If you want to change the default encryption keys, do so when you initially install Apigee hybrid into a new cluster. You cannot later change the encryption keys once the runtime data is encrypted.

Changing the default encryption keys

Although not required, you can change any of the default encryption keys if you wish. To replace one or more default keys, follow these steps:

  1. Copy the following stanzas into your overrides file. This configuration lets you change the KMS and KVM encryption keys for the organization level and the KVM and cache encryption keys for the environment level:
    defaults:  org:    kmsEncryptionKey:base64-encoded-key    kvmEncryptionKey:base64-encoded-key  env:    kvmEncryptionKey:base64-encoded-key    cacheEncryptionKey:base64-encoded-key
  2. Generate a new key for each key you wish to replace. Each key must be a Base64-encoded string that is exactly16, 24, or 32 bytes long. See alsoHow to create an encoded key.
  3. Replace the default keys with new ones. In this example, all of the default keys are replaced with keys:
    defaults:  org:    kmsEncryptionKey: "JVpTb1FwI0otUHo2RUdRN3pnVyQqVGlMSEFAJXYmb1c="    kvmEncryptionKey: "T3VkRGM1U3cpOFgtNk9fMnNZU2NaSVA3I1BtZWxkaUU="  env:    kvmEncryptionKey: "Q3h6M3R6OWdBeipxTURfKjQwQVdtTng2dU5mODFHcyE="    cacheEncryptionKey: "b2NTVXdKKjBzN0NORF9XSm9tWFlYKGJ6NUhpNystJVI="
  4. Apply the overrides file to your cluster.

A note about backward compatibility

If you were to remove the encryption keys in your overrides file the first time you install Apigee hybrid, you would effectively disable encryption and values would be stored unencrypted. If at a later time you enable encryption by providing keys, exiting data remains unencrypted; however, any future data that is added will be encrypted. The system will continue working normally with the unencrypted data and the new encrypted data.

Also, note that you cannot later change the encryption keys once the runtime data is encrypted.

How to create an encoded key

NOTE: You must generate your key from ASCII characters. Apigee hybriddoes not support using non-printable characters, such as characters generated using theopenssl random command.

A properly formatted Base-64-encoded key is required for KVM, KMS, and cache encryption. The key used for any of these purposes must be Base-64 encoded from a string that is 16, 24, or 32 bytes long, as explained in the following steps:

The key string length requirement exists because theAdvanced Encryption Standard (AES) cipher works on a block size of 128 bits, but can take three different key lengths: 128, 192, and 256 bits (16, 24, or 32 bytes).

The following example commands generate suitable, randomly generated, 32 character, Base64-encoded strings that do not include non-printable characters:

LC_ALL=C tr -dc A-Za-z0-9_\!\@\#\$\%\^\&\*\(\)\\-+=< /dev/urandom | head -c 32  | openssl base64PSFvX0BPc1Z2NVklcXdxcF8xR0N4MV4temFveStITU4=

or

LC_ALL=C tr -dc "[:print:]"< /dev/urandom | head -c 32 | openssl base64

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.