Decrypting the encrypted sensitive values in logs

Hi,

We extract Boundary logs with a sink configuration and set the “encrypt” option in the audit config. But do you know how we can decrypt these logs, and whether it’s possible at all?

Hi there,

It’s currently possible with the knowledge to write a bit of Go code – you’d have to connect to the DB, pull out the encryption KEK, use it to decrypt the DEK, then use that to decrypt values for a scope. We do intend to find a way to make this easier in the future while still ensuring that there is appropriate access control, whether via the API or CLI.


@PPacent tagging you FYI


Thanks for this reply

@jeff, are there any changes to the procedure for decrypting sensitive values in audit logs in the current version?

I’ll explain my case:
I have a setup with MySQL credentials generated by the Vault database engine, using a Vault credential library. That’s why I need the response.detail.item.credentials.secret.decoded.username field of the audit logs in cleartext, while the password must remain redacted/hashed/encrypted, because I need to use the generated username for analysis of the MySQL audit logs.

I don’t see any possibility to achieve this via config options; that’s why I thought about decrypting the encrypted values. Maybe you could advise a better way, thanks.

Going to tag @jimlambrt as the person that would have the best idea. You can override the behavior of sensitive/secret fields but I believe that affects all such fields. However, if you create a sink specifically for these events using Controller/worker - events - common sink parameters | Boundary | HashiCorp Developer then that may work.

The config for a sink applies to the entire sink. There’s no way to just decrypt one sensitive/secret field.

I would create a sink specifically for this purpose with the appropriate config and limit access to the sink.
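As an added illustration of the dedicated-sink approach suggested above (this is not configuration from the thread or from HashiCorp): the sink below keeps the default sink encrypting everything and adds a second, access-restricted sink with its own sink-wide overrides. The `audit_filter_overrides` keys and their values follow the Boundary common sink parameters documentation linked earlier; sink names and file paths are placeholders, and whether the username ends up in cleartext depends on whether that field is classified as sensitive rather than secret, which this example assumes rather than confirms.

```hcl
# Added example, not from the thread. Overrides apply to the whole sink:
# there is no way to expose one field and hide another within a single sink.
events {
  audit_enabled = true

  # Default sink: sensitive and secret fields encrypted, safe for the
  # central log store.
  sink "file" {
    name        = "audit-encrypted"          # placeholder name
    description = "Audit events with sensitive and secret fields encrypted"
    event_types = ["audit"]
    format      = "cloudevents-json"
    audit_config {
      audit_filter_overrides {
        sensitive = "encrypt"
        secret    = "encrypt"
      }
    }
    file {
      path      = "/var/log/boundary"        # placeholder path
      file_name = "audit-encrypted.log"
    }
  }

  # Second sink for the credential-analysis use case: sensitive fields are
  # left unfiltered, secret fields are redacted. Every sensitive field of
  # every audit event lands in this file, so access to it must be limited.
  sink "file" {
    name        = "audit-credential-analysis" # placeholder name
    description = "Audit events with sensitive fields unfiltered"
    event_types = ["audit"]
    format      = "cloudevents-json"
    audit_config {
      audit_filter_overrides {
        sensitive = ""        # empty string: field is not filtered
        secret    = "redact"
      }
    }
    file {
      path      = "/var/log/boundary-restricted" # placeholder path
      file_name = "audit-unfiltered.log"
    }
  }
}
```

The second file should live on a path that only the analysis tooling and its operators can read, since the sink-wide override exposes far more than the one username field.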