Performing Operations on C3 AI Vault
The C3 AI Vault is a secure storage mechanism that protects sensitive information such as encryption keys, API tokens, credentials, and certificates. Its contents are stored in the FileSystem and should be encrypted. This guide provides Cluster Admins with detailed procedures for the encryption, re-encryption, and decryption of the C3 AI Vault.
Key terminology
C3 Vault: An integral component within a file system designed to securely store sensitive data such as keys, API tokens, and credentials. The security of a C3 AI Vault is paramount as it acts as a central repository for critical and confidential information, which if compromised, could result in significant security breaches.
Encryption: A fundamental security process that uses algorithms to transform readable data into a coded form that can only be accessed or decrypted by those who have the encryption key. In the context of the C3 AI Vault, encryption ensures that if the data storage is accessed by users who are not authorized, the information remains unreadable and secure.
Key Rotation: The process of retiring an old encryption key and replacing it with a new key. Regular key rotation is a security best practice that reduces the risk of key compromise and limits the amount of data encrypted with a single key, thereby minimizing the impact of a potential breach.
Cluster Admin: A user with the highest level of control over the computing cluster who can make global changes, including security configurations. The Cluster Admin role is critical for maintaining the integrity and security of the C3 AI Vault.
Secret: Any piece of confidential information that requires safeguarding, such as passwords, tokens, and encryption keys. Protection of secrets is vital to prevent unauthorized access and maintain system integrity.
Hibernate: This refers to the process of temporarily shutting down or suspending applications or environments within a cluster. During the hibernation state, no operations can be performed on the applications, making it a suitable time to conduct system maintenance or updates without disrupting active processes.
Prerequisites
Before you manage C3 AI Vault encryption, these conditions must be met:
You can obtain a new encryption key using the following commands in the C3 AI console:
```javascript
// Generate a new 256-bit secret key that is valid for 1 day.
var generatedKey = SecretKey.generateKey(1, 256);
// Base64-encode the key material.
var encodedKey = Base64.encode(generatedKey.key);
```
The above code snippet generates a new secret 256-bit key that is valid for 1 day. The key should be of sufficient complexity to prevent deciphering by unauthorized entities.
Store a duplicate of the key in a secure location, as loss of the key could render the encrypted data irretrievable.
Plan for a period of inactivity within the cluster by hibernating all environments and applications, except for c3/c3, to prevent any operational interference during the encryption process.
- For clusters in their inception stage, initiate encryption ahead of any environment or application deployment.
Confirm that you have the necessary Cluster Admin rights to perform these operations.
Encryption management procedures
To administer the C3 AI Vault encryption, adhere to these guidelines:
Ensure all prerequisites are in place and validated.
Utilizing the c3/c3 static console, and with the Cluster Admin capabilities, execute the suitable command using the VaultEncrypter Type:
Enable encryption: Safeguard all existing secrets by running:
```javascript
VaultEncrypter.enableVault(<secret>, true)
```
Rotate the encryption key: Update the encryption key for enhanced security with:
```javascript
VaultEncrypter.rotateVaultSecret(<secret>, true, <[optional] current secret override>)
```
Disable encryption: Should you need to decrypt all secrets, utilize:
```javascript
VaultEncrypter.disableVault(true, <[optional] current secret override>)
```
Patience is required as the system completes the command execution.
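The following added example is not C3 AI code and does not show how VaultEncrypter works internally. It is a Node.js model of what a key rotation has to guarantee: every secret is re-encrypted under the new key, or the vault is left in its pre-operation state with the failing secrets reported. The names `seal`, `unseal`, `rotate`, and `demo`, the use of AES-256-GCM, and the in-memory Maps standing in for the vault and a staging area are all assumptions made for illustration.

```javascript
// Added illustration, not C3 AI code: an in-memory model of all-or-nothing rotation.
const crypto = require('node:crypto');

// Encrypt one secret with AES-256-GCM. Record layout: iv(12) | tag(16) | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt one record. Throws when the key is wrong or the record is corrupt.
function unseal(key, record) {
  const raw = Buffer.from(record, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Re-encrypt every secret from oldKey to newKey, or change nothing. vault and migration are
// Maps of name -> record; migration is a hypothetical staging area that must start empty.
function rotate(vault, migration, oldKey, newKey) {
  if (newKey.length !== 32) throw new Error('new key must be 32 bytes (256 bits)');
  if (migration.size > 0) throw new Error('staging area not empty; clear it and retry');
  const errors = [];
  for (const [name, record] of vault) {
    try { migration.set(name, seal(newKey, unseal(oldKey, record))); }
    catch (err) { errors.push(name); } // report every bad secret, not just the first
  }
  if (errors.length > 0) {
    migration.clear(); // discard staged records; the vault was never touched
    return { rotated: false, errors };
  }
  for (const [name, record] of migration) vault.set(name, record); // commit
  migration.clear();
  return { rotated: true, errors };
}

// Constructed sample data: one good secret and one sealed under an unrelated key.
function demo() {
  const oldKey = crypto.randomBytes(32), newKey = crypto.randomBytes(32);
  const vault = new Map([['api-token', seal(oldKey, 'constructed-token')],
                         ['stale', seal(crypto.randomBytes(32), 'x')]]);
  const failed = rotate(vault, new Map(), oldKey, newKey);
  vault.delete('stale'); // purge the bad secret, then retry
  const ok = rotate(vault, new Map(), oldKey, newKey);
  return { failed, ok, token: unseal(newKey, vault.get('api-token')) };
}
console.log(demo());
```

Because nothing is written back until every record has been staged successfully, the first run leaves the good secret readable under the old key, which is why the retry succeeds once the bad one is removed.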
Troubleshooting scenarios
During the management of the C3 AI Vault, certain conditions may interrupt the encryption operations, preserving the pre-operation state:
Any instances of secrets that are not encrypted correctly or are corrupt:
- Such issues can manifest as batch errors detailing the affected secrets. Tackle these issues by reconfiguring the affected secrets, or purging them if unnecessary.
Existence of residual files in the migration directory:
- This directory serves as a temporary storage for VaultEncrypter intermediate files during operations. Ensure it is empty prior to a retry.
Detection of environments or applications that are not in hibernation:
- An early operation termination can be triggered,