diff options
author | Alex Auvolat <alex@adnab.me> | 2023-06-14 12:51:47 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2023-06-14 12:51:47 +0200 |
commit | 9092c71a01311f8f7174fa03facdb4d95a7b1389 (patch) | |
tree | 62e8bf6e275ce045e29baf7a660706899e54ed8e /doc/book/cookbook | |
parent | 120f8b3bfb61d1f38290207ac67933263cb57eeb (diff) | |
download | garage-9092c71a01311f8f7174fa03facdb4d95a7b1389.tar.gz garage-9092c71a01311f8f7174fa03facdb4d95a7b1389.zip |
doc: encryption organization
Diffstat (limited to 'doc/book/cookbook')
-rw-r--r-- | doc/book/cookbook/encryption.md | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/doc/book/cookbook/encryption.md b/doc/book/cookbook/encryption.md index 156c54e8..8d45a0ee 100644 --- a/doc/book/cookbook/encryption.md +++ b/doc/book/cookbook/encryption.md @@ -49,14 +49,9 @@ implements a protocol that has been clearly reviewed, Secure ScuttleButt's Secret Handshake protocol. This is why setting a `rpc_secret` is mandatory, and that's also why your nodes have super long identifiers. -## Encrypting traffic between a Garage node and your client +## HTTP API endpoints provided by Garage are in clear text -HTTP API endpoints provided by Garage are in clear text. -You have multiple options to have encryption between your client and a node: - - - Setup a reverse proxy with TLS / ACME / Let's encrypt - - Setup a Garage gateway locally, and only contact the garage daemon on `localhost` - - Only contact your Garage daemon over a secure, encrypted overlay network such as Wireguard +Adding TLS support built into Garage is not currently planned. ## Garage stores data in plain text on the filesystem @@ -76,6 +71,14 @@ system such as Hashicorp Vault? # Adding data encryption using external tools +## Encrypting traffic between a Garage node and your client + +You have multiple options to have encryption between your client and a node: + + - Setup a reverse proxy with TLS / ACME / Let's encrypt + - Setup a Garage gateway locally, and only contact the garage daemon on `localhost` + - Only contact your Garage daemon over a secure, encrypted overlay network such as Wireguard + ## Encrypting data at rest Protects against the following threats: |