Encryption

Encryption is automatically handled by Management Center.

Windows

On first-time installation, environment data is set for encryption. As a result, all underlying services have encryption/decryption.

Linux

Encryption settings are read from /etc/systemd/system/frtfd.env

Container

Encryption is not enabled by default. It is enabled by setting the following environment variables:

  • FORTIFIED_SECRETS_SECRET - The secret used for encryption. DO NOT SHARE THIS.

  • FORTIFIED_SECRETS_KEY_SIZE - Key size, allowed values are 128 or 256.

  • FORTIFIED_SECRETS_IMPL=localgcm

Generating a Secret Key

Key Format Requirements

  • Encoding: The key must be represented in hexadecimal format (characters 0-9 and a-f).

  • Length:

    • A 128-bit key → exactly 32 hexadecimal characters (16 bytes).

    • A 256-bit key → exactly 64 hexadecimal characters (32 bytes).

  • Case Sensitivity: Hexadecimal characters may be in lowercase or uppercase, but lowercase is recommended for consistency.

  • Character Set: No spaces, line breaks, or additional characters are allowed — the key must be a continuous hex string.

  • Entropy: Keys must be generated using a cryptographically secure random number generator (CSPRNG), not predictable sources.

Using OpenSSL

The openssl rand command generates cryptographically secure random bytes.

When the -hex flag is used, the output is represented in hexadecimal format.

The number following -hex specifies the number of bytes to generate.

Since each byte is represented by two hexadecimal characters:

  • openssl rand -hex 16 → 16 bytes (32 hex characters, 128-bit key)

  • openssl rand -hex 32 → 32 bytes (64 hex characters, 256-bit key)

Examples:

# Generate a 128-bit (16 bytes) key
openssl rand -hex 16

# Generate a 256-bit (32 bytes) key
openssl rand -hex 32
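
Added example (not part of the original documentation or the product): a shell helper, hypothetically named check_secret, that checks a candidate FORTIFIED_SECRETS_SECRET against the key format requirements above and the chosen FORTIFIED_SECRETS_KEY_SIZE before the value is placed in the container environment. The sample key is constructed for illustration only.

```shell
#!/bin/sh
# check_secret SECRET KEY_SIZE  (hypothetical helper, not part of the product)
# Checks a candidate FORTIFIED_SECRETS_SECRET against the format rules above.
# Prints a verdict without echoing the secret; non-zero status on failure.
# The body runs in a subshell "( )" so the secret does not linger in variables.
check_secret() (
    secret=$1
    size=$2

    case $size in
        128) want=32 ;;
        256) want=64 ;;
        *) echo "FAIL: key size must be 128 or 256"; exit 2 ;;
    esac

    # Explicit character lists avoid locale-dependent ranges such as [a-f].
    case $secret in
        '') echo "FAIL: secret is empty"; exit 1 ;;
        *[!0123456789abcdefABCDEF]*)
            echo "FAIL: non-hex character (space, newline, quote, ...)"; exit 1 ;;
    esac

    if [ "${#secret}" -ne "$want" ]; then
        echo "FAIL: ${size}-bit key needs $want hex characters, got ${#secret}"
        exit 1
    fi

    # Heuristic only: format checks cannot prove CSPRNG origin, but a single
    # repeated character is certainly not random.
    first=$(printf '%s' "$secret" | cut -c1)
    if [ -z "$(printf '%s' "$secret" | tr -d "$first")" ]; then
        echo "FAIL: secret is one repeated character"; exit 1
    fi

    case $secret in
        *[ABCDEF]*) echo "OK (lowercase is recommended)" ;;
        *) echo "OK" ;;
    esac
)

# Constructed sample value for demonstration only; never deploy it.
sample=0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0
check_secret "$sample" 256            # OK
check_secret "$sample" 128 || true    # FAIL: length does not match key size
check_secret "$sample " 256 || true   # FAIL: trailing space
```

A freshly generated key can be checked the same way, for example check_secret "$(openssl rand -hex 32)" 256.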

Using PowerShell

In PowerShell, you can use the .NET System.Security.Cryptography.RandomNumberGenerator class to produce the same cryptographically secure random data.

Examples:

# Generate a 128-bit (16 bytes) key
[byte[]]$bytes = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
($bytes | ForEach-Object { $_.ToString("x2") }) -join ""

# Generate a 256-bit (32 bytes) key
[byte[]]$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
($bytes | ForEach-Object { $_.ToString("x2") }) -join ""