Encryption
Encryption is automatically handled by Management Center.
Windows
During first-time installation, environment data is set for encryption. As a result, all underlying services have encryption/decryption.
Linux
Encryption settings are read from /etc/systemd/system/frtfd.env
Container
Encryption is not enabled by default. It is enabled by setting the following environment variables:
FORTIFIED_SECRETS_SECRET - The secret used for encryption. DO NOT SHARE THIS.
FORTIFIED_SECRETS_KEY_SIZE - Key size, allowed values are 128 or 256.
FORTIFIED_SECRETS_IMPL=localgcm
Generating a Secret Key
Key Format Requirements
Encoding: The key must be represented in hexadecimal format (characters 0-9 and a-f).
Length:
A 128-bit key → exactly 32 hexadecimal characters (16 bytes).
A 256-bit key → exactly 64 hexadecimal characters (32 bytes).
Case Sensitivity: Hexadecimal characters may be in lowercase or uppercase, but lowercase is recommended for consistency.
Character Set: No spaces, line breaks, or additional characters are allowed — the key must be a continuous hex string.
Entropy: Keys must be generated using a cryptographically secure random number generator (CSPRNG), not predictable sources.
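The format rules above can be checked before the values are set as environment variables. The following is an added example, not part of the product or its documentation; check_secret is a hypothetical helper name, and the repeated-character test is only a sanity check, since randomness cannot be proven from the value itself.

```shell
#!/bin/sh
# Added example: pre-flight check of a secret against the key format rules.
# check_secret is a hypothetical helper, not part of the product.

# Usage: check_secret SECRET KEY_SIZE
# Prints a verdict; exit status 0 means the pair is usable.
# The body runs in a subshell "( )" so its variables and locale stay local.
check_secret() (
    secret=$1
    size=$2
    LC_ALL=C    # make the a-f / A-F ranges match ASCII only

    case $size in
        128) want=32 ;;
        256) want=64 ;;
        *) echo "key size must be 128 or 256, got '$size'"; exit 2 ;;
    esac

    # Whitespace usually comes from a trailing newline or space after copy-paste.
    case $secret in
        *[[:space:]]*) echo "secret contains whitespace or a line break"; exit 3 ;;
        *[!0-9a-fA-F]*) echo "secret contains non-hexadecimal characters"; exit 4 ;;
    esac

    if [ "${#secret}" -ne "$want" ]; then
        echo "expected $want hex characters for a $size-bit key, got ${#secret}"
        exit 5
    fi

    # Entropy cannot be measured from the value itself, but a single repeated
    # character (for example all zeros) is certainly not CSPRNG output.
    first=${secret%"${secret#?}"}
    case $secret in
        *[!$first]*) ;;
        *) echo "secret is one repeated character; generate it with a CSPRNG"; exit 6 ;;
    esac

    # Uppercase is accepted; lowercase is the recommended form.
    case $secret in
        *[A-F]*) echo "ok (uppercase present; lowercase is recommended)" ;;
        *) echo "ok" ;;
    esac
)
```

Call it as check_secret "$FORTIFIED_SECRETS_SECRET" "$FORTIFIED_SECRETS_KEY_SIZE" and start the container only when it exits with status 0.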
Using OpenSSL
The openssl rand command generates cryptographically secure random bytes.
When the -hex flag is used, the output is represented in hexadecimal format.
The number following -hex specifies the number of bytes to generate.
Since each byte is represented by two hexadecimal characters:
openssl rand -hex 16 → 16 bytes (32 hex characters, 128-bit key)
openssl rand -hex 32 → 32 bytes (64 hex characters, 256-bit key)
Examples:
# Generate a 128-bit (16 bytes) key
openssl rand -hex 16
# Generate a 256-bit (32 bytes) key
openssl rand -hex 32
Using PowerShell
In PowerShell, you can use the .NET System.Security.Cryptography.RandomNumberGenerator class to produce the same cryptographically secure random data.
Examples:
# Generate a 128-bit (16 bytes) key
[byte[]]$bytes = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
# Generate a 256-bit (32 bytes) key
[byte[]]$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
Do not change encryption settings once set. This may cause faulty behaviour.