Secret key management and password protection
Faspex 5.0.8 and later uses secret keys and provides the option to set a password during the installation.
CAUTION:
This optional password is of high importance. If it is lost or forgotten, there is no way to recover it. Without this password you will not be able to upgrade Faspex, back up your database, or perform any of the maintenance operations listed in this section. You will have to perform a fresh installation of Faspex 5.
During the installation you will be prompted with the following question:
Would you like to use an optional password? Y/N (default to N)
If you choose to use a password (answer Y), you will require it for maintenance operations.
Attention: For Faspex 5.0.8 to 5.0.12 and later, when using passphrase encryption, Faspex 5 will not start automatically after a system reboot. This can lead to downtime if the system unexpectedly restarts. If you choose not to use passphrase encryption, you can configure Faspex to persist across reboots by enabling its service:
systemctl enable faspexctl.service
Ensuring Faspex persists after a reboot
Backing up secret files
After creating new secrets using faspexctl create_keys, Faspex will automatically create backups of your secret files in the /opt/aspera/faspex/conf/backup_secrets directory.
You can also manually create your own backups of /opt/aspera/faspex/conf/secrets and /opt/aspera/faspex/conf/secrets/keys after successfully setting up your Faspex machines using faspexctl setup and opting to use a password.
You will need the password for other operations such as:
Command | Description |
---|---|
faspexctl setup | Faspex setup |
faspexctl restart | Restart Faspex containers |
faspexctl unseal_secrets | Unseal secrets |
faspexctl seal_secrets | Encrypt secrets |
faspexctl exec | Execute commands in containers (including backing up and restoring the database) |
faspexctl create_keys | Create keys |
rpm -e ibm-aspera-faspex.*.rpm | Uninstall Faspex |
rpm -Uvh ibm-aspera-faspex.*.rpm | Upgrade Faspex |
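
One way to take the manual backup described under "Backing up secret files", as an added example that is not part of the IBM documentation: a shell function that archives the secrets directory (which contains the keys subdirectory) into an owner-only tarball and checks that every file made it into the archive. The function name backup_secrets and the default destination /root/faspex-secrets-backup are assumptions.

```shell
#!/bin/sh
# Added example, not IBM-supplied code.
# Usage: backup_secrets [source_dir] [dest_dir]
# The default source is the secrets path named on this page; the default
# destination is an assumed location and should be changed to suit the host.

backup_secrets() {
    src="${1:-/opt/aspera/faspex/conf/secrets}"
    dest="${2:-/root/faspex-secrets-backup}"   # assumption
    [ -d "$src" ] || { echo "backup_secrets: no such directory: $src" >&2; return 1; }

    # Create the destination and the archive readable by the owner only.
    old_umask=$(umask)
    umask 077
    archive="$dest/secrets-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    if mkdir -p "$dest" && chmod 700 "$dest" &&
       tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"; then
        rc=0
    else
        rc=1
    fi
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1

    # Verify: the number of non-directory entries in the archive must match
    # the number of non-directory files under the source (keys/ included).
    want=$(find "$src" ! -type d | wc -l | tr -d ' ')
    have=$(tar -tzf "$archive" | grep -vc '/$' || true)
    if [ "$want" -ne "$have" ]; then
        echo "backup_secrets: archive has $have entries, expected $want" >&2
        rm -f "$archive"
        return 1
    fi

    # Print the archive path so callers can copy it off the host.
    echo "$archive"
}
```

Store the resulting archive off the Faspex host; a backup kept only on the same machine is lost along with it.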