NATS Docs
NATS.ioTwitterSlackGitHub
Search…
Welcome
Release Notes
What's New!
NATS Concepts
Overview
What is NATS
Subject-Based Messaging
Core NATS
JetStream
Subject Mapping and Traffic Shaping
NATS service infrastructure
Security
Connectivity
Using NATS
NATS Tools
Developing With NATS
Running a NATS service
Installing, running and deploying a NATS Server
NATS and Docker
NATS and Kubernetes
NATS Server Clients
Configuring NATS Server
Managing and Monitoring your NATS Server Infrastructure
Monitoring
Managing JetStream
Account Information
Naming Streams, Consumers, and Accounts
Streams
Consumers
Data Replication
Disaster Recovery
Encryption at Rest
Managing NATS Security
Upgrading a Cluster
Slow Consumers
Signals
Lame Duck Mode
Reference
FAQ
NATS Protocols
Legacy
STAN aka 'NATS Streaming'
nats-account-server
Powered By GitBook
Encryption at Rest
Supported since NATS server version 2.3
The NATS server can be configured to encrypt message blocks when storing them, providing encryption at rest. This can be enabled through configuration. For these examples, assume the file is named js.conf and is in the local directory of the NATS server. We normally recommend file system encryption rather than JetStream encryption at rest.
1
jetstream : {
2
key : “mykey”
3
store_dir: datastore
4
}
Copied!
It is recommended to provide the encryption key through an environment variable, such as JS_KEY so it will not be persisted in a file.
1
jetstream : {
2
key: $JS_KEY
3
store_dir: datastore
4
}
Copied!
You can pass this from the command line this way:
1
env JS_KEY="mykey" nats-server -c js.conf
Copied!
We currently support two ciphers for encryption: ChaChaPoly20 and XChaChaPoly1305. The default selected cipher depends on the platform.
Note that message blocks are encrypted which includes message headers and payloads. Other metadata files are encrypted as well, such as the stream metadata file and consumer metadata files.
Starting a server with encryption enabled against a datastore that was not encrypted may result in failures when it comes to decrypting message blocks, which may not happen immediately upon startup. Instead, it will happen when attempting to deliver messages to consumers. However, when possible, the server will detect if the data was not encrypted and return the data without attempting to decrypt it.
If the data is encrypted with a key and the server is restarted with a different key, the server will fail to decrypt messages when attempting to load them from the store. The server will still be active to support core NATS functionality. If this happens, you’ll see log messages like the following:
1
Error decrypting our stream metafile: chacha20poly1305: message authentication failed
Copied!
Performance considerations: As expected, encryption is likely to decrease performance, but by how much is hard to define. In some performance tests on a MacbookPro 2.8 GHz Intel Core i7 with SSD, we have observed as little as 1% decrease to more than 30%. In addition to CPU cycles required for encryption, the encrypted files may be larger, which results in more data being stored or read.
Previous
Disaster Recovery
Next
Managing NATS Security
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub