Migrate User Keys

Key Connector provides a utility for migration from one database to another, or from one RSA key pair configuration to another. Before executing this migration, it is highly recommended that you take a backup of the database being used by Key Connector to store encrypted user keys.

Warning

Schedule a maintenance window in which to execute the procedures in this article; they will require you to stop services which will result in downtime for users of your Bitwarden server.

Migrate to a new database

Key Connector must have access to a database that stores encrypted user keys for your organization members. Create a new secure database and complete the following steps to migrate user keys to it:

  1. Stop the Key Connector container.

  2. In your .bwdata/env/key-connector.override.env file, replace the existing keyConnectorSettings__database__ values with the required values for your new database (learn more).

    Tip

    Copy the old values somewhere you can easily access them, as you'll need them in a future step.

  3. Start the Key Connector container to initialize the database. Once it's initialized, stop the Key Connector container again.

  4. In key-connector.override.env, add the old keyConnectorSettings__database__ values back in and insert transferTo__ into each of the new values that you added in Step 2.

    For example, at this stage a configuration migrating from a local JSON file to using a Microsoft SQL Server would include the following values:

    Bash
    keyConnectorSettings__database__provider=json
    keyConnectorSettings__database__jsonFilePath=/etc/bitwarden/database.json
    keyConnectorSettings__transferTo__database__provider=sqlserver
    keyConnectorSettings__transferTo__database__sqlServerConnectionString={Connection_String}

  5. Restart your self-hosted Bitwarden installation in order to apply the configuration changes:

    Bash
    ./bitwarden.sh restart
  6. Now that your user keys are migrated, clean up your key-connector.override.env file. Stop the Key Connector container, remove the old values, and remove transferTo__ from each of the new values added in Step 2.
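
The Step 6 cleanup as a script, added here as an example and not part of Bitwarden's tooling. The function names (`sample_env`, `finalize_db_migration`, `apply_cleanup`) are hypothetical, and the script assumes the override file holds one `KEY=value` per line.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not Bitwarden tooling.
# Assumes key-connector.override.env holds one KEY=value per line.

# Constructed sample: the Step 4 state from the example above.
sample_env() {
    cat <<'EOF'
# constructed sample file
keyConnectorSettings__database__provider=json
keyConnectorSettings__database__jsonFilePath=/etc/bitwarden/database.json
keyConnectorSettings__transferTo__database__provider=sqlserver
keyConnectorSettings__transferTo__database__sqlServerConnectionString={Connection_String}
EOF
}

# Print the Step 6 form of FILE: old database values dropped,
# transferTo__ removed from the new ones, every other line untouched.
finalize_db_migration() {
    awk '
        /^keyConnectorSettings__database__/ { next }
        /^keyConnectorSettings__transferTo__database__/ {
            sub(/^keyConnectorSettings__transferTo__/, "keyConnectorSettings__")
        }
        { print }
    ' "$1"
}

# Rewrite FILE in place, keeping a backup. Refuses to run when no
# transferTo__database__ values exist, so a second run cannot delete
# the only remaining database settings.
apply_cleanup() {
    f=$1
    if ! grep -q '^keyConnectorSettings__transferTo__database__' "$f"; then
        echo "no transferTo__database__ values in $f; nothing changed" >&2
        return 1
    fi
    (
        umask 077   # the file and its copies hold connection secrets
        cp -p "$f" "$f.pre-cleanup" &&
        finalize_db_migration "$f.pre-cleanup" > "$f.tmp" &&
        mv "$f.tmp" "$f"
    )
}
```

The `.pre-cleanup` backup still contains the old database settings; delete it once Key Connector has started cleanly against the new database.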

Migrate to a new RSA configuration

Key Connector uses an RSA key pair to protect user keys at rest. To migrate from your existing RSA key pair configuration:

  1. Stop the Key Connector container.

  2. In your .bwdata/env/key-connector.override.env file, add the required values for a new RSA configuration (see here) with transferTo__ inserted in each value immediately following keyConnectorSettings__.

    For example, the key-connector.override.env for a configuration migrating from a certificate stored on the filesystem to using AWS Key Management Service (KMS) would include the following values:

    Bash
    keyConnectorSettings__rsaKey__provider=certificate
    keyConnectorSettings__certificate__provider=filesystem
    keyConnectorSettings__certificate__filesystemPath=/etc/bitwarden/bw-kc.pfx
    keyConnectorSettings__certificate__filesystemPassword=********
    keyConnectorSettings__transferTo__rsaKey__provider=awskms
    keyConnectorSettings__transferTo__rsaKey__awsAccessKeyId={AccessKey_Id}
    keyConnectorSettings__transferTo__rsaKey__awsAccessKeySecret={AccessKey_Secret}
    keyConnectorSettings__transferTo__rsaKey__awsRegion={Region_Name}
    keyConnectorSettings__transferTo__rsaKey__awsKeyId={Key_Id}

  3. Restart your self-hosted Bitwarden installation in order to apply the configuration changes:

    Bash
    ./bitwarden.sh restart
