10.4. Password-protected keys
Starting with syslog-ng PE version 7.0.7, you can use password-protected private keys in the
syslog() source and destination drivers.
Hazard of data loss! If you use password-protected keys, you must provide the passphrase of the password-protected keys every time syslog-ng PE is restarted (syslog-ng PE keeps the passphrases over reloads). The sources and destinations that use these keys will not work until you provide the passwords. Other parts of the syslog-ng PE configuration will be unaffected.
This means that if you use a password-protected key in a destination, and you use this destination in a log path that has multiple destinations, neither destinations will receive log messages until you provide the password. In such cases, always use disk-based buffering to avoid data loss.
The path and the filename of the private key cannot contain whitespaces.
Depending on your platform, the number of passwords syslog-ng PE can use at the same time might be limited (for example, on Ubuntu 16.04 you can store 16 passwords if you are running syslog-ng PE as a non-root user). If you use lots of password-protected private keys in your syslog-ng PE configuration, increase this limit using the following command: sudo ulimit -l unlimited
The syslog-ng-ctl credentials status command allows you to query the status of the private keys that syslog-ng PE uses in the
syslog() drivers. The command returns the list of private keys used, and their status. For example:
syslog-ng-ctl credentials status Secret store status: /home/user/ssl_test/client-1/client-encrypted.key SUCCESS
If the status of a key is PENDING, you must provide the passphrase for the key, otherwise syslog-ng PE cannot use it. The sources and destinations that use these keys will not work until you provide the passwords. Other parts of the syslog-ng PE configuration will be unaffected. You must provide the passphrase of the password-protected keys every time syslog-ng PE is restarted.
The following log message also notifies you of PENDING passphrases:
Waiting for password; keyfile='private.key'
You can add the passphrase to a password-protected private key file using the following command. syslog-ng PE will display a prompt for you to enter the passphrase. We recommend that you use this method.
syslog-ng-ctl credentials add --id=<path-to-the-key>
Alternatively, you can include the passphrase in the
syslog-ng-ctl credentials add --id=<path-to-the-key> --secret=<passphrase-of-the-key>
Or you can pipe the passphrase to the syslog-ng-ctl command, for example:
echo "<passphrase-of-the-key>" | syslog-ng-ctl credentials add --id=<path-to-the-key>
For details on the syslog-ng-ctl credentials command, see the section called “Handling password-protected private keys”.