Store Encryption
It is recommended to provide the encryption key through the environment variable NATS_STREAMING_ENCRYPTION_KEY instead of the encryption_key configuration value. If encryption is enabled and NATS_STREAMING_ENCRYPTION_KEY is found, it takes precedence over the encryption_key value.
You can pass this from the command line this way:
or, to select AES:
Note that only the message payload is encrypted; all other data stored by the NATS Streaming server is not.
Starting a server with encryption enabled against a datastore that was not encrypted may result in failures when it comes to decrypting a message. These failures may not happen immediately upon startup; instead, they surface when the server attempts to deliver messages to consumers. However, when possible, the server detects that the data was not encrypted and returns it without attempting to decrypt it. The server also detects which cipher was used to encrypt the data and uses that cipher to decrypt it, even if it is not the currently selected cipher.
If the data is encrypted with a key and the server is restarted with a different key, the server will fail to decrypt messages when attempting to load them from the store.
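The following Go program is an added example, not code from the NATS Streaming server, that models two things described on this page: the precedence of NATS_STREAMING_ENCRYPTION_KEY over the encryption_key configuration value, and a store that tags each encrypted payload so that on restart it can hand back unencrypted records untouched, pick the cipher the record was written with, and fail cleanly when the key has changed. The record layout (a one-byte cipher marker, then nonce, then AES-GCM ciphertext), the marker value, and the SHA-256 key derivation are assumptions made for illustration and are not the server's actual on-disk format.

```go
package main

// Added example (not NATS Streaming's own code). The record layout, marker
// byte and key derivation below are assumptions used only for illustration.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
)

const envKeyName = "NATS_STREAMING_ENCRYPTION_KEY"

// resolveKey mirrors the precedence rule on this page: when encryption is
// enabled and the environment variable is set, it wins over the configured
// encryption_key value. With encryption disabled no key is needed at all.
func resolveKey(encrypt bool, configKey string) (string, error) {
	if !encrypt {
		return "", nil
	}
	if v, ok := os.LookupEnv(envKeyName); ok && v != "" {
		return v, nil
	}
	if configKey == "" {
		return "", errors.New("encryption enabled but no key provided")
	}
	return configKey, nil
}

// Marker byte prefixed to every encrypted payload (assumed layout) so the
// reader can tell an encrypted record from a plain one and which cipher made it.
const markerAES byte = 0x01

// deriveKey turns the passphrase into a 32-byte AES-256 key (assumed derivation).
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

func newGCM(passphrase string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPayload returns marker || nonce || AES-GCM ciphertext. Only the
// message payload passes through here; other store data stays in clear.
func encryptPayload(passphrase string, payload []byte) ([]byte, error) {
	aead, err := newGCM(passphrase)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{markerAES}, nonce...)
	return aead.Seal(out, nonce, payload, nil), nil
}

// decryptPayload models the restart caveats: a record without the known
// marker is treated as unencrypted and returned as-is; a record carrying the
// AES marker is decrypted with AES regardless of which cipher is currently
// selected; a key mismatch surfaces as an authentication error from GCM.
func decryptPayload(passphrase string, record []byte) ([]byte, error) {
	if len(record) == 0 || record[0] != markerAES {
		return record, nil // not encrypted (or unknown layout): hand back untouched
	}
	aead, err := newGCM(passphrase)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(record) < 1+ns {
		return nil, errors.New("record too short to hold marker and nonce")
	}
	plain, err := aead.Open(nil, record[1:1+ns], record[1+ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed (key changed since the data was written?): %w", err)
	}
	return plain, nil
}

func main() {
	os.Setenv(envKeyName, "key-from-env") // constructed sample key
	key, _ := resolveKey(true, "key-from-config")
	fmt.Println("effective key:", key) // env var wins
	rec, _ := encryptPayload(key, []byte("hello"))
	_, err := decryptPayload("different-key", rec)
	fmt.Println("restart with a different key:", err)
}
```

The marker check is deliberately a heuristic: a genuinely unencrypted payload whose first byte happens to equal the marker would be misread as ciphertext and fail authentication, which is why the page says the server returns unencrypted data "when possible" rather than always. The error path on a wrong key is the same one a practitioner sees after restarting with a changed key, and it appears only when a record is actually read, not at startup.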