Encryption - Cloosphere Guide

Admin › Settings › Encryption

Choose the key management backend (KMS, Key Management System) that encrypts sensitive settings — Config secrets, database connections, tool connection keys, license tokens, and more.

KMS Providers

Provider	Description
Local (Fernet)	Built-in Fernet encryption based on `WEBUI_SECRET_KEY`. No external dependency

Switching providers does not automatically migrate existing data. Legacy ciphertext continues to decrypt via fallback, so nothing breaks immediately, but run the migration below to unify everything under the new provider.

Migrating Existing Data

Running Migrate existing data re-encrypts all legacy ciphertext with the currently configured provider.

Targets: Config secrets · DbSphere connections · tool connection keys · license tokens
Idempotent, so it is safe to re-run.

Audit Log · Integrity Check

Every KMS wrap, unwrap, rotate, and health-check operation is recorded in a tamper-evident hash chain. Tampering with a past entry breaks the chain at verification time.

Action	Description
Integrity check	Verify the integrity of the audit log hash chain
Connection test	Check the current KMS provider connection status

You can view the full audit records and integrity verification in Monitoring › KMS Audit.

Database Monitoring

​KMS Providers

​Migrating Existing Data

​Audit Log · Integrity Check

KMS Providers

Migrating Existing Data

Audit Log · Integrity Check