Encrypting / securing configuration properties

[puckpuck]

Feature Request

A mechanism which allows users to specify some configuration properties on a secured manner. Typical for passwords used in many of the input plugins.

Proposal:

1. (tactical, low hanging fruit) Add an option to clear environment variables post configuration initialization, and provide clear and documented instructions for users to adhere to in order to leverage environment variables in a wrapper script for the Telegraf executable.
2. (strategic, longterm) Implement a Telegraf system wide mechanism to fetch secured configuration details, which can be applied to the remainder of the configuration details. Perhaps another plugin type?

Current behavior:

Telegraf configuration is in plain text. Though you can use OS environment variables to pass entire or portion of values in the configuration.

Desired behavior:

A secured, endorsed, documented, and supported process and/or technology to increase security of Telegraf configuration details.

Use case:

Collecting metrics from remote systems that require authentication with user/password or token in a plain text configuration file is a violation to common rules within enterprise security policies.

[glinton]

Thanks for the write up, does any discussion from #3124 apply here?

[puckpuck]

yes thank you.. was search for a similar issue, and couldn't find one... Need to work on my search skills :(