Start the data retention bot - AWS Wickr

Start the data retention bot

Before you run the data retention bot, you should determine how you want to configure it. If you plan to run the bot on a host that:

  • Will not have access to AWS services, then your options are limited. In that case you will use the default message streaming options. You should decide whether you want to limit the size of the captured message files to a specific size or time interval. For more information, see Environment variables.

  • Will have access to AWS services, then you should create a Secrets Manager secret to store the bot credentials and AWS service configuration details. After the AWS services are configured, you can proceed to start the data retention bot Docker image. For more information about the details you can store in a Secrets Manager secret, see Secrets Manager values.

The following sections show example commands to run the data retention bot Docker image. In each of the example commands, replace the following example values with your own:

  • compliance_1234567890_bot with the name of your data retention bot.

  • password with the password for your data retention bot.

  • wickr/data/retention/bot with the name of your Secrets Manager secret to use with your data retention bot.

  • bucket-name with the name of the Amazon S3 bucket where messages and files will be stored.

  • folder-name with the folder name in the Amazon S3 bucket where messages and files will be stored.

  • us-east-1 with the AWS Region of the resource you're specifying. For example, the Region of the AWS KMS master key or the Region of the Amazon S3 bucket.

  • arn:aws:kms:us-east-1:111122223333:key/12345678-1234-abcde-a617-abababababab with the Amazon Resource Name (ARN) of your AWS KMS master key to use to re-encrypt message files and files.

Start the bot with password environment variable (no AWS service)

The following Docker command starts the data retention bot. The password is specified using the WICKRIO_BOT_PASSWORD environment variable. The bot starts using the default file streaming, and using the default values defined in the Environment variables section of this guide.

    docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
    -d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
    -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
    -e WICKRIO_BOT_PASSWORD='password' \
    wickr/bot-compliance-cloud:latest

Start the bot with password prompt (no AWS service)

The following Docker command starts the data retention bot. You enter the password when the data retention bot prompts for it. The bot starts using the default file streaming and the default values defined in the Environment variables section of this guide.

    docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
    -d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
    -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
    wickr/bot-compliance-cloud:latest

    docker attach compliance_1234567890_bot
    .
    .
    .
    Enter the password:************
    Re-enter the password:************

Run the bot using the -ti option to receive the password prompt. You should also run the docker attach <container ID or container name> command immediately after starting the docker image so that you get the password prompt. You should run both of these commands in a script. If you attach to the docker image and don’t see the prompt, press Enter and you will see the prompt.

Start the bot with 15 minute message file rotation (no AWS service)

The following Docker command starts the data retention bot using environment variables. It also configures the bot to rotate the received message files every 15 minutes.

    docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
    -d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
    -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
    -e WICKRIO_BOT_PASSWORD='password' \
    -e WICKRIO_COMP_TIMEROTATE=15 \
    wickr/bot-compliance-cloud:latest

Start the bot and specify the initial password with Secrets Manager

You can use Secrets Manager to supply the data retention bot’s password. When you start the data retention bot, you need to set an environment variable that names the Secrets Manager secret where this information is stored.

    docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
    -d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
    -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
    -e AWS_SECRET_NAME='wickr/data/retention/bot' \
    wickr/bot-compliance-cloud:latest

The wickrpro/compliance/compliance_1234567890_bot secret has the following secret value in it, shown as plaintext.

    {
        "password":"password"
    }

Start the bot and configure Amazon S3 with Secrets Manager

You can use Secrets Manager to host the credentials and the Amazon S3 bucket information. When you start the data retention bot, you need to set an environment variable that names the Secrets Manager secret where this information is stored.

    docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
    -d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
    -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
    -e AWS_SECRET_NAME='wickr/data/retention/bot' \
    wickr/bot-compliance-cloud:latest

The wickrpro/compliance/compliance_1234567890_bot secret has the following secret value in it, shown as plaintext.

    {
        "password":"password",
        "s3_bucket_name":"bucket-name",
        "s3_region":"us-east-1",
        "s3_folder_name":"folder-name"
    }

Messages and files received by the bot will be put in the bot-compliance bucket in the folder named network1234567890.

Start the bot and configure Amazon S3 and AWS KMS with Secrets Manager

You can use Secrets Manager to host the credentials, the Amazon S3 bucket information, and the AWS KMS master key information. When you start the data retention bot, you need to set an environment variable that names the Secrets Manager secret where this information is stored.

    docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
    -d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
    -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
    -e AWS_SECRET_NAME='wickr/data/retention/bot' \
    wickr/bot-compliance-cloud:latest

The wickrpro/compliance/compliance_1234567890_bot secret has the following secret value in it, shown as plaintext.

    {
        "password":"password",
        "s3_bucket_name":"bucket-name",
        "s3_region":"us-east-1",
        "s3_folder_name":"folder-name",
        "kms_master_key_arn":"arn:aws:kms:us-east-1:111122223333:key/12345678-1234-abcde-a617-abababababab",
        "kms_region":"us-east-1"
    }

Messages and files received by the bot will be encrypted using the KMS key identified by the ARN value, then put in the “bot-compliance” bucket in the folder named “network1234567890”. Make sure you have the appropriate IAM policy set up.
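
A pre-flight check for the secret values shown in the three Secrets Manager sections above, as an added example that is not part of the AWS documentation or the bot's own code. The key names come from this page; the function name, the rule that each group of settings is supplied in full, and the rule that kms_region matches the Region in the key ARN are assumptions.

```python
import json

# Key names are the ones shown in this page's secret values.
S3_KEYS = ("s3_bucket_name", "s3_region", "s3_folder_name")
KMS_KEYS = ("kms_master_key_arn", "kms_region")
# Example values from this page that must be replaced before use.
DOC_PLACEHOLDERS = {"password", "bucket-name", "folder-name"}


def check_bot_secret(secret_string):
    """Return a list of problems found in a secret value (hypothetical helper)."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret value is not valid JSON: {exc.msg}"]
    if not isinstance(secret, dict):
        return ["secret value must be a JSON object"]

    problems = []
    password = secret.get("password")
    if not isinstance(password, str) or not password:
        problems.append("password is missing or empty")

    # Assumption: each group of settings is supplied in full or not at all.
    for group in (S3_KEYS, KMS_KEYS):
        missing = [k for k in group if not secret.get(k)]
        if missing and len(missing) < len(group):
            problems.append(f"incomplete settings, missing: {', '.join(missing)}")

    # Assumption: kms_region should equal the Region field of the key ARN,
    # arn:<partition>:kms:<region>:<account>:key/<id>.
    arn = secret.get("kms_master_key_arn")
    if isinstance(arn, str) and arn:
        p = arn.split(":", 5)
        if not (len(p) == 6 and p[0] == "arn" and p[1].startswith("aws")
                and p[2] == "kms" and p[5].startswith("key/")):
            problems.append("kms_master_key_arn is not a KMS key ARN")
        elif secret.get("kms_region") and p[3] != secret["kms_region"]:
            problems.append("kms_region does not match the Region in the ARN")

    for key, value in secret.items():
        if isinstance(value, str) and value in DOC_PLACEHOLDERS:
            problems.append(f"{key} still holds a documentation placeholder")
    return problems


if __name__ == "__main__":
    # Constructed sample: S3 settings with the Region left out.
    sample = '{"password": "constructed-Example-1", "s3_bucket_name": "example-bucket", "s3_folder_name": "net-a"}'
    print(check_bot_secret(sample))
```

Pass it the SecretString of the secret named in AWS_SECRET_NAME before starting the container; an empty list means none of these checks failed.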

Start the bot and configure Amazon S3 using environment variables

If you don't want to use Secrets Manager to host the data retention bot credentials, you can start the data retention bot Docker image with the following environment variables. You must identify the name of the data retention bot using the WICKRIO_BOT_NAME environment variable.

    docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
    -d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
    -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
    -e WICKRIO_BOT_PASSWORD='password' \
    -e WICKRIO_S3_BUCKET_NAME='bucket-name' \
    -e WICKRIO_S3_FOLDER_NAME='folder-name' \
    -e WICKRIO_S3_REGION='us-east-1' \
    wickr/bot-compliance-cloud:latest

You can use environment values to identify the data retention bot’s credentials, information about Amazon S3 buckets, and configuration information for the default file streaming.