Introduction

Users find sensitive data such as passwords in a number of places:

• Jobs that require passwords for individual access to resources such as databases, mail servers etc.
• Credentials for JS7 - Database connections
• Credentials for JS7 - File Transfer

Generally the best way how to securely handle passwords is not to use them. However, there can be scenarios when passwords cannot be avoided. In this situation users can encrypt and decrypt sensitive data such as passwords by use of asymmetric keys.

Download

The JS7 encryption libraries ship with JS7 Agents that can use encyption/decryption from shell jobs. In addition, the libraries are provided for download to perform encryption and decryption outside of JS7 products.

• Download: JS7 - Download (Section: Utilities, Files: js7.encryption.tar.gz, js7.encryption.zip)
• The JS7 encryption libraries can be used from the below interfaces
  • a command line interface (CLI) is available for Linux, MacOS®, AIX® using bash, zsh, dash shell, see JS7 - How to encrypt and decrypt using Unix Shell
  • a CLI is available for Windows® Shell, see JS7 - How to encrypt and decrypt using Windows Shell.
  • PowerShell cmdlets can be used with Linux, MacOS® and Windows®, see JS7 - How to encrypt and decrypt using PowerShell

• Encryption and decryption with PowerShell cmdlets and with the CLI for Unix Shell and Windows Shell can be used interchangeably across platforms.

The archive files of the JS7 encryption libraries (Unix: .tar.gz; Windows: .zip) hold the following files and folders:

Unix

• js7.encryption
  • example-*.sh: sample files for creating keys and for calling encryption/decryption scripts
  • bin
    • js7_encrypt.sh: see JS7 - How to encrypt and decrypt using Unix Shell
    • js7_decrypt.sh: see JS7 - How to encrypt and decrypt using Unix Shell
    • js7_set_job_resource.sh: see JS7 - How to update a Job Resource using Unix Shell
  • lib
    • 3rd-party: libraries provided by 3rd-party projects
    • sos: libraries provided by SOS

Windows

• js7.encryption
  • example-*.cmd: sample files for creating keys and for calling encryption/decryption scripts
  • bin
    • js7_encrypt.cmd: see JS7 - How to encrypt and decrypt using Windows Shell
    • js7_decrypt.cmd: see JS7 - How to encrypt and decrypt using Windows Shell
  • lib
    • 3rd-party: libraries provided by 3rd-party projects
    • sos: libraries provided by SOS

Asymmetric Keys

Encryption and decryption make use of asymmetric X.509 Private Keys and Certificates. This includes the following roles:

• Sender: has access to the receiver's Certificate or Public Key and encrypts a secret based on the receivers's Public Key that is direclty available or that can be calculated from a Certificate.
• Receiver: has access to the Private Key that allows decryption of the encrypted secret.

Encryption

• A secret is encrypted using the Certificate or Public Key of the receiver that should decrypt the secret.
• The encryption process takes the following steps:
  • Create a symmetric one-time key.
  • Encrypt the one-time key with the receiver's Public Key. If a Certificate is used then the Public Key is calculated from the Certificate.
  • Create an initialization vector that includes changing values for a "salt" to protect encrypted secrets from attacks using rainbow tables. The "salt" is no sensitive information, its knowledge will not allow more efficient attacks.
  • Encrypt the secret with the one-time key and initialization vector.
  • Drop the one-time key, only the receiver will be able to decrypt the encrypted one-time key later on.
• The outcome of encryption that is forwarded to a receiver includes the following items:
  • encrypted one-time key,
  • initialization vector which includes the "salt",
  • encrypted secret.

Decryption

• The receiver is the sole owner of the Private Key, which guarantees that no one else can decrypt the secret.
• The decryption process takes the following steps:
  • Decrypt the encrypted one-time key using the Private Key.
  • Use the decrypted one-time key and initialization vector to decrypt the encrypted secret.
  • Drop the one-time key.

Integration Scenarios

JS7 encryption/decryption can be integrated in a number of ways. Frequently used scenarios include:

• JS7 - Encryption - Integration with Jobs
• JS7 - Encryption - Integration with Secret Manager Products

Further Resources

• JS7 - How to encrypt and decrypt Variables
  • JS7 - How to encrypt and decrypt using Unix Shell
  • JS7 - How to encrypt and decrypt using Windows Shell
  • JS7 - How to encrypt and decrypt using PowerShell
• JS7 - How to update a Job Resource using Unix Shell
• JS7 - How to update a Job Resource using PowerShell
• JS7 - How to encrypt and decrypt Database Credentials