Introduction

Users find sensitive data such as passwords in a number of places:

  • Jobs that require passwords for individual access to resources such as databases, mail servers etc.
  • Credentials for JS7 - Database connections
  • Credentials for JS7 - File Transfer

Generally the best way how to securely handle passwords is not to use them. However, there can be scenarios when passwords cannot be avoided. In this situation users can encrypt and decrypt sensitive data such as passwords by use of asymmetric keys.

Download

The JS7 encryption libraries ship with JS7 Agents that can use encyption/decryption from shell jobs. In addition, the libraries are provided for download to perform encryption and decryption outside of JS7 products.

  • Encryption and decryption with PowerShell cmdlets and with the CLI for Unix Shell and Windows Shell can be used interchangeably across platforms.

The archive files of the JS7 encryption libraries (Unix: .tar.gz; Windows: .zip) hold the following files and folders:

Unix

Windows

Asymmetric Keys

Encryption and decryption make use of asymmetric X.509 Private Keys and Certificates. This includes the following roles:

  • Sender: has access to the receiver's Certificate or Public Key and encrypts a secret based on the receivers's Public Key that is directly available or that can be calculated from a Certificate.
  • Receiver: has access to the Private Key that allows decryption of the encrypted secret.

Encryption

  • A secret is encrypted using the Certificate or Public Key of the receiver that should decrypt the secret.
  • The encryption process takes the following steps:
    • Create a symmetric one-time key.
    • Encrypt the one-time key with the receiver's Public Key. If a Certificate is used then the Public Key is calculated from the Certificate.
    • Create an initialization vector that includes changing values for a "salt" to protect encrypted secrets from attacks using rainbow tables. The "salt" is no sensitive information, its knowledge will not allow more efficient attacks.
    • Encrypt the secret with the one-time key and initialization vector.
    • Drop the one-time key, only the receiver will be able to decrypt the encrypted one-time key later on.
  • The outcome of encryption that is forwarded to a receiver includes the following items:
    • encrypted one-time key,
    • initialization vector which includes the "salt",
    • encrypted secret.


Decryption

  • The receiver is the sole owner of the Private Key, which guarantees that no one else can decrypt the secret.
  • The decryption process takes the following steps:
    • Decrypt the encrypted one-time key using the Private Key.
    • Use the decrypted one-time key and initialization vector to decrypt the encrypted secret.
    • Drop the one-time key.


Integration Scenarios

JS7 encryption/decryption can be integrated in a number of ways. Frequently used scenarios include:

Further Resources