Introduction

Jobs might require variables for parameterization that hold secrets. We find a number of requirements for management of such variables, see JS7 - How to encrypt and decrypt

The preferred solution with JS7 is to use asymmetric keys, for details see JS7 - Encryption and Decryption.

  • Encryption and decryption can be performed directly by related jobs.
  • Encryption and decryption can be performed outside of JS7 products.
  • This includes that JS7 products have no knowledge of secret keys involved that potentially could be compromised by logging, database persistence etc.

FEATURE AVAILABILITY STARTING FROM RELEASE 2.5.9
FEATURE AVAILABILITY STARTING FROM RELEASE 2.6.6

Download

The solution includes

The JS7 encryption libraries ship with JS7 Agents. In addition, the libraries are provided for download to perform encryption and decryption outside of JS7 products.

The following platforms are supported:

  • PowerShell cmdlets can be used with Linux, MacOS® and Windows®.
  • Encryption and decryption with PowerShell cmdlets and with the CLI for Unix Shell and Windows Shell can be used interchangeably across platforms.

Managing the Private Key and Certificate

Asymetric encryption makes use of a Private Key and Certificate/Public Key that can be created in a number of ways:

  • Users can create a Certificate Signing Request (CSR) and ask their Certificate Authority (CA) to sign the CSR and to receive an X.509 Certificate. The Private Key or X.509 Certificate allow to derive the Public Key.
  • User can create a self-signed X.509 Certificate, see JS7 - How to create self-signed Certificates.
  • Users can create a Private Key and Certificate as explained in the next chapter.

Note: Private Keys can be protected using a passphrase that acts as a second factor when a human user will access the key: while the Private Key is in the file system, the passphrase is in the user's brains. However, this does not improve security for unattended processing: it's pointless to store a passphrase side-by-side with the Private Key in scripts or configuration files on the same media.

Step 1: Creating the Private Key and Certificate

The following step is performed on the server hosting the Agent that should decrypt secrets using the openssl utility from the command line:

Example how to create ECDSA private key and certificate
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key in pkcs#1 format
#   without passphrase
openssl ecparam -name secp256k1 -genkey -noout -out agent.key
#   with passphrase
# openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -passout pass:"jobscheduler" -out agent.key

# create certificate
openssl req -new -x509 -key agent.key -out agent.crt -days 1825
# openssl req -new -x509 -key agent.key -passin pass:"jobscheduler" -out agent.crt -days 1825
Example how to create RSA private key and certificate
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key in pkcs#1 format
#   without passphrase
openssl req -x509 -sha256 -newkey rsa:2048 -keyout agent.key -out agent.crt
#   with passphrase
# openssl req -x509 -sha256 -newkey rsa:2048 -passout pass:"jobscheduler" -keyout agent.key -out agent.crt

Step 2: Making the Certificate available

Copy the certificate file to the server(s) hosting the Agent(s) or 3rd-party components that should encrypt secrets:

Encryption

Usage

PowerShell CLI 2.0 - Cmdlets - Invoke-JS7Encrypt

Return Values

The cmdlet returns a single string value that holds the following elements separated by spaces:

  • encrypted asymetric key
  • initialization vector
  • encrypted secret or path to encrypted output file if the -File and -OutFile arguments are used.

Examples

The following examples illustrate typical use cases.

Encrypting Secret using PowerShell

Example for Encryption using PowerShell
$result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value "secret" -JavaLib /js7/js7.encryption/lib
Write-Output "$result"

# encrypts the given secret using an Agent's X.509 certificate
# output includes the encrypted symmetric key, initialization vector and encrypted secret separated by space

Encrypting and forwarding Secret using PowerShell in Jobs

Example for Encryption using PowerShell
$result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value "secret" -JavaLib /js7/js7.encryption/lib
"new_var=$result" | Out-File $env:JS7_RETURN_VALUES -Append

# encrypts the given secret using an Agent's X.509 certificate
# output includes the encrypted symmetric key, initialization vector and encrypted secret separated by spaces
# output is stored to the "new_var" variable (key/value pair) that is made available for later jobs in the workflow

Encrypting File using PowerShell

Example for Encryption using PowerShell
"secret file" | Out-File /tmp/secret.txt

$result = Invoke-JS7Encrypt -File /tmp/secret.txt -OutFile /tmp/secret.txt.enc -CertificatePath agent.crt -JavaLib /js7/js7.encryption/lib
Write-Output "$result"

# encrypts the given file using an Agent's X.509 certificate and creates an encrypted output file
# output includes the encrypted symmetric key, initialization vector and path to encrypted file separated by spaces

Decryption

Usage

PowerShell CLI 2.0 - Cmdlets - Invoke-JS7Decrypt

Return Values

The cmdlet returns a single string value holding the following information:

  • decrypted secret or path to decrypted output file if the -File and -OutFile arguments are used.

Examples

The following examples illustrate typical use cases.

Decrypting Secret using PowerShell

Example for Decryption using PowerShell
# assumes that prevous encryption created a "result" variable
# $result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value "secret" -JavaLib /js7/js7.encryption/lib

$secret = Invoke-JS7Decrypt -Value $result -KeyPath agent.key -JavaLib /js7/js7.encryption/lib
Write-Output "$secret"

# decrypts the given encrypted secret using an Agent's private key
# initialization vector, encrypted symmetric key and encrypted secret are returned during encryption
# output includes the decrypted secret

Decrypting File using PowerShell

Example for Decryption using PowerShell
# assumes that prevous encryption created a "result" variable and encrypted output file
# $result = Invoke-JS7Encrypt -File /tmp/secret.txt -OutFile /tmp/secret.txt.enc -CertificatePath agent.crt -JavaLib /js7/js7.encryption/lib

Invoke-JS7Decrypt -Value $result -File /tmp/secret.txt.enc -OutFile /tmp/secret.txt.dec -KeyPath agent.key -JavaLib /js7/js7.encryption/lib
Get-Content /tmp/secret.txt.dec -Raw

# decrypts the given encrypted file using an Agent's private key
# creates the decrypted output file

Further Resources