Secrets
10. Secrets
The secrets
node defines secret data that is used to obfuscate entries within the YAML configuration files.
Obfuscation Key
Specifies an obfuscation key that is used to decrypt the OBF:<data>
type entries.
The obfuscation key is a passphrase that can be used to perform key derivation to generate the key used to decrypt obfuscated entries.
Example Steps:
An obfuscated entry can be generated with the following command that requires OpenSSL 1.1.1 or newer:
[demouser@demovm ~]$ echo -n "<configuration entry>" | openssl enc -aes256 \
-pbkdf2 -pass pass:"<obfuscation key>" -md sha512 \
-base64
U2FsdGVkX19iBhlwc53+QkybjO6RjFHhSbz4VRudYHA=
This obfuscation key and obfuscated entry can be provided in the configuration YAML.
Property
Name | Type | Constraints |
---|---|---|
obf_key | string |
Example
secrets:
obf_key: "<obfuscation key>"
Encryption Key
Specifies an encryption key that is used to decrypt the ENC:<data>
type entries.
The encryption key is an RSA private key that can be used to decrypt entries which were encrypted using the corresponding RSA public key.
This entry must be a PEM representation of an RSA private key, beginning with -----BEGIN RSA PRIVATE KEY-----
and ending with -----END RSA PRIVATE KEY-----
.
Example Steps:
An RSA key pair can be created with the following commands:
Generate the RSA private key:
[demouser@demovm ~]$ openssl genrsa -out private.pem 2048
Generate the corresponding public key:
openssl rsa -pubout -in private.pem -out public.pem
An encrypted entry can be generated with the following command by using the public key:
echo -n "<configuration entry>" | openssl rsautl
-encrypt -inkey public.pem -pubin | base64
oYpkxULIexyLR2wUl+mz6Nfki8Pd23Fv0buZZxAuh+Cq1A677NTZwmcWcWN9+MBBVJaISNM0uIVd33/n83Awf77Q/LXtjtzsk41Ux690YVsagh75n/BPk7Ca+4txzwB48yOrTKtIRVbNC2H+Rpa/7LMNSc1Zjez9PqNO4WIa323NzKA4y3Cx1h3DTKANrgsJgXDHNWNs/Ar9pPXxSeFNGmgnYRVtEZtN73IAMs8TzNJKNGkBkmr6vdZvlkjI6ebezJS1kawDvaKQ/C5GXdbpoaJE+JYgYsHDEZLpiasn0Ii4yt3HHNKpsX0UUBSIMO3di0brjJPoJFccVPHLDYgPlw==
This encryption key and encrypted entry can be provided in the configuration YAML.
Property
Name | Type | Constraints |
---|---|---|
enc_key | string |
Example
secrets:
enc_key: "@private.pem"
Updated about 2 years ago