Secrets

Suggest Edits

10. Secrets

The secrets node defines secret data that is used to obfuscate entries within the YAML configuration files.

Obfuscation Key

Specifies an obfuscation key that is used to decrypt the OBF:<data> type entries.

The obfuscation key is a passphrase that can be used to perform key derivation to generate the key used to decrypt obfuscated entries.

Example Steps:

An obfuscated entry can be generated with the following command that requires OpenSSL 1.1.1 or newer:

[demouser@demovm ~]$ echo -n "<configuration entry>" | openssl enc -aes256 \
    -pbkdf2 -pass pass:"<obfuscation key>" -md sha512 \
    -base64

U2FsdGVkX19iBhlwc53+QkybjO6RjFHhSbz4VRudYHA=

This obfuscation key and obfuscated entry can be provided in the configuration YAML.

Property

NameTypeConstraints
obf_keystring

Example

secrets:
  obf_key: "<obfuscation key>"

Encryption Key

Specifies an encryption key that is used to decrypt the ENC:<data> type entries.

The encryption key is an RSA private key that can be used to decrypt entries which were encrypted using the corresponding RSA public key.

This entry must be a PEM representation of an RSA private key, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----.

Example Steps:

An RSA key pair can be created with the following commands:

Generate the RSA private key:

[demouser@demovm ~]$ openssl genrsa -out private.pem 2048

Generate the corresponding public key:

openssl rsa -pubout -in private.pem -out public.pem

An encrypted entry can be generated with the following command by using the public key:

echo -n "<configuration entry>" | openssl rsautl
    -encrypt -inkey public.pem -pubin | base64

oYpkxULIexyLR2wUl+mz6Nfki8Pd23Fv0buZZxAuh+Cq1A677NTZwmcWcWN9+MBBVJaISNM0uIVd33/n83Awf77Q/LXtjtzsk41Ux690YVsagh75n/BPk7Ca+4txzwB48yOrTKtIRVbNC2H+Rpa/7LMNSc1Zjez9PqNO4WIa323NzKA4y3Cx1h3DTKANrgsJgXDHNWNs/Ar9pPXxSeFNGmgnYRVtEZtN73IAMs8TzNJKNGkBkmr6vdZvlkjI6ebezJS1kawDvaKQ/C5GXdbpoaJE+JYgYsHDEZLpiasn0Ii4yt3HHNKpsX0UUBSIMO3di0brjJPoJFccVPHLDYgPlw==

This encryption key and encrypted entry can be provided in the configuration YAML.

Property

NameTypeConstraints
enc_keystring

Example

secrets:
  enc_key: "@private.pem"

Updated over 1 year ago