...
The first job encrypt-variables is implemented like this:
```bash
#!/bin/bash
set -e

# encrypt variable values using the Agent's public key
##!include Crypto

EncryptVariable myVar1 "secret1"
EncryptVariable myVar2 "secret2"
```
...
Second Job: decrypt-variables
The second job decrypt-variables maps workflow variables to environment variables like this:
Explanation:
- MY_VAR1: environment variable that holds the encrypted value of the myVar1 workflow variable created by the encrypt-variables job.
- MY_VAR1_KEY: environment variable that holds the encrypted value of the symmetric key. The variable is implicitly created by the encrypt-variables job.
- MY_VAR2, MY_VAR2_KEY: similar to the above variables.
The second job decrypt-variables is implemented like this:
```bash
#!/bin/bash
set -e

# decrypt variable values using the Agent's private key
##!include Crypto

secret1=$(DecryptVariable "${MY_VAR1}" "${MY_VAR1_KEY}")
echo "${secret1}"

secret2=$(DecryptVariable "${MY_VAR2}" "${MY_VAR2_KEY}")
echo "${secret2}"
```
...
- The job makes use of JS7 - Script Includes: the Crypto Script Include holds the shell functions used in the job.
- The directive
  ##!include Crypto
  inserts the shell code available from the indicated Crypto Script Include.
- The Script Include can be parameterized to specify the location of the private key:
  ##!include Crypto --replace="<private-key>","/var/sos-berlin.com/js7/agent/config/private/agent.key"
  - The first argument of the --replace option is a placeholder available with the Crypto Script Include.
  - The second argument represents the value by which the placeholder will be replaced. The above value is the default that is used if the Script Include is invoked without replacement options.
- The Script Include can be parameterized to specify a passphrase required by the private key:
  ##!include Crypto --replace="<passphrase>","jobscheduler"
- The Script Include can be invoked with repeated --replace=<what>,<with> options.
- The DecryptVariable function expects the encrypted value of the variable and the encrypted value of the symmetric key:
  DecryptVariable <value> <key-value> [<private-key> [,<passphrase>]]
  - <value>: The encrypted value of the variable. Required.
  - <key-value>: The value of the variable holding the encrypted symmetric key. Required.
  - <private-key>: The path to the private key file. Defaults to <agent-data>/config/private/agent.key.
  - <passphrase>: The passphrase of the private key.
- The function first decrypts the encrypted symmetric key with the private key and then decrypts the encrypted variable value using the decrypted symmetric key.
- The DecryptVariable function returns the secret, which can be assigned to an environment variable or passed to another function.
- It is recommended not to write the secret to a file or to perform any operation that exposes the secret to logging of output in the stdout and stderr channels.
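As an added example (not the JS7 Crypto Script Include itself), the following bash functions reproduce the two-step scheme described above: a fresh symmetric key encrypts the value, the Agent's public key encrypts the symmetric key, and decryption reverses the order while a trap removes the temporary key file. It assumes openssl on PATH; the key pair, the WORKDIR paths and the RoundTrip helper are constructed for the demo and stand in for the Agent's real key files.

```bash
#!/bin/bash
# Added example, not the JS7 Crypto Script Include: a hybrid encrypt/decrypt
# pair in the style described above. Assumes openssl on PATH; key pair and
# paths are constructed for the demo and stand in for the Agent's keys.
set -e

WORKDIR=$(mktemp -d)
# the trap reliably removes the symmetric key file (and demo keys) on exit
trap 'rm -rf "${WORKDIR}"' EXIT

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "${WORKDIR}/agent.key" 2>/dev/null
openssl pkey -in "${WORKDIR}/agent.key" -pubout -out "${WORKDIR}/agent.pub"

# EncryptVariable <value> <public-key>
# prints "<encrypted-value> <encrypted-symmetric-key>", both base64
EncryptVariable() {
    local value="$1" pubkey="$2" keyfile="${WORKDIR}/sym.key" enc_value enc_key
    openssl rand -hex 32 > "${keyfile}"        # fresh 256-bit symmetric key
    enc_value=$(printf '%s' "${value}" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:${keyfile}" | openssl base64 -A)
    enc_key=$(openssl pkeyutl -encrypt -pubin -inkey "${pubkey}" \
        -in "${keyfile}" | openssl base64 -A)
    rm -f "${keyfile}"
    printf '%s %s\n' "${enc_value}" "${enc_key}"
}

# DecryptVariable <value> <key-value> <private-key>
DecryptVariable() {
    local enc_value="$1" enc_key="$2" privkey="$3" keyfile="${WORKDIR}/sym.key"
    # step 1: recover the symmetric key with the private key
    printf '%s' "${enc_key}" | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "${privkey}" -out "${keyfile}"
    # step 2: decrypt the value with the recovered symmetric key
    printf '%s' "${enc_value}" | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:${keyfile}"
    rm -f "${keyfile}"
}

# RoundTrip <secret>: encrypt with the public key, decrypt with the private key
RoundTrip() {
    local fields
    fields=$(EncryptVariable "$1" "${WORKDIR}/agent.pub")
    DecryptVariable "${fields% *}" "${fields#* }" "${WORKDIR}/agent.key"
}
```

The decrypted secret is only ever returned on stdout of DecryptVariable for assignment, never written to a file, matching the recommendation above.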
The Crypto Script Include is located in the related system folder and is implemented like this:
Explanation:
- The Crypto Script Include implements the EncryptVariables and DecryptVariables shell functions.
- Both functions create a temporary file for the symmetric key. The Script Include implements a trap to reliably remove the symmetric key file on termination of the job.
- The operation of encryption and decryption is performed using the openssl utility.
...