...

The solution ships with JS7 Agents that can use encryption/decryption from shell jobs.

In addition, the solution is provided for download to perform encryption and decryption outside of JS7 products.

Encryption

Usage

Invoking the script without arguments displays the usage clause:

...

Usage:

Usage: js7_encrypt.cmd [Options] [Switches]

  Options:
     --cert=<path-to-certificate>  | path to X.509 certificate or public key file used to encrypt the secret.
     --in=<secret>                 | secret that should be encrypted.
     --infile=<path-to-file>       | path to input file.
     --outfile=<path-to-file>      | path to output file that should be encrypted.

  Switches:
     -h | --help                   | displays usage

...

  • --cert
    • Specifies the path to a file that holds the CA signed or self-signed X.509 certificate. Alternatively the path to a file holding the public key can be specified.
  • --in
    • Specifies the input value that should be encrypted, typically a secret.
    • One of the options --in or --infile has to be specified.
  • --infile
    • Specifies the path to the input file that should be encrypted.
    • One of the options --in or --infile has to be specified.
    • This option requires use of the --outfile option.
  • --outfile
    • Specifies the path to the output file that will be created holding the encrypted content of the input file.
    • The option is used if the --infile option is specified.

Switches

  • -h | --help
    • Displays usage.

...

The following examples illustrate typical use cases.

Encrypting

...

Secret using Windows Shell

Example for Encryption using Windows Shell

call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"

for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
  set encrypted_symmetric_key=%%i
  set encrypted_base64_iv=%%j
  set encrypted_string=%%k
)

@rem encrypts the given secret using an Agent's X.509 certificate
@rem consider that for Windows Shell all arguments have to be quoted
@rem output includes the symmetric key, initialization vector and encrypted string separated by space that are passed to environment variables

Encrypting

...

File using Windows Shell

Example for Encryption using Windows Shell

call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%TEMP%\secret.txt" "--outfile=%TEMP%\secret.txt.encrypted"

for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
  set encrypted_symmetric_key=%%i
  set encrypted_base64_iv=%%j
  set encrypted_file=%%k
)

@rem encrypts the given file using an Agent's X.509 certificate
@rem consider that for Windows Shell all arguments have to be quoted
@rem output is available from the JS7_ENCRYPT_VALUE environment variable
@rem output includes the symmetric key, initialization vector and encrypted file separated by space that are passed to environment variables

...

Usage:

Usage: js7_decrypt.cmd [Options] [Switches]

  Options:
     --key=<path>                  | path to private key file for decryption.
     --iv=<initialization-vector>  | base64 encoded initialization vector (returned by encryption).
     --encrypted-key=<key>         | base64 encoded encrypted symmetric key (returned by encryption).
     --in=<encrypted-secret>       | encrypted secret to decrypt (returned by encryption).
     --infile=<path-to-file>       | path to encrypted input file.
     --outfile=<path-to-file>      | path to decrypted output file.

  Switches:
     -h | --help                   | displays usage

...

  • --key
    • Specifies the path to the private key file that matches the X.509 certificate or public key used for previous encryption.
  • --iv
    • Specifies the base64 encoded initialization vector as returned during encryption.
  • --encrypted-key
    • Specifies the base64 encoded, encrypted symmetric key as returned during encryption.
  • --in
    • Specifies the encrypted value that should be decrypted.
    • One of the options --in or --infile has to be specified.
  • --infile
    • Specifies the path to an encrypted file that should be decrypted.
    • One of the options --in or --infile has to be specified.
    • This option requires use of the --outfile option.
  • --outfile
    • Specifies the path to the output file that will be created holding the decrypted content of the input file.
    • The option is used if the --infile option is specified.

Switches

  • -h | --help
    • Displays usage.

...

The following examples illustrate typical use cases.

Decrypting

...

Secret using Windows Shell

Example for Decryption using Windows Shell

@call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--in=%encrypted_string%"
@echo %JS7_DECRYPT_VALUE%

@rem decrypts the encrypted secret using an Agent's private key
@rem consider that for Windows Shell all arguments have to be quoted
@rem the JS7_DECRYPT_VALUE environment variable is automatically created and holds the decrypted secret

Decrypting

...

File using Windows Shell

Example for Decryption using Windows Shell

@call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--infile=%encrypted_file%" "--outfile=%TEMP%\secret.txt.decrypted"
@echo %JS7_DECRYPT_FILE%

@rem decrypts the given encrypted file using an Agent's X509 private key
@rem consider that for Windows Shell all arguments have to be quoted
@rem output includes the path to the decrypted file that is provided from the JS7_DECRYPT_FILE environment variable
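
The encryption and decryption examples above combined into one round trip, as an added example that is not part of the original page. It assumes agent.crt and agent.key are a matching pair and that the scripts live in .\bin as in the examples above; the value secret is constructed and the label :incomplete is hypothetical.

```bat
@echo off
rem Added example, not from the JS7 documentation.
rem setlocal keeps the key material and the decrypted secret out of the
rem calling session: all variables set below are discarded when the script ends.
setlocal

rem clear any stale value so that an old result cannot pass for a new one
set "JS7_ENCRYPT_VALUE="
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"

rem assumption: a failed encryption leaves JS7_ENCRYPT_VALUE undefined
if not defined JS7_ENCRYPT_VALUE (
  echo encryption returned no value 1>&2
  exit /b 1
)

set "encrypted_symmetric_key="
set "encrypted_base64_iv="
set "encrypted_string="
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
  set "encrypted_symmetric_key=%%i"
  set "encrypted_base64_iv=%%j"
  set "encrypted_string=%%k"
)

rem decryption needs all three tokens; stop if one is missing
if not defined encrypted_symmetric_key goto :incomplete
if not defined encrypted_base64_iv goto :incomplete
if not defined encrypted_string goto :incomplete

set "JS7_DECRYPT_VALUE="
call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--in=%encrypted_string%"

rem the decrypted value has to match the constructed input
if not "%JS7_DECRYPT_VALUE%"=="secret" (
  echo round trip failed: decrypted value does not match the input 1>&2
  exit /b 1
)
echo round trip ok
exit /b 0

:incomplete
echo JS7_ENCRYPT_VALUE does not hold three space-separated tokens 1>&2
exit /b 1
```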


Further Resources

...