...
The solution ships with JS7 Agents that can use encryption/decryption from shell jobs.
In addition, the solution is provided for download to perform encryption and decryption outside of JS7 products.
- Download: JS7 - Download
- The solution is available for Linux, MacOS®, AIX® using bash, zsh, dash shell, see JS7 - How to encrypt and decrypt Variables using Unix Shell 2
- The solution is available for Windows® Shell.
Encryption
Usage
Invoking the script without arguments displays the usage clause:
...
```
Usage: js7_encrypt.cmd [Options] [Switches]

  Options:
    --cert=<path-to-certificate>  | path to X.509 certificate or public key file used to encrypt the secret.
    --in=<secret>                 | secret that should be encrypted.
    --infile=<path-to-file>       | path to input file.
    --outfile=<path-to-file>      | path to output file that should be encrypted.

  Switches:
    -h | --help                   | displays usage
```
...
--cert
- Specifies the path to a file that holds the CA signed or self-signed X.509 certificate. Alternatively the path to a file holding the public key can be specified.
--in
- Specifies the input value that should be encrypted, typically a secret.
- One of the options --in or --infile has to be specified.
--infile
- Specifies the path to the input file that should be encrypted.
- One of the options --in or --infile has to be specified.
- This option requires use of the --outfile option.
--outfile
- Specifies the path to the output file that will be created holding the encrypted content of the input file.
- The option is used if the --infile option is specified.
Switches
-h | --help
- Displays usage.
...
The following examples illustrate typical use cases.
Encrypting
...
Secret using Windows Shell
```
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
    set encrypted_symmetric_key=%%i
    set encrypted_base64_iv=%%j
    set encrypted_string=%%k
)

@rem encrypts the given secret using an Agent's X.509 certificate
@rem consider that for Windows Shell all arguments have to be quoted
@rem output includes the symmetric key, initialization vector and encrypted string separated by space that are passed to environment variables
```
Encrypting
...
File using Windows Shell
```
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%TEMP%\secret.txt" "--outfile=%TEMP%\secret.txt.encrypted"
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
    set encrypted_symmetric_key=%%i
    set encrypted_base64_iv=%%j
    set encrypted_file=%%k
)

@rem encrypts the given file using an Agent's X.509 certificate
@rem consider that for Windows Shell all arguments have to be quoted
@rem output is available from the JS7_ENCRYPT_VALUE environment variable
@rem output includes the symmetric key, initialization vector and encrypted file separated by space that are passed to environment variables
```
...
```
Usage: js7_decrypt.cmd [Options] [Switches]

  Options:
    --key=<path>                  | path to private key file for decryption.
    --iv=<initialization-vector>  | base64 encoded initialization vector (returned by encryption).
    --encrypted-key=<key>         | base64 encoded encrypted symmetric key (returned by encryption).
    --in=<encrypted-secret>       | encrypted secret to decrypt (returned by encryption).
    --infile=<path-to-file>       | path to encrypted input file.
    --outfile=<path-to-file>      | path to decrypted output file.

  Switches:
    -h | --help                   | displays usage
```
...
--key
- Specifies the path to the private key file that matches the X.509 certificate or public key used for previous encryption.
--iv
- Specifies the base64 encoded initialization vector as returned during encryption.
--encrypted-key
- Specifies the base64 encoded, encrypted symmetric key as returned during encryption.
--in
- Specifies the encrypted value that should be decrypted.
- One of the options --in or --infile has to be specified.
--infile
- Specifies the path to an encrypted file that should be decrypted.
- One of the options --in or --infile has to be specified.
- This option requires use of the --outfile option.
--outfile
- Specifies the path to the output file that will be created holding the decrypted content of the input file.
- The option is used if the --infile option is specified.
Switches
-h | --help
- Displays usage.
...
The following examples illustrate typical use cases.
Decrypting
...
Secret using Windows Shell
```
@call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--in=%encrypted_string%"
@echo %JS7_DECRYPT_VALUE%

@rem decrypts the encrypted secret using an Agent's private key
@rem consider that for Windows Shell all arguments have to be quoted
@rem the JS7_DECRYPT_VALUE environment variable is automatically created and holds the decrypted secret
```
Decrypting
...
File using Windows Shell
```
@call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--infile=%encrypted_file%" "--outfile=%TEMP%\secret.txt.decrypted"
@echo %JS7_DECRYPT_FILE%

@rem decrypts the given encrypted file using an Agent's X509 private key
@rem consider that for Windows Shell all arguments have to be quoted
@rem output includes the path to the decrypted file that is provided from the JS7_DECRYPT_FILE environment variable
```
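The following round trip is an added example, not part of the JS7 documentation. It combines the secret encryption and decryption calls above and adds the checks that matter when results are passed through environment variables: stale values are cleared before each call, the three tokens are validated, and `setlocal` keeps the decrypted secret out of the calling shell. It assumes `agent.crt` and `agent.key` as in the examples above, and it does not assume that the scripts clear their result variables on failure.

```batch
@echo off
@rem added example: encrypt/decrypt round trip with validation
@rem setlocal limits all variables, including the decrypted secret, to this script
setlocal

@rem clear a result possibly left over from an earlier call
set "JS7_ENCRYPT_VALUE="
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"
if not defined JS7_ENCRYPT_VALUE (
    echo encryption returned no value 1>&2
    exit /b 1
)

@rem split the result into symmetric key, initialization vector and encrypted string
set "encrypted_symmetric_key="
set "encrypted_base64_iv="
set "encrypted_string="
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
    set "encrypted_symmetric_key=%%i"
    set "encrypted_base64_iv=%%j"
    set "encrypted_string=%%k"
)
@rem the third token is only set if all three values were returned
if not defined encrypted_string (
    echo expected three space separated values from encryption 1>&2
    exit /b 1
)

set "JS7_DECRYPT_VALUE="
call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--in=%encrypted_string%"
if not defined JS7_DECRYPT_VALUE (
    echo decryption returned no value 1>&2
    exit /b 1
)

@rem compare without printing the decrypted secret
if not "%JS7_DECRYPT_VALUE%"=="secret" (
    echo round trip mismatch 1>&2
    exit /b 1
)
echo round trip ok
exit /b 0
```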
Further Resources
...