Introduction
Jobs might require variables for parameterization that hold secrets. A number of requirements apply to the management of such variables, see JS7 - How to encrypt and decrypt Variables.
Download
The solution ships with JS7 Agents that can use encryption/decryption from shell jobs.
- Download: JS7 - Download
- The solution is available for Linux, MacOS®, AIX® using bash, zsh, dash shell, see JS7 - How to encrypt and decrypt Variables using Unix Shell 2
- The solution is available for Windows® Shell.
Encryption
Usage
Invoking the script without arguments displays the usage clause:
    Usage: js7_encrypt.cmd [Options] [Switches]
    Options:
        --cert=<path-to-certificate> | path to X.509 certificate or public key file used to encrypt the secret.
        --in=<secret>                | secret that should be encrypted.
        --infile=<path-to-file>      | path to input file.
        --outfile=<path-to-file>     | path to output file that should be encrypted.
    Switches:
        -h | --help                  | displays usage
Options
--cert
- Specifies the path to a file that holds the CA signed or self-signed X.509 certificate. Alternatively the path to a file holding the public key can be specified.
--in
- Specifies the input value that should be encrypted, typically a secret.
- One of the options --in or --infile has to be specified.
--infile
- Specifies the path to the input file that should be encrypted.
- One of the options --in or --infile has to be specified.
- This option requires use of the --outfile option.
--outfile
- Specifies the path to the output file that will be created holding the encrypted content of the input file.
- The option is used if the --infile option is specified.
Switches
-h | --help
- Displays the usage clause.
Exit Codes
1: argument errors
2: processing errors
Examples
The following examples illustrate typical use cases.
Encrypting Secret using Windows Shell
Example for Encryption using Windows Shell:

    call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"
    for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
        set encrypted_symmetric_key=%%i
        set encrypted_base64_iv=%%j
        set encrypted_string=%%k
    )
    @rem encrypts the given secret using an Agent's X.509 certificate
    @rem consider that for Windows Shell all arguments have to be quoted
    @rem output is available from the JS7_ENCRYPT_VALUE environment variable
    @rem output includes the encrypted symmetric key, initialization vector and encrypted string separated by space that are passed to environment variables
Encrypting File using Windows Shell
Example for Encryption using Windows Shell:

    call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%TEMP%\secret.txt" "--outfile=%TEMP%\secret.txt.encrypted"
    for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
        set encrypted_symmetric_key=%%i
        set encrypted_base64_iv=%%j
        set encrypted_file=%%k
    )
    @rem encrypts the given file using an Agent's X.509 certificate
    @rem consider that for Windows Shell all arguments have to be quoted
    @rem output is available from the JS7_ENCRYPT_VALUE environment variable
    @rem output includes the encrypted symmetric key, initialization vector and path to the encrypted file separated by space that are passed to environment variables
Decryption
Usage
Invoking the script without arguments displays the usage clause:
    Usage: js7_decrypt.cmd [Options] [Switches]
    Options:
        --key=<path>                     | path to private key file for decryption.
        --iv=<initialization-vector>     | base64 encoded initialization vector (returned by encryption).
        --encrypted-key=<key>            | base64 encoded encrypted symmetric key (returned by encryption).
        --in=<encrypted-secret>          | encrypted secret to decrypt (returned by encryption).
        --infile=<path-to-file>          | path to encrypted input file.
        --outfile=<path-to-file>         | path to decrypted output file.
    Switches:
        -h | --help                      | displays usage
Options
--key
- Specifies the path to the private key file that matches the X.509 certificate or public key used for previous encryption.
--iv
- Specifies the base64 encoded initialization vector as returned during encryption.
--encrypted-key
- Specifies the base64 encoded, encrypted symmetric key as returned during encryption.
--in
- Specifies the encrypted value that should be decrypted.
- One of the options --in or --infile has to be specified.
--infile
- Specifies the path to an encrypted file that should be decrypted.
- One of the options --in or --infile has to be specified.
- This option requires use of the --outfile option.
--outfile
- Specifies the path to the output file that will be created holding the decrypted content of the input file.
- The option is used if the --infile option is specified.
Switches
-h | --help
- Displays the usage clause.
Exit Codes
1: argument errors
2: processing errors
Examples
The following examples illustrate typical use cases.
Decrypting Secret using Windows Shell
Example for Decryption using Windows Shell:

    @call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--in=%encrypted_string%"
    @echo %JS7_DECRYPT_VALUE%
    @rem decrypts the encrypted secret using an Agent's private key
    @rem consider that for Windows Shell all arguments have to be quoted
    @rem the JS7_DECRYPT_VALUE environment variable is automatically created and holds the decrypted secret
    @rem note that echoing JS7_DECRYPT_VALUE writes the plaintext secret to the job's log; do this for testing only and otherwise pass the variable to the consuming command directly
Decrypting File using Windows Shell
Example for Decryption using Windows Shell:

    @call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--infile=%encrypted_file%" "--outfile=%TEMP%\secret.txt.decrypted"
    @echo %JS7_DECRYPT_FILE%
    @rem decrypts the given encrypted file using an Agent's private key
    @rem consider that for Windows Shell all arguments have to be quoted
    @rem output includes the path to the decrypted file that is provided from the JS7_DECRYPT_FILE environment variable
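The four examples above are fragments. As an added example (not taken from the JS7 documentation or the JS7 project), the following job script ties them together into a complete round trip: it encrypts a secret and a file, checks the documented exit codes (1 for argument errors, 2 for processing errors) after every call, decrypts with the matching private key and verifies the result without echoing the plaintext to the job log. It assumes that the job's working directory is the Agent's home directory so that .\bin\ resolves, that agent.crt and agent.key are a matching certificate and private key, that the scripts report their exit codes as ERRORLEVEL, and that the demo secret contains no cmd metacharacters (quotes, percent signs, exclamation marks, ampersands, redirection characters), which would need escaping in a real job.

```batch
@echo off
rem Added example, not part of the JS7 documentation or the JS7 product: a shell job that
rem round-trips a secret and a file through js7_encrypt.cmd and js7_decrypt.cmd, checks the
rem documented exit codes (1: argument errors, 2: processing errors) and keeps the plaintext
rem out of the job log.
rem Assumptions: the working directory is the Agent's home directory so that .\bin\ resolves,
rem agent.crt and agent.key are a matching certificate and private key, the scripts report
rem their exit codes as ERRORLEVEL, and the demo secret contains no cmd metacharacters
rem (quotes, percent signs, exclamation marks, ampersands, redirection characters).
setlocal

set "SECRET=s3cr3t-db-password"
set "PLAINFILE=%TEMP%\secret.txt"
set "ENCFILE=%TEMP%\secret.txt.encrypted"
set "DECFILE=%TEMP%\secret.txt.decrypted"

rem ---- 1. encrypt the secret; for Windows Shell every argument is quoted
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=%SECRET%"
if errorlevel 2 ( echo encryption failed: processing error & exit /b 2 )
if errorlevel 1 ( echo encryption failed: argument error & exit /b 1 )

rem JS7_ENCRYPT_VALUE holds "<encrypted symmetric key> <base64 iv> <encrypted string>"
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
    set "encrypted_symmetric_key=%%i"
    set "encrypted_base64_iv=%%j"
    set "encrypted_string=%%k"
)
if not defined encrypted_string ( echo unexpected JS7_ENCRYPT_VALUE format & exit /b 2 )
rem the three encrypted values may be logged or stored in a job variable; the plaintext may not
echo encrypted secret: %encrypted_string%

rem ---- 2. decrypt with the matching private key and verify without echoing the plaintext
call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--in=%encrypted_string%"
if errorlevel 1 ( echo decryption failed with exit code %ERRORLEVEL% & exit /b %ERRORLEVEL% )
if not "%JS7_DECRYPT_VALUE%"=="%SECRET%" ( echo decrypted secret does not match & exit /b 2 )
echo secret round trip OK

rem ---- 3. same for a file: encrypt to --outfile, decrypt to --outfile, compare byte-wise
rem (writing the plaintext to TEMP is for the demo only; in a real job the file already exists)
> "%PLAINFILE%" echo %SECRET%
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%PLAINFILE%" "--outfile=%ENCFILE%"
if errorlevel 1 ( echo file encryption failed with exit code %ERRORLEVEL% & exit /b %ERRORLEVEL% )
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
    set "encrypted_symmetric_key=%%i"
    set "encrypted_base64_iv=%%j"
    set "encrypted_file=%%k"
)
call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--infile=%encrypted_file%" "--outfile=%DECFILE%"
if errorlevel 1 ( echo file decryption failed with exit code %ERRORLEVEL% & exit /b %ERRORLEVEL% )
fc /b "%PLAINFILE%" "%DECFILE%" >nul
if errorlevel 1 ( echo decrypted file differs from original & exit /b 2 )
echo file round trip OK, decrypted copy: %JS7_DECRYPT_FILE%

rem remove the plaintext copies; the encrypted file can be kept or handed to another job
del "%PLAINFILE%" "%DECFILE%"
rem endlocal discards JS7_DECRYPT_VALUE and the other variables so the plaintext does not
rem survive in the environment of anything started after this script
endlocal
exit /b 0
```

The exit-code checks are ordered from high to low because `if errorlevel N` matches any ERRORLEVEL greater than or equal to N. Delayed expansion is deliberately left off: with it enabled, any exclamation mark inside the secret would be consumed during variable expansion and the round trip would silently produce a different value.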
Further Resources