JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 19

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 20

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The preferred solution with JS7 is use of asymmetric keys:

  • JS7 - Encryption and decryption is Decryption can be performed directly by scripts that can be are used outside of JS7 products or by related jobs.
  • No JS7 product is directly involved in encryption/decryption as otherwise the JS7 product would know the keys involved that potentially could be compromised by logging, database persistence etc.
  • Performing encryption/decryption by jobs limits the attack surface to the OS process executing the job. The job implementation is controlled by the user who can verify secure operation.

...

Encryption and decryption use asymmetric keys like this:

...

, for details see JS7 - Encryption and Decryption:

Encryption

Use with Variables

The value of a variable can be encrypted using scripts:

When executed from jobs then the encrypted secret can be stored to a variable that is made available to later jobs in the workflow.


Graphviz
templateGraphvizSubgraphs
digraph structs {
    compound=true;
    rankdir=LR;

    Secret [label="   Secret   ",style="filled",fillcolor="lightskyblue"]
    Encrypted_Secret [label="   Encrypted Secret      Variable holding Encrypted Secret   ",style="filled",fillcolor="dodgerblue"]
    Certificate [shape="ellipse",label="Certificate / Public Key",style="filled",fillcolor="orange"]

    Encrypt [shape="rectangle",label="Script\njs7_encrypt.sh | .cmd",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"] 

    subgraph encrypt {
        label = "\n............................................. Encrypt .............................................\n\n";
        fontname="Arial";
        fontsize="12pt";

        Secret -> Encrypt; 
        Certificate -> Encrypt;
        Encrypt -> Encrypted_Secret [label="encrypt",fontname="Arial",fontsize="10pt"]; 
    }
}

Use with Job Resources

The value of a variable is encrypted and is stored to JS7 - Job Resources using scripts:

The Job Resource can be accessed by any jobs in the same or in other workflows.


Graphviz
templateGraphvizSubgraphs
digraph structs {
    compound=true;
    rankdir=LR;

    Secret [label="   Secret   ",style="filled",fillcolor="lightskyblue"]
    Encrypted_Secret [label="   Job Resource Variable holding Encrypted Secret   ",style="filled",fillcolor="dodgerblue"]
    Certificate [shape="ellipse",label="Certificate / Public Key",style="filled",fillcolor="orange"]

    Encrypt [shape="rectangle",label="Script\njs7_set_job_resource.sh | .cmd",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"] 

    subgraph encrypt {
        label = "\n............................................. Encrypt .............................................\n\n";
        fontname="Arial";
        fontsize="12pt";

        Secret -> Encrypt; 
        Certificate -> Encrypt;
        Encrypt -> Encrypted_Secret [label="encrypt",fontname="Arial",fontsize="10pt"]; 
    }
}

Decryption

Encrypted secrets are made available from variables. This similarly works for variables that are created by predecessor jobs on the fly and by Job Resources. Workflow variables are made available from OS environment variables.

Graphviz
templateGraphvizSubgraphs
digraph structs {
    compound=true;
    rankdir=LR;

    Encrypted_Secret [label="   Encrypted Secret      Variable holding Encrypted Secret   ",style="filled",fillcolor="dodgerblue"]
    Decrypted_Secret [label="   Secret     Secret   ",style="filled",fillcolor="lightskyblue"]
    PrivateKey [shape="ellipse",label="Private Key",style="filled",fillcolor="orange"]

    Decrypt [shape="rectangle",label="Script\njs7_decrypt.sh | .cmd",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"] 
 
      subgraph decrypt {
        label = "\n............................................. Decrypt .............................................\n\n";
        fontname="Arial";
        fontsize="12pt";

        Encrypted_Secret -> Decrypt;
        PrivateKey -> Decrypt;
        Decrypt -> Decrypted_Secret [label="decrypt",fontname="Arial",fontsize="10pt"];
    }
}

...

  • Consider the parties involved and related use cases:
    • A job executed on Agent A
    • should be parameterized by a variable holding a secret.
    • A job executed on Agent B retrieves a secret that should be forwarded to a job on Agent A and possibly to other Agents too.
  • Use of asymmetric keys allows 
    • to create and to store a private key on Agent A.
    • to use Agent A's public key on Agent B or any other system involved.
    • to manage encryption and decryption like this:
      • create a symmetric one-time key and an encrypted copy of the key derived from Agent A's public key.
      • encrypt the value of a variable value with the one-time key.
      • drop the one-time key and forward the encrypted copy of the one-time key and the variable holding the encrypted value to Agent A.
      • only Agent A will be able to decrypt the encrypted one-time key using its private key which reveals the symmetric key required to decrypt the variable's value.

...