Introduction

Jobs may be parameterized by variables that hold secrets. A number of requirements apply to the management of such variables:

...

  • JS7 - Encryption and Decryption is performed directly by scripts that can be used by jobs and equally outside of JS7 products.
  • No JS7 product is directly involved in encryption/decryption, as otherwise the product would know the keys involved, which could be compromised by logging, database persistence etc.
  • Performing encryption/decryption in jobs limits the attack surface to the OS process executing the job. The job implementation is controlled by the user, who can verify that it operates securely.

For creation of Encryption Keys see JS7 - How to create X.509 Encryption Keys.

Asymmetric Keys

Encryption and decryption use asymmetric keys; for details see JS7 - Encryption and Decryption:

Encryption

Use with Variables

The value of a variable can be encrypted using the js7_encrypt.sh|.cmd shell scripts or the Invoke-JS7Encrypt cmdlet:

...

Graphviz diagram:
digraph structs {
    compound=true;
    rankdir=LR;

    Secret [label="   Secret   ",style="filled",fillcolor="limegreen",fontname="Arial",fontsize="12pt"]
    Encrypted_Secret [label="   Variable holding Encrypted Secret   ",style="filled",fillcolor="dodgerblue",fontname="Arial",fontsize="12pt"]
    Certificate [shape="ellipse",label="Certificate / Public Key",style="filled",fillcolor="orange",fontname="Arial",fontsize="12pt"]

    Encrypt [shape="rectangle",label="Encrypt\njs7_encrypt.sh | .cmd\nInvoke-JS7Encrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"] 

    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        Secret -> Encrypt; 
        Certificate -> Encrypt;
        Encrypt -> Encrypted_Secret [label="encrypt",fontname="Arial",fontsize="10pt"]; 
    }
}

Use with Job Resources

The value of a variable is encrypted and stored in a JS7 - Job Resources entry using shell scripts or cmdlets:

...

Graphviz diagram:
digraph structs {
    compound=true;
    rankdir=LR;

    Secret [label="   Secret   ",style="filled",fillcolor="limegreen",fontname="Arial",fontsize="12pt"]
    Encrypted_Secret [label="   Job Resource Variable holding Encrypted Secret   ",style="filled",fillcolor="dodgerblue",fontname="Arial",fontsize="12pt"]
    Certificate [shape="ellipse",label="Certificate / Public Key",style="filled",fillcolor="orange",fontname="Arial",fontsize="12pt"]

    Encrypt [shape="rectangle",label="Encrypt\njs7_set_job_resource.sh\nSet-JS7-JobResource",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"] 

    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        Secret -> Encrypt; 
        Certificate -> Encrypt;
        Encrypt -> Encrypted_Secret [label="encrypt",fontname="Arial",fontsize="10pt"]; 
    }
}

Decryption

Encrypted secrets are made available to jobs from variables. This works equally for variables created on the fly by predecessor jobs and for variables from Job Resources. For shell jobs, workflow variables are made available as OS environment variables.

...

  • Consider the parties involved and related use cases:
    • A job executed on Agent A should be parameterized by a variable holding a secret.
    • A job executed on Agent B retrieves the secret, which should be forwarded to the job on Agent A and possibly to jobs on other Agents too.
  • Use of asymmetric keys allows
    • to create and to store a Private Key on Agent A only,
    • to use Agent A's Certificate or Public Key on Agent B or on any other system involved, as it holds nothing that has to be kept secret,
    • to manage encryption and decryption like this:
      • create a symmetric one-time key and encrypt a copy of it with Agent A's Certificate/Public Key,
      • encrypt the value of the variable with the one-time key,
      • drop the one-time key and forward the encrypted copy of the one-time key together with the variable holding the encrypted value to Agent A,
      • only Agent A is able to decrypt the encrypted one-time key using its Private Key, which yields the symmetric key required to decrypt the variable's value.
  • Find details from JS7 - Encryption and Decryption.
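As an added example that is not code from this page and not the js7_encrypt.sh|.cmd scripts or the Invoke-JS7Encrypt cmdlet, the following shell script carries the steps above through with the openssl CLI for both the Encryption and the Decryption sections: Agent B encrypts a value for Agent A using only Agent A's Public Key, the encrypted value is handed over as an OS environment variable in the way shell jobs receive workflow variables, and Agent A decrypts it with its Private Key. The key file names, the enc:<key>:<iv>:<ciphertext> layout of the encrypted value, the js7_demo_* function names and the sample secret are this example's own assumptions, not the JS7 format.

```shell
# Added example, not code from the JS7 page or the JS7 scripts/cmdlets:
# the hybrid scheme described above, done with the openssl CLI.
# Assumptions: the openssl command is available; key files, the
# "enc:<key>:<iv>:<ciphertext>" value layout and all names are this example's own.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# One-off setup per Agent: the Private Key never leaves the Agent; only the
# Public Key (in JS7 typically a Certificate) is copied to other systems.
js7_demo_create_keys() {
    name="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$name.key" 2>/dev/null
    openssl pkey -in "$WORKDIR/$name.key" -pubout -out "$WORKDIR/$name.pub"
}

# Encrypting side (Agent B): needs only the recipient's Public Key.
# Prints a single string suitable as the value of a workflow variable.
js7_demo_encrypt() {
    pubkey="$1"; plaintext="$2"
    # 1. symmetric one-time key (AES-256) and IV, as hex for openssl -K/-iv
    onetime_key="$(openssl rand -hex 32)"
    iv="$(openssl rand -hex 16)"
    # 2. encrypt the variable's value with the one-time key
    ciphertext="$(printf '%s' "$plaintext" \
        | openssl enc -aes-256-cbc -K "$onetime_key" -iv "$iv" \
        | openssl base64 -A)"
    # 3. encrypt a copy of the one-time key with the recipient's Public Key (RSA-OAEP)
    enc_key="$(printf '%s' "$onetime_key" \
        | openssl pkeyutl -encrypt -pubin -inkey "$pubkey" \
            -pkeyopt rsa_padding_mode:oaep \
        | openssl base64 -A)"
    # 4. drop the one-time key; only its encrypted copy travels with the value
    unset onetime_key
    printf 'enc:%s:%s:%s' "$enc_key" "$iv" "$ciphertext"
}

# Decrypting side (Agent A): needs its Private Key and the encrypted value,
# which a shell job reads from an environment variable.
js7_demo_decrypt() {
    privkey="$1"; value="$2"
    case "$value" in enc:*) ;; *) return 1 ;; esac
    rest="${value#enc:}"
    enc_key="${rest%%:*}"; rest="${rest#*:}"
    iv="${rest%%:*}"; ciphertext="${rest#*:}"
    # recover the one-time key; fails unless the matching Private Key is used
    onetime_key="$(printf '%s' "$enc_key" | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$privkey" \
            -pkeyopt rsa_padding_mode:oaep 2>/dev/null)" || return 1
    [ -n "$onetime_key" ] || return 1
    printf '%s' "$ciphertext" | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -K "$onetime_key" -iv "$iv" 2>/dev/null
}

# Walk-through: Agent B encrypts for Agent A; Agent A decrypts from its env var.
js7_demo_create_keys agent_a
js7_demo_create_keys agent_b
# constructed sample secret, as Agent B would obtain it from some source
DB_PASSWORD_ENC="$(js7_demo_encrypt "$WORKDIR/agent_a.pub" 'p@ss w0rd!')"
export DB_PASSWORD_ENC
# On Agent A the job sees $DB_PASSWORD_ENC as an OS environment variable:
js7_demo_decrypt "$WORKDIR/agent_a.key" "$DB_PASSWORD_ENC"; echo
```

A decryption attempt with any other Private Key (here Agent B's) fails at the RSA-OAEP step and the function returns a non-zero status, which is the property the list above relies on. The one-time key exists only inside the encrypting process and, briefly, inside the decrypting one; it is never persisted, and a fresh key and IV are drawn for every value, so encrypting the same secret twice yields different variable values.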
