# create Private Key
openssl ecparam -name secp384r1 -genkey -noout -out encrypt.key

# create Certificate Signing Request, adjust the subject to your needs
openssl req -new -sha512 -nodes -key encrypt.key -out encrypt.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Encrypt"

# create Certificate, adjust the validity period to your needs
openssl x509 -req -sha512 -days 1825 -signkey encrypt.key -in encrypt.csr -out encrypt.crt -extfile <(printf "keyUsage=critical,keyEncipherment,keyAgreement\n")


# encrypt athe secret such as a passwordpassword "root" using the Certificate, the encryption result will be returned and will look like: enc:BEXbHYa...
MY_JS7_PASSWORD=$(./deploy-workflow.sh  encrypt --in="root" --cert=encrypt.crt)

# store the environment variable to your profile ($HOME/.bash_profile or similar) to make the encrypted password available to the shell
# export MY_JS7_PASSWORD=enc:BEXbHYa...


# options for connection to the JS7 REST API can specify the encryption result as password and the Private Key for decryption
request_options=(--url=http://localhost:4446 --user=root --password="enc:BEXbHYa...$MY_JS7_PASSWORD" --key=encrypt.key --controller-id=controller)

 # for example, when exporting workflows the Private Key is used to decrypt the password for access to the REST API on-the-fly
./deploy-workflow.sh export "${request_options[@]}" --file=export.zip --path=/ap/ap3jobs,/ap/Agent/apRunAsUser --type=WORKFLOW

# decrypt an encrypted secret using the Private Key
./deploy-workflow.sh decrypt --in="enc:BEXbHYa..." --key=encrypt.key