Introduction
Jobs might require variables for parameterization that hold secrets. We find a number of requirements for management of such variables, see JS7 - How to encrypt and decrypt Variables
The preferred solution with JS7 is to use asymmetric keys:
- Encryption and decryption can be performed directly by related jobs.
- Encryption and decryption can be performed outside of JS7 products.
- This includes that JS7 products have no knowledge of secret keys involved that potentially could be compromised by logging, database persistence etc.
Download
The solution ships with JS7 Agents that can use encyption/decryption from shell jobs.
In addition, the solution is provided for download to perform encryption and decryption outside of JS7 products.
- Download: JS7 - Download
- The solution is available for Linux, MacOS®, AIX® using bash, zsh, dash shell, see JS7 - How to encrypt and decrypt Variables using Unix Shell 2
- The solution is available for Windows® Shell.
Encryption
Usage
Invoking the script without arguments displays the usage clause:
Usage
Usage: js7_encrypt.cmd [Options] [Switches]
Options:
--cert=<path-to-certificate> | path to X.509 certificate or public key file used to encrypt the secret.
--in=<secret> | secret that should be encrypted.
--infile=<path-to-file> | path to input file.
--outfile=<path-to-file> | path to output file that should be encrypted.
Switches:
-h | --help | displays usage
Options
--cert- Specifies the path to a file that holds the CA signed or self-signed X.509 certificate. Alternatively the path to a file holding the public key can be specified.
--in- Specifies the input value that should be encrypted, typically a secret.
- One of the options
--inor--infilehas to be specified.
--infile- Specifies the path to the input file that should be encrypted.
- One of the options
--inor--infilehas to be specified. - This option requires use of the
--outfileoption.
--outfile- Specifies the path to the output file that will be created holding the encrypted content of the input file.
- The option is used if the
--infileoption is specified.
Switches
-h | --help- Displays usage.
Exit Codes
1: argument errors2: processing errors
Examples
The following examples illustrate typical use cases.
Encrypting Secret using Windows Shell
Example for Encryption using Windows Shell
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
set encrypted_symmetric_key=%%i
set encrypted_base64_iv=%%j
set encrypted_string=%%k
)
@rem encrypts the given secret using an Agent's X.509 certificate
@rem consider that for Windows Shell all arguments have to be quoted
@rem output includes the symmetric key, initialization vector and encrypted string separated by space that are passed to environment variables
Encrypting File using Windows Shell
Example for Encryption using Windows Shell
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%TEMP%\secret.txt" "--outfile=%TEMP%\secret.txt.encrypted"
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
set encrypted_symmetric_key=%%i
set encrypted_base64_iv=%%j
set encrypted_file=%%k
)
@rem encrypts the given file using an Agent's X.509 certificate
@rem consider that for Windows Shell all arguments have to be quoted
@rem output is available from the JS7_ENCRYPT_VALUE environment variable
@rem output includes the symmetric key, initialization vector and encrypted file separated by space that are passed to environment variables
Decryption
Usage
Invoking the script without arguments displays the usage clause:
Usage
Usage: js7_decrypt.cmd [Options] [Switches]
Options:
--key=<path> | path to private key file for decryption.
--iv=<initialization-vector> | base64 encoded initialization vector (returned by encryption).
--encrypted-key=<key> | base64 encoded encrypted symmetric key (returned by encryption).
--in=<encrypted-secret> | encrypted secret to decrypt (returned by encryption).
--infile=<path-to-file> | path to encrypted input file.
--outfile=<path-to-file> | path to decrypted output file.
Switches:
-h | --help | displays usage
Options
--key- Specifies the path to a the private key file that matches the X.509 certificate or public key used for previous encryption.
--iv- Specifies the base64 encoded initialization vector as retured during encryption.
--encrypted-key- Specifies the base64 encoded, encrypted symmetric key as retured during encryption.
--in- Specifies the encrypted value that should be decrypted.
- One of the options
--inor--infilehas to be specified.
--infile- Specifies the path to an encrypted file that should be decrypted.
- One of the options
--inor--infilehas to be specified. - This option requires use of the
--outfileoption.
--outfile- Specifies the path to the output file that will be created holding the decrypted content of the input file.
- The option is used if the
--infileoption is specified.
Switches
-h | --help- Displays usage.
Exit Codes
1: argument errors2: processing errors
Examples
The following examples illustrate typical use cases.
Decrypting Secret using Windows Shell
Example for Decryption using Windows Shell
@call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--in=%encrypted_string%" @echo %JS7_DECRYPT_VALUE% @rem decrypts the encrypted secret using an Agent's private key @rem consider that for Windows Shell all arguments have to be quoted @rem the JS7_DECRYPT_VALUE environment variable is automatically created and holds the decrypted secret
Decrypting File using Windows Shell
Example for Decryption using Windows Shell
@call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypted_base64_iv%" "--encrypted-key=%encrypted_symmetric_key%" "--infile=%encrypted_file%" "--outfile=%TEMP%\secret.txt.decrypted" @echo %JS7_DECRYPT_FILE% @rem decrypts the given encrypted file using an Agent's private key @rem consider that for Windows Shell all arguments have to be quoted @rem output includes the path to the decrypted file that is provided from the JS7_DECRYPT_FILE environment variable
Further Resources
Overview
Content Tools