Automation: Including Encrypted Passwords in Recipes

Learn how to generate encrypted passwords and use them in recipe files.

For general information about using automation recipes, and simple examples to get you started, refer to the files below.

Note: Automation is valid for Linux only. It is not valid for Windows at this time.

Overview

Recipes often need credentials such as database passwords. Encrypt these values rather than storing them in plain text in recipe or properties files.

Automation functionality includes an encryption feature that uses a secret directive to indicate that a value is encrypted. An encrypted value is decrypted at execution time using the key stored in the secrets file.

The basic steps are:

  1. Create an encryption key and store it in a file. For example, the command below creates an encryption key and stores it in a file named secret.key:
    ./jython.sh -m akana.secrets --keygen --secrets-file secret.key
  2. Encrypt a value, or a set of values, that will be used in executing a recipe using the generated key. For example:
    ./jython.sh -m akana.secrets --encrypt --secrets-file secret.key "some value"

    This prints the encrypted value to the console; for example:

    secret:some_hash
  3. Use the encrypted value in a properties file.

Creating the encryption key

To create an encryption key, use the following command:

./jython.sh -m akana.secrets --keygen --secrets-file secret.key

In the above:

  • akana.secrets is the name of the automation module that supports managing encryption in automation recipes.
  • --keygen is the option to generate the encryption key.
  • --secrets-file specifies the user-defined name of the file where the encryption key is stored (in this case, secret.key).

Encrypting a value

To encrypt a value, use the following command:

./jython.sh -m akana.secrets --encrypt --secrets-file secret.key "some value"

In the above:

  • akana.secrets is the name of the automation module that supports managing encryption in automation recipes.
  • --encrypt is the option to encrypt a value.
  • --secrets-file specifies the user-defined name of the file where the encryption key is stored (in this case, secret.key).

    Note: As an alternative to --secrets-file, you could use: -s {filename}.

  • "some value" is the value to be encrypted.

Using the encrypted value in a properties file

Let's say you need to configure automation recipes with encryption, and there are two passwords: one for database administration and one for the database schema.

The default recipes include the following:

"name":"set.database.options",
"properties":{
  "admin.username":"${DB_ADMIN_USERNAME|root}",
  "admin.password":"${DB_ADMIN_PASSWORD|password}",
  "user":"${DB_USERNAME|user123}",
  "password":"${DB_PASSWORD|password}",

In this scenario, the DB_ADMIN_PASSWORD and DB_PASSWORD values would be encrypted separately using the same key file.

For example, for this recipe variable:

${DB_ADMIN_PASSWORD}

The entry in the properties file might be:

DB_ADMIN_PASSWORD=secret:VdRdHt61SENlNrufQw2maonU9jZEcNMrprE5L_HDBrE
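
A pre-deployment check for the scenario above, as an added example (not part of the product or its documentation): it flags password-like entries in a properties file that do not carry the secret: prefix, and password variables the recipe references that the properties file leaves unset. It assumes that the text after | in ${NAME|value} is a fallback used when the variable is unset, that the properties file is plain KEY=VALUE lines with # comments, and that sensitive variables can be recognized by name; the function names and sample input are constructed for illustration.

```python
import re

SECRET_PREFIX = "secret:"  # prefix shown in the encrypt command's output
SENSITIVE = re.compile(r"PASSWORD|SECRET|TOKEN", re.I)  # assumed naming heuristic
PLACEHOLDER = re.compile(r"\$\{(\w+)(?:\|([^}]*))?\}")  # ${NAME} or ${NAME|fallback}

def parse_props(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(props_text, recipe_text):
    """Return sorted (variable, problem) findings for unencrypted secrets."""
    props = parse_props(props_text)
    findings = []
    for key, value in props.items():
        # Never echo the offending value itself, only the variable name.
        if SENSITIVE.search(key) and not value.startswith(SECRET_PREFIX):
            findings.append((key, "plaintext value in properties file"))
    for name, fallback in PLACEHOLDER.findall(recipe_text):
        if SENSITIVE.search(name) and name not in props and fallback:
            findings.append((name, "not set; recipe falls back to literal %r" % fallback))
    return sorted(set(findings))

# Constructed sample input: DB_PASSWORD is deliberately missing from the properties.
SAMPLE_PROPS = """\
# constructed example properties file
DB_ADMIN_USERNAME=root
DB_ADMIN_PASSWORD=secret:VdRdHt61SENlNrufQw2maonU9jZEcNMrprE5L_HDBrE
DB_USERNAME=user123
"""
SAMPLE_RECIPE = '''
"admin.username":"${DB_ADMIN_USERNAME|root}",
"admin.password":"${DB_ADMIN_PASSWORD|password}",
"user":"${DB_USERNAME|user123}",
"password":"${DB_PASSWORD|password}",
'''

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_PROPS, SAMPLE_RECIPE):
        print("%s: %s" % (name, problem))
```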

Executing a recipe with encrypted properties

Once you've generated the encrypted passwords and updated the properties file with the encrypted values, you'll need to pass the key file when executing a recipe with encrypted properties.

An example is shown below.

/opt/akana/bin/jython.sh -m akana.container --secrets-file=secret.key --recipe <recipe name> --props <properties file>

In the above:

  • --secrets-file specifies the user-defined name and path for the file where the encryption key is stored (in this case, secret.key).
  • --recipe <recipe name> is the recipe filename and path.
  • --props <properties file> is the properties file for the recipe.