AES256
Decodes values encoded with AES-256 to enable passing encrypted values to connectors.
Secrets will only be reloaded if the Connector restarts.
Add the plugin to the worker classloader isolation via the plugin.path option:
The provider gets AES-256 encrypted value as a key and simply decrypts it to get the value (instead of e.g. looking up for the value somewhere).
The AES-256 encryption used for the value needs to be prefixed with base64 encoded initialisation vector and a space character, the encrypted value is also base64 encoded. So to corretly encrypt value1
I need to follow following steps:
encrypted-bytes
= aes-256 encryptedvalue1
encrypted-base64
= base64encrypted-bytes
initialisation-vector
= random bytesiv-base64
= base64initialisation-vector
encrypted-value
=iv-base64
+ +encrypted-base64
Configuring the plugin
The plugin needs to be configured with secret key that will be used for decoding. The key is a string and needs to have size of 32 bytes (UTF-8 encoded).
Name | Description | Default |
---|---|---|
aes256.key | Secret key used for encrypting and decrypting the value. String of 32 bytes. |
Example worker properties file:
Usage
To use this provider in a connector, reference the keyvault containing the secret and the key name for the value of the connector property.
The indirect reference is in the form ${provider:path:key} where:
provider is the name of the provider in the worker property file set above
path used to provide encoding of the value: utf8, utf8_file, base64, base64_file
key is the AES-256 encrypted value to be decrypted by the plugin
For example, if hello
aes-256 encrypted using some key equals to xyxyxy
- then if I configure connector to use ${aes256::xyxyxy}
for a parameter value, the value should be substituted with “hello” string:
This would resolve at runtime to:
path
belonging to key reference is used to specify encoding used to pass the value. The provider supports following encodings:
base64: base-64 encoding of the textual value
base64_file: base-64 encoding of the value that when decrypted should be stored in the file
utf8_file: utf-8 encoding of the value that when decrypted should be stored in the file
utf8: utf-8 encoding of textual value
The UTF8 means the value returned is the decrypted value of the encrypted value (key). The BASE64 means the value returned is the base64 decoded decrypted value of the encrypted value (key).
If the value for the encoding is UTF8_FILE the string contents are written to a file. The name of the file will be randomply generated. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.
If the value for the encoding is BASE64_FILE the string contents are based64 decoded and written to a file. The name of the file will be randomply generated. For example, if a connector needs a PEM file on disk, set this as the path as BASE64_FILE. The file location is determined by the file.dir configuration option given to the provider via the Connect worker.properties file.
If the key reference path is not set or is set to unknown value - utf8 encoding is used as default.
For example, if we want to save hi there !
to the file, and aes-256 encrypted content equals xyxyxy
- then if I configure connector to use ${aes256:utf8_file:xyxyxy}
for a parameter value, the provider will create new file with random name (abc-def-ghi
) and store hi there !
to the file. If configured store directory is /store-root
, he value will be substituted with /store-root/secrets/abc-def-ghi
string:
resolves to
Last updated