Automatic Property Encryption
  • 30 Mar 2024

Overview

For most sensitive properties within IAP, it is no longer necessary to manually create secrets within Vault to handle encryption. Instead, if Vault is configured, these properties will be automatically encrypted. For example, to create a Vault secret for an IAP profile with a mongodb.password property, all that is required is to call the API to create the profile, or create the profile in the UI, and ensure that the mongodb.password property is filled out in plaintext. This property will not be stored in the database, but instead stored in Vault. Likewise, to update that password, such as when key rotation is needed, simply call the update API for profiles, or update it via the UI, with the plaintext password included in the request body.

Using $ENC or $SECRET syntax for these properties is heavily discouraged, as no "double encryption" will ever be performed on those properties.
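The following Python is an added illustration of the flow described above; it is not IAP code. It models the split the page describes: for a profile saved with plaintext sensitive properties, the plaintext goes to a secret store (an in-memory stand-in for Vault here), the persisted document keeps only a reference, a second save rotates the secret in place, and a value that already carries $ENC/$SECRET syntax is left untouched and flagged. The list of sensitive paths, the vault path layout and the `vaultRef` marker are assumptions, since the page does not give the propertiesDecorators.json format.

```python
import copy

# Auto-encrypted property paths, standing in for what propertiesDecorators.json would
# declare (its real format is not on the page; this list is an assumption).
SENSITIVE_PATHS = ("mongodb.password", "redisProps.password")
DISCOURAGED_PREFIXES = ("$ENC", "$SECRET")


class InMemoryVault:
    """Constructed stand-in for a Vault client: secret path -> plaintext."""

    def __init__(self):
        self._secrets = {}

    def write(self, path, value):
        self._secrets[path] = value  # create, or overwrite on rotation

    def read(self, path):
        return self._secrets[path]


def _locate(doc, dotted):
    """Return (parent dict, leaf key) for a dotted path, or (None, None) if absent."""
    parts = dotted.split(".")
    parent = doc
    for part in parts[:-1]:
        parent = parent.get(part)
        if not isinstance(parent, dict):
            return None, None
    return (parent, parts[-1]) if parts[-1] in parent else (None, None)


def save_profile(vault, name, properties):
    """Persist a profile: plaintext of sensitive paths goes to the vault, the stored
    document keeps only a reference. Returns (document_to_store, warnings)."""
    stored = copy.deepcopy(properties)
    warnings = []
    for path in SENSITIVE_PATHS:
        parent, key = _locate(stored, path)
        if parent is None:
            continue
        value = parent[key]
        if isinstance(value, str) and value.startswith(DISCOURAGED_PREFIXES):
            # Page rule: no double encryption; the marker is left as-is, so flag it.
            warnings.append(f"{path}: $ENC/$SECRET value is not auto-encrypted")
            continue
        vault_path = f"profiles/{name}/{path}"
        vault.write(vault_path, value)          # first save creates, later saves rotate
        parent[key] = {"vaultRef": vault_path}  # reference only, never the plaintext
    return stored, warnings


def leaks_plaintext(stored, secrets):
    """Defender's check on the document that is about to hit the database."""
    blob = repr(stored)
    return any(secret in blob for secret in secrets)
```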

Adapters

If an adapter has a property that will be automatically encrypted, this property will display in the form view as a value that is starred out (*****).

Figure 1: Adapter Configuration

If this property already exists, or is being edited, differently-styled stars will appear for the value. From this view it is not possible to see the value that is being typed.

Figure 2: Adapter Configuration Update

In the advanced view, it is possible to see the value being typed, although it will never be starred out if it already exists. Instead, it will display as an empty string regardless of the actual value. It will also appear with a different tooltip indicating that it is an encrypted property.

Figure 3: Adapter Configuration Advanced View

Integrations

If an integration has a property that will be automatically encrypted, this property will display in the form view as a starred out value. These encrypted properties are standardized based on the type of authentication used by the integration.

Figure 4: Integrations Configuration

If this property already exists, or is being edited, differently-styled stars will appear for the value. From this view it is not possible to see the value that is being typed.

Figure 5: Integrations Configuration Update

In the advanced view, it is possible to see the value being typed, although it will never be starred out if it already exists. Instead, it will always display as an empty string. It will also appear with a different tooltip indicating that it is an encrypted property.

Figure 6: Integrations Configuration Advanced View

Applications

Most Itential applications have no configurable properties and therefore no sensitive properties. Custom applications, however, can declare properties in propertiesDecorators.json that are always encrypted. These will appear the same way as adapter and integration properties in the Admin Essentials user interface.

Profiles

If a profile has a property that needs to be automatically encrypted, such as the redisProps password, it will display as a starred out value to indicate it is an encrypted property.

Figure 7: Profile Property Masking

If this property already exists, or is being edited, differently-styled stars will appear for the value. The difference is subtle, but it is the visual indication of a pre-configured secret versus a field that has not yet been configured with a secret. Please note that from this view it is not possible to see the value that is being typed.
