Inventory Encryption
Updated on 29 Mar 2024
Itential Automation Gateway (IAG) can now utilize local Fernet encryption and HashiCorp Vault for inventory passwords.
Local Encryption
Fernet encryption uses a 128-bit key to protect a password from being manipulated or read.
To enable local encryption, set the fernet_key value in the properties.yml file. You can use various methods to generate a Fernet key, as outlined in the section below. Once enabled, a password is encrypted when you update an existing device or create a new device. Existing passwords are not automatically encrypted.
The device types that support local encryption are GRPC, Netmiko, and NetConf.
Note: HTTP inventory encryption is currently not included.
Example Fernet Key
fernet_key: "F-YE4se483yUZ56S88J3g10dPhKjio8r35sT5xJ4NSc="
Generating a Fernet Key
Various methods can be used to generate a Fernet key. You will need to generate your own Fernet key and keep it safe. If you lose your key, you will not be able to decrypt any passwords that have been encrypted. If someone gets access to the key, they will be able to decrypt those passwords.
Additional information on Fernet encryption is available on the cryptography.io site.
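The key format described above, and the caveat that devices saved before encryption was enabled keep their plaintext passwords, as an added Python example (not Itential's code, stdlib only): it generates a key in the urlsafe-base64 form fernet_key expects, splits it into the signing and encryption halves defined by the Fernet spec, and classifies a stored inventory value as plaintext, a token authenticated under your key, or a token-shaped value your key does not authenticate. Only the HMAC layer of Fernet is implemented; nothing is decrypted, and make_token is a hypothetical helper that exists solely to build a signed test input.

```python
import base64
import hashlib
import hmac
import secrets
import struct

FERNET_VERSION = 0x80  # first byte of every Fernet token
EXAMPLE_KEY = "F-YE4se483yUZ56S88J3g10dPhKjio8r35sT5xJ4NSc="  # the page's example key

def generate_fernet_key() -> str:
    """Return a fresh 32-byte key in the urlsafe-base64 form that fernet_key expects."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")

def parse_fernet_key(key: str) -> tuple[bytes, bytes]:
    """Split a fernet_key value into (signing_key, encryption_key) per the Fernet spec."""
    raw = base64.urlsafe_b64decode(key.encode("ascii"))
    if len(raw) != 32:
        raise ValueError(f"fernet_key must decode to 32 bytes, got {len(raw)}")
    return raw[:16], raw[16:]  # HMAC-SHA256 key first, then the AES-128-CBC key

def make_token(key: str, iv: bytes, ciphertext: bytes, timestamp: int) -> str:
    """Hypothetical helper: assemble and sign a token body. The ciphertext is taken as given
    (no AES step), so this only produces test input for inspect_inventory_password."""
    signing_key, _ = parse_fernet_key(key)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode("ascii")

def inspect_inventory_password(value: str, key: str) -> dict:
    """Classify a stored password field without decrypting it:
    'plaintext'      - not shaped like a Fernet token (e.g. a device saved before encryption),
    'unverified'     - token-shaped, but the HMAC does not match this key (other key or tampered),
    'token_this_key' - authentic token under this key, with its creation timestamp."""
    signing_key, _ = parse_fernet_key(key)
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except ValueError:  # non-ASCII or bad base64 padding: cannot be a token
        return {"kind": "plaintext"}
    # version(1) + timestamp(8) + IV(16) + at least one AES block(16) + HMAC(32)
    if len(raw) < 73 or raw[0] != FERNET_VERSION:
        return {"kind": "plaintext"}
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return {"kind": "unverified"}
    (timestamp,) = struct.unpack(">Q", body[1:9])
    return {"kind": "token_this_key", "timestamp": timestamp, "ciphertext_len": len(body) - 25}
```

Running inspect_inventory_password over every device's password field with the key from properties.yml is a quick way to find devices that still hold plaintext, or tokens issued under a previous key.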
HashiCorp Vault Encryption
Passwords are overwritten when a HashiCorp Vault integration is present and the device has a vault_path variable set to a string value of "vault_path:vault_key". Specify vault_path in the device variables.
Example Device POST
{
"name": "iosxr-cloud",
"variables": {
"host": "sandbox-iosxr-1.cisco.com",
"password": "",
"username": "admin",
"insecure": true,
"vault_path": "network:password",
"port": 57777
}
}
If the vault_path variable is defined, it overwrites the current password field.
Note: Full Vault integration must be set up first. See the HashiCorp Vault integration guide.