
Inventory encryption

Itential Automation Gateway (IAG) supports local Fernet encryption and HashiCorp Vault for inventory passwords.

Local encryption

Fernet encryption uses a 128-bit key to protect a password from being manipulated or read.

To enable local encryption, set the fernet_key value in the properties.yml file. You can generate a Fernet key using any of the methods outlined in the section below. Once encryption is enabled, a password is encrypted when you update an existing device or create a new device. Existing passwords are not automatically encrypted.

The device types that support local encryption are GRPC, Netmiko, and NetConf.

HTTP inventory encryption is currently not included.

Example Fernet key

fernet_key: "F-YE4se483yUZ56S88J3g10dPhKjio8r35sT5xJ4NSc="

Generating a Fernet key

Various methods can be used to generate a Fernet key. You will need to generate your own Fernet key and keep it safe. If you lose your key, you will not be able to decrypt any passwords that have been encrypted. If someone gets access to the key, they will be able to decrypt those passwords.

Additional information on Fernet encryption is available on the cryptography.io site.
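
The following is an added example, not Itential's code: one way to generate a key and sanity-check a fernet_key value before it goes into properties.yml, using only the Python standard library. The function names are hypothetical; `Fernet.generate_key()` from the cryptography package produces a key of the same form.

```python
import base64
import secrets

# Key printed on this documentation page. It is public, so treat it as compromised.
DOC_EXAMPLE_KEY = "F-YE4se483yUZ56S88J3g10dPhKjio8r35sT5xJ4NSc="


def generate_fernet_key() -> str:
    """Return 32 bytes from the OS CSPRNG as URL-safe base64 (44 characters).

    Per the Fernet spec the first 16 bytes are the HMAC signing key and the
    last 16 bytes are the 128-bit AES encryption key.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")


def check_fernet_key(value: str) -> list:
    """Return the problems found in a fernet_key value; an empty list means usable."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except ValueError:  # covers bad padding and non-ASCII input
        return ["not valid URL-safe base64"]
    problems = []
    # The decoder silently skips stray characters, so require an exact round trip.
    if base64.urlsafe_b64encode(raw).decode("ascii") != value:
        problems.append("not canonical URL-safe base64")
    if len(raw) != 32:
        problems.append(f"decodes to {len(raw)} bytes, expected 32")
    if value == DOC_EXAMPLE_KEY:
        problems.append("matches the published documentation example")
    return problems


def properties_line(key: str) -> str:
    """Format the key as the properties.yml entry shown on this page."""
    if check_fernet_key(key):
        raise ValueError("refusing to emit an unusable fernet_key")
    # Quoted, matching the example entry on this page.
    return f'fernet_key: "{key}"'


if __name__ == "__main__":
    print(properties_line(generate_fernet_key()))
```

Run it where the output will not land in shell history or shared logs, and store the key with the same care as the passwords it protects.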

HashiCorp Vault encryption

Passwords are overwritten when a HashiCorp Vault integration is present and the device has a vault_path variable set with a string value of "vault_path:vault_key" in the device variables.

Example device POST

{
  "name": "iosxr-cloud",
  "variables": {
    "host": "sandbox-iosxr-1.cisco.com",
    "password": "",
    "username": "admin",
    "insecure": true,
    "vault_path": "network:password",
    "port": 57777
  }
}

If the vault_path variable is defined, it will overwrite the current password field.

Full Vault integration must be set up first. See the HashiCorp Vault integration guide.