Configure IAG secret store

Itential Automation Gateway (IAG) enables you to store encrypted secret information within its backend data store. IAG leverages asymmetrical encryption with zero trust of the server. IAG encrypts secrets with an encryption file that you must create and use for encryption and decryption.

You can use secrets in the following scenarios:

Encryption in IAG

IAG encrypts data using AES (Advanced Encryption Standard) in GCM (Galois/Counter Mode). The system generates the AES key using PBKDF2 from a provided encryption file and a random salt. This approach makes each stored secret distinct, even if secrets use the same encryption file. The system stores the salt and encrypted data as a base64 encoded string.

Configure IAG secret store

1. Create an encryption key

You need to create an encryption key before you can encrypt and decrypt secrets. If you run IAG in a cluster, all instances in that cluster need access to the same encryption key.

Generate an encryption key using the openssl package:

$ openssl rand -base64 256 > /etc/gateway/gateway_secrets_encryption.key

Verify key creation:

$ cat /etc/gateway/gateway_secrets_encryption.key
UM/mOfv5iQqF6Cp1u8k+0MFVTq44NIPQii1wkTgacS1GnOGiI4iBMFeFJSJQT80A
Lso1VmL0wr3MqG9wgvov32y5Oddjay9j5RqMIbQpJuJDJtrodzWi+6B+yo0NBoHz
sgfLr6oL16oFrwSRq+ZSELJLr/aL9V9fdMluHYCGOHJrQtxojoQX41kF7OS6dSNk
BbCRKKJrpJtOmZY1nz7CLcGWxA80PDdjGwozdN/vwxo84Ohpl6/R7pDVZOIXfbyh
xMibYbvLM01A2/eJ72PU4zfiWRdiovnmLlsifMnDwobs0WHY5lAgGpdENs6v577e
YK2U8HlKOWczjPsXjK7RBA==

(Optional) Set the encryption key file to owner-read-only to prevent unauthorized access:

$ chmod 400 /etc/gateway/gateway_secrets_encryption.key

Keep this key secure. If you lose the key, you cannot recover any data encrypted with it.

2. Configure IAG to use the encryption key

After you generate the key, tell IAG the location of your encryption key. You can configure the key location using either a gateway.conf file or an environment variable.

gateway.conf file

[secrets]
encrypt_key_file = "/etc/gateway/gateway_secrets_encryption.key"

Environment variable

$ export GATEWAY_SECRETS_ENCRYPT_KEY_FILE="/etc/gateway/gateway_secrets_encryption.key"

If you use a distributed IAG cluster, you need to use the same key on all nodes to encrypt and decrypt information.

3. Create your first secret

Once your encryption key is set, you can create a secret:

$ iagctl create secret my-secret --prompt-value

View that the secret exists in the store:

$ iagctl get secrets
NAME
my-secret

View the contents of the secret using the describe command:

$ iagctl describe secret my-secret

To output the decrypted data without printing it to the terminal, the system saves the secret in a temporary location and opens it in your default editor. The editor is chosen from your $EDITOR environment variable; if $EDITOR is not set, IAG defaults to vim. To use a different editor, set $EDITOR:

$ export EDITOR=nano

When you close your editor, the system deletes the file that displayed your secret’s contents.

You’ve now created a secret within IAG’s data store. Keep your encryption key file secure.