Itential Automation Gateway (IAG) enables you to store encrypted secret information within its backend data store. IAG leverages asymmetrical encryption with zero trust of the server. IAG encrypts secrets with an encryption file that you must create and use for encryption and decryption.
You can use secrets in the following scenarios:
IAG encrypts data using AES (Advanced Encryption Standard) in GCM (Galois/Counter Mode). The system generates the AES key using PBKDF2 from a provided encryption file and a random salt. This approach makes each stored secret distinct, even if secrets use the same encryption file. The system stores the salt and encrypted data as a base64 encoded string.
You need to create an encryption key before you can encrypt and decrypt secrets. If you run IAG in a cluster, all instances in that cluster need access to the same encryption key.
Generate an encryption key using the openssl package:
Verify key creation:
(Optional) Set the encryption key file to owner-read-only to prevent unauthorized access:
Keep this key secure. If you lose the key, you cannot recover any data encrypted with it.
After you generate the key, tell IAG the location of your encryption key. You can configure the key location using either a gateway.conf file or an environment variable.
gateway.conf file
Environment variable
Once your encryption key is set, you can create a secret:
View that the secret exists in the store:
View the contents of the secret using the describe command:
To securely output the decrypted data, the system saves the secret in a temporary location and displays it in your default editor. If you don’t set an editor, IAG defaults to vim. The editor is determined by your $EDITOR environment variable. To set a different $EDITOR:
When you close your editor, the system deletes the file that displayed your secret’s contents.
You’ve now created a secret within IAG’s data store. Keep your encryption key file secure.