Itential Automation Gateway (IAG) allows you to store encrypted secret information within its backend data store. IAG uses symmetric encryption (AES) with a key file that you create and control: the key lives outside the data store, in a file that IAG reads at runtime, and the same key file is required both to encrypt a secret and to decrypt it later.
You can use secrets in the following scenarios:
- Store SSH keys for use during Git clone on service execution
- Inject secret data into services
- Authenticate with PyPi or Ansible Galaxy registries
Encryption with IAG
IAG encrypts data using AES (Advanced Encryption Standard) in GCM (Galois/Counter Mode). GCM is an authenticated mode, so a stored value that has been modified, or that is decrypted with the wrong key file, fails verification instead of yielding garbage. The system derives the AES key using PBKDF2 from the contents of the encryption key file and a random salt generated for each secret. This makes each stored secret distinct, and encrypted under its own derived key, even though all secrets share the same encryption key file. The salt and the encrypted data are stored together as a single base64-encoded string; the salt is not sensitive, but it is needed to re-derive the key on decryption.
Create an encryption key
You need to create an encryption key before you can encrypt and decrypt secrets. If you run IAG in a cluster, all instances in that cluster need access to the same encryption key.
Generate an encryption key using the openssl package:
openssl rand -base64 256 > /etc/gateway/gateway_secrets_encryption.key
You can inspect the key (the value shown below is an example; yours will differ):
cat /etc/gateway/gateway_secrets_encryption.key
UM/mOfv5iQqF6Cp1u8k+0MFVTq44NIPQii1wkTgacS1GnOGiI4iBMFeFJSJQT80A
Lso1VmL0wr3MqG9wgvov32y5Oddjay9j5RqMIbQpJuJDJtrodzWi+6B+yo0NBoHz
sgfLr6oL16oFrwSRq+ZSELJLr/aL9V9fdMluHYCGOHJrQtxojoQX41kF7OS6dSNk
BbCRKKJrpJtOmZY1nz7CLcGWxA80PDdjGwozdN/vwxo84Ohpl6/R7pDVZOIXfbyh
xMibYbvLM01A2/eJ72PU4zfiWRdiovnmLlsifMnDwobs0WHY5lAgGpdENs6v577e
YK2U8HlKOWczjPsXjK7RBA==
Restrict the file so that only its owner can read it, and make sure the owner is the account that runs IAG:
chmod 400 /etc/gateway/gateway_secrets_encryption.key
Important
Keep this key secure and keep a protected backup of it. If you lose the key, you cannot recover any data encrypted with it; if the key is exposed, every secret in the data store is exposed with it.
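As an added check (example code, not part of IAG or iagctl), the Go program below validates a key file the way the steps above leave it and prints a SHA-256 fingerprint of its contents. Run it on every node of a cluster and compare the fingerprints: a node whose fingerprint differs holds a different key and cannot decrypt secrets written by the others. The default path, the command-line argument and the strictness of the permission check (no group or other bits at all) are choices made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
)

// CheckKeyFile verifies that path is a regular, non-empty file with no group or
// other permission bits (what chmod 400 or 600 leaves) and returns the SHA-256
// fingerprint of its contents. The fingerprint is safe to compare across nodes
// and reveals nothing useful about the key itself.
func CheckKeyFile(path string) (string, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	if !fi.Mode().IsRegular() {
		return "", fmt.Errorf("%s: not a regular file", path)
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return "", fmt.Errorf("%s: mode %04o is accessible to group or other; run chmod 400 on it", path, perm)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	if len(data) == 0 {
		return "", fmt.Errorf("%s: key file is empty", path)
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	// Default path is the one used on this page; pass another as the first argument.
	path := "/etc/gateway/gateway_secrets_encryption.key"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	fp, err := CheckKeyFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "key file check failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%s  %s\n", fp, path)
}
```

The check deliberately refuses a world- or group-readable file rather than warning, since a readable key file is equivalent to readable secrets; the check does not verify ownership, so confirm separately that the IAG service account owns the file.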
Configure IAG to use the encryption key
After you generate the key, tell IAG the location of your encryption key. You can configure the key location using either a gateway.conf file or an environment variable.
gateway.conf file
[secrets]
encrypt_key_file = "/etc/gateway/gateway_secrets_encryption.key"
Environment variable
export GATEWAY_SECRETS_ENCRYPT_KEY_FILE="/etc/gateway/gateway_secrets_encryption.key"
Create your first secret
Once your encryption key is configured, create a secret. The --prompt-value flag prompts you for the value interactively instead of taking it as a command-line argument, which keeps it out of your shell history and process listings:
iagctl create secret my-secret --prompt-value
View that the secret exists in the store:
iagctl get secrets
NAME
my-secret
View the contents of the secret using the describe command:
iagctl describe secret my-secret
To output the decrypted data, IAG writes the secret to a temporary file and opens it in your default editor. The editor is taken from your $EDITOR environment variable; if $EDITOR is not set, IAG falls back to vim. To use a different editor:
export EDITOR=nano
When you close the editor, IAG deletes the temporary file. Note that the plaintext sits on disk for as long as the editor is open, and editors such as vim may write swap or backup files of their own, so run describe only on a host you trust and close the editor as soon as you have what you need.
You've now created a secret in IAG's data store. Keep your encryption key file secure, and if you run a distributed IAG cluster, install the same key file on every node: a node with a different key cannot decrypt secrets written by the others.