Manual Property Encryption

It is still possible to have specific keys encrypted in Vault using the $SECRET syntax. Although this practice is an available option, property encryption should be performed automatically wherever possible.

Adapters

To set encryption for Adapters:

1. Within Vault, create the path and key name for the item in question. HINT: Be sure to give it a path and key name that is easy to relate back to the targeted item.

2. Go to Admin Essentials, click the Adapters menu, and select an Adapter.

   Figure 1: Select Adapter

   

3. Within the adapter you selected, locate the value you would like to encrypt. Click the Advanced View toggle switch to see the JSON, which may be easier to edit.

   Figure 2: Advanced Configuration View

   

4. Remove the existing value. Replace it with "$SECRET_" and then the path within Vault to where that secret is stored, followed by " $KEY_" (Hint: there is a space before "$KEY") and the key within that path. An example would be "$SECRET_default_password $KEY_key" which will evaluate to "password".

   Figure 3: Edit Adapter

   

5. Click Save and the adapter will automatically restart using Vault to decrypt the changed property.

6. The adapter should appear in the list with a green status indicator and connection icons after restart.

   Figure 4: Adapter Connected

   

Integrations

To set encryption for Adapters:

1. Within Vault, create the path and key name for the item in question. HINT: Be sure to give it a path and key name that is easy to relate back to the targeted item.

2. Go to Admin Essentials, click the Integrations menu, and select an Integration. Within the Integration, locate the value you would like to encrypt.

   Figure 5: Select an Integration
   

3. Click the Advanced View toggle switch to see the JSON, which may be easier to edit.

4. Remove the existing value. Replace it with "$SECRET_" and then the path within Vault to where that secret is stored, followed by " $KEY_" (Hint: there is a space before "$KEY") and the key within that path. An example would be "$SECRET_default_password $KEY_key" which will evaluate to "password".

   Figure 6: Edit the Integration
   

5. Click the Save icon and the Integration will automatically restart using Vault to decrypt the changed property.

Profiles

To set encryption for Profiles within Admin Essentials:

1. Within Vault, create the path and key name for the item in question. HINT: Be sure to give it a path and key name that is easy to relate back to the targeted item.

2. Go to Admin Essentials, click Profiles on the left sidebar, and select the currently running profile.

3. Within the profile, click the Configure tab and then select one of the Profile Properties to encrypt.

   Figure 7: Edit Profile Properties

   

4. Remove the existing value. Replace it with "$SECRET_" and then the path within Vault to where that secret is stored, followed by " $KEY_" (Hint: there is a space before "$KEY") and the key within that path. An example would be "$SECRET_default_password $KEY_key" which will evaluate to "password".

5. Click Save to finalize the profile property changes.

6. Restart IAP for these changes to take effect.

Properties JSON

To set encryption for a property:

1. Within Vault, create the path and key name for the item in question. Hint: Be sure to give it a path and key name that is easy to relate back to the targeted item.

2. Open the properties.json and select a property to encrypt, such as "mongoProps.credentials.passwd".

   ---

    Note: It is not possible to encrypt any of the vaultProps within the properties.json.

   ---

3. Remove the existing value. Replace it with "$SECRET_" and then the path within Vault to where that secret is stored, followed by " $KEY_" and the key within that path. An example would be "$SECRET_default_password $KEY_key" which will evaluate to "password".

4. Save the document.

5. Restart IAP for these changes to take effect.