Secrets Management and Sensitive Data Protection
Encryption
It is allowed to store values of the properties in the encrypted form.
VIVIDUS uses Jasypt (Java Simplified Encryption) which provides two-way
encryption mechanism. While performing two-way encryption, apart from feeding
plain-text it’s required to feed the secret text (i.e. password) and this secret
text is used to decrypt the encrypted text. The default encryption algorithm is
PBEWithMD5AndDES
.
How to encrypt a string
Option 1 (Recommended): using Jasypt CLI
-
Download the latest Jasypt release
-
Unpack the downloaded zip-archive
-
Go to
bin
folder -
Run the command performing encryption:
Example 1. Windows:encrypt.bat input="This is my message to be encrypted" password=paSSw0rd
Example 2. Linux/UNIX/macOS:./encrypt.sh input="This is my message to be encrypted" password=paSSw0rd
where
-
input
- Any string to be encrypted. -
password
- Your encryption password.paSSw0rd
is a sample password and should be never used, own strong password is required for the encryption.
-
-
Find the encrypted data in
OUTPUT
sectionExample 3. Encryption command output----ENVIRONMENT----------------- Runtime: Eclipse Adoptium OpenJDK 64-Bit Server VM 17+35 ----ARGUMENTS------------------- input: This is my message to be encrypted password: paSSw0rd ----OUTPUT---------------------- 7TQwyzsmuGSQ1GlUlPZVcrzY8BovTHWn1OuVaJ2PTdvOd3md25Y8szfXoHAq94Pw
Find more details in Jasypt CLI Tools documentation |
Option 2: using Jasypt Online
Use this tool at your own risk, since there is a chance of potential leakage of sensitive data |
-
Paste plain text string to encrypt to the corresponding text field.
-
Set Type of Encryption to "Two Way Encryption (With Secret Text)".
-
Enter secret key/text in the corresponding text field.
-
Click "Encrypt".
-
The resulting encrypted string can be copied from the corresponding field.
How to use an encrypted string
-
Set the password in one of the following ways:
-
Set via OS environment variable
VIVIDUS_ENCRYPTOR_PASSWORD
-
Pass the key with its password-value into a test run using command line:
./gradlew runStories -Pvividus.encryptor.password=paSSw0rd
-
Add the password to the system project properties as the value of:
system.vividus.encryptor.password=paSSw0rd
The encryption password is sought in the sequence provided above: first the OS environment variable, then the password set via the command line, and finally the project system property. If the password is discovered at any point in this sequence, the search stops, and additional options are not considered.
This password must be kept secret and must not be committed to version control system. paSSw0rd
is a sample password and it should be never used, own strong password is required for the encryption.
-
-
Use the case-sensitive wrapping
ENC(…)
for any encrypted property value. e.g.http.auth.password=ENC(7TQwyzsmuGSQ1GlUlPZVcrzY8BovTHWn1OuVaJ2PTdvOd3md25Y8szfXoHAq94Pw)
Please see Externalized Configuration section to get more information on how encryptor password can be passed to the tests.
Secrets Management Tools
HashiCorp’s Vault
Configuration
Firstly, it is required to configure Vault endpoint and authentication method.
The properties marked with bold are mandatory. |
Property | Description | Example | ||
---|---|---|---|---|
|
Vault enpoint |
|||
|
Token authentication requires a static token to be provided.
|
|
||
|
Vault Enterprise allows using namespaces to isolate multiple Vaults on a single Vault server. This feature is not supported by Vault Community edition and has no effect on Vault operations. |
|
How to refer Vault secrets
-
Find the required secrets in Vault.
-
Build full paths to the secrets. For the secrets listed above, the paths would be
secret/vividus/test/username
andsecret/vividus/test/password
. -
Put the built paths to properties using the case-sensitive wrapping
VAULT(…)
db.connection.test.username=VAULT(secret/vividus/test/username) db.connection.test.password=VAULT(secret/vividus/test/password)