Secrets Management and Sensitive Data Protection

Encryption

It is allowed to store property values and input test data in the encrypted form. VIVIDUS uses Jasypt (Java Simplified Encryption) which provides two-way encryption mechanism. While performing two-way encryption, apart from feeding plain-text it’s required to feed the secret text (i.e. password) and this secret text is used to decrypt the encrypted text. The default encryption algorithm is PBEWithMD5AndDES.

How to encrypt a string

Option 1 (Recommended): using Jasypt CLI

  1. Download the latest Jasypt release

  2. Unpack the downloaded zip-archive

  3. Go to bin folder

  4. Run the command performing encryption:

    Example 1. Windows:
    encrypt.bat input="This is my message to be encrypted" password=paSSw0rd
    Example 2. Linux/UNIX/macOS:
    ./encrypt.sh input="This is my message to be encrypted" password=paSSw0rd

    where

    • input - Any string to be encrypted.

    • password - Your encryption password.

      paSSw0rd is a sample password and should be never used, own strong password is required for the encryption.

  5. Find the encrypted data in OUTPUT section

    Example 3. Encryption command output
    ----ENVIRONMENT-----------------

Runtime: Eclipse Adoptium OpenJDK 64-Bit Server VM 21+35-LTS



----ARGUMENTS-------------------

input: This is my message to be encrypted
password: paSSw0rd



----OUTPUT----------------------

7TQwyzsmuGSQ1GlUlPZVcrzY8BovTHWn1OuVaJ2PTdvOd3md25Y8szfXoHAq94Pw
Find more details in Jasypt CLI Tools documentation

Option 2: using Jasypt Online

Use this tool at your own risk, since there is a chance of potential leakage of sensitive data

  1. Paste plain text string to encrypt to the corresponding text field.

  2. Set Type of Encryption to "Two Way Encryption (With Secret Text)".

  3. Enter secret key/text in the corresponding text field.

  4. Click "Encrypt".

  5. The resulting encrypted string can be copied from the corresponding field.

How to use an encrypted string

  1. Set the password in one of the following ways:

    1. Set via OS environment variable VIVIDUS_ENCRYPTOR_PASSWORD

    2. Pass the key with its password-value into a test run using command line:

      ./gradlew runStories -Pvividus.encryptor.password=paSSw0rd

    3. Add the password to the system project properties as the value of:

      system.vividus.encryptor.password=paSSw0rd

      The encryption password is sought in the sequence provided above: first the OS environment variable, then the password set via the command line, and finally the project system property. If the password is discovered at any point in this sequence, the search stops, and additional options are not considered.

      This password must be kept secret and must not be committed to version control system.
      paSSw0rd is a sample password and it should be never used, own strong password is required for the encryption.

  2. Use the encrypted value in the following ways:

    1. Use the case-sensitive wrapping ENC(…​) for any encrypted property value, e.g.:

      http.auth.password=ENC(7TQwyzsmuGSQ1GlUlPZVcrzY8BovTHWn1OuVaJ2PTdvOd3md25Y8szfXoHAq94Pw)

    2. Decrypt the value with help of decrypt expression and use the result in test scenario, e.g.:

      When I enter `#{decrypt(ENC(7TQwyzsmuGSQ1GlUlPZVcrzY8BovTHWn1OuVaJ2PTdvOd3md25Y8szfXoHAq94Pw))}` in field located by `id(password)`

Please see Externalized Configuration section to get more information on how encryptor password can be passed to the tests.

Secrets Management Tools

HashiCorp’s Vault

Configuration

Firstly, it is required to configure Vault endpoint and authentication method.

The properties marked with bold are mandatory.
Property Description Example

vault.uri

Vault enpoint

http://127.0.0.1:8200

vault.token

Token authentication requires a static token to be provided.

Token authentication is just one of several authentication methods that are supported.

dev-only-token

vault.namespace

Vault Enterprise allows using namespaces to isolate multiple Vaults on a single Vault server. This feature is not supported by Vault Community edition and has no effect on Vault operations.

ns1/ns2

How to refer Vault secrets

  1. Find the required secrets in Vault.

    Secrets in Vault

  2. Build full paths to the secrets. For the secrets listed above, the paths would be secret/vividus/test/username and secret/vividus/test/password.

  3. Put the built paths to properties using the case-sensitive wrapping VAULT(…​)

    db.connection.test.username=VAULT(secret/vividus/test/username)
db.connection.test.password=VAULT(secret/vividus/test/password)