Secrets management

Externalised secrets

Introduction

Configuration supports externalisation of secrets (i.e. passwords) eliminating the need for clear-text secrets in configuration files.

Secrets are available using the standard mechanism of property expansion using the scope secrets:

"${secrets.<impl-specific-name>}"

By default secrets management is not enabled.

Configuration

Since secrets management is a part the configuration subsystem it must be configured separately. To allow maximum flexibility, configuration is done using environment variables which can be set in the application start script, injected by container management systems or configured on the application user account, depending on how the system is set up.

Different implementations requires different configuration. Which implementation to use is specified using the following environment variable:

# Default (noop)
FORTIFIED_SECRETS_IMPL=default

# Use build in 'local' impl
FORTIFIED_SECRETS_IMPL=local

# Use custom impl
FORTIFIED_SECRETS_IMPL=fully.qualified.class.Name

Implementations

Local

The built in local secrets management implementation provides decryption of secrets stored in configuration.

Secrets must be encrypted, base64 encoded and added to configuration manually, no automatic encryption is done since configuration is read-only.

Only AES encryption (key size 128/256) is supported.

An encrypted property has the following format (where "yR3v4....wgkR0=" is the base64 encoded encrypted value):

"${secrets.yR3v4eyaB/L4lTtI1PgPetsuJmafmgBuSYjU904aXMwgkR0=}"

To enable this implementation, set the following environment variable(s):

# Enable built in 'local' impl 
FORTIFIED_SECRETS_IMPL=local

# AES secret
FORTIFIED_SECRETS_SECRET=my-secret

# AES keysize (optional, defaults to 128)
FORTIFIED_SECRETS_KEY_SIZE=256

For more information on how to encrypt secrets for use with implementation, see: https://docs.fortifiedid.se/use-cases/misc/encrypt-configuration-secrets

OpenSSL

To decrypt secret encrypted with OpenSSL use the following configuration:

# Enable OpenSSL impl
FORTIFIED_SECRETS_IMPL=fortified.platform.config.secrets.OpenSSLSecretsScope

# AES secret
FORTIFIED_SECRETS_SECRET=my-secret

In the current version only aes-256-cbc cipher with sha256 digest is supported.

Custom

It is possible to supply custom secrets management implementations.

Custom implementations are enabled by supplying the fully qualified class name of the implementation.

# Use custom impl
FORTIFIED_SECRETS_IMPL=fully.qualified.class.Name

A custom implementation must implement the following interface available in platform-config-<version>.jar.

package fortified.platform.config.secrets;

public interface SecretsResolver {
    String resolve(String key);
}

The custom implementation class and all of its dependencies must also be available on the application class path.

Setting environment variables using power shell

To set variables on Windows using power shell in terminal execute:

[Environment]::SetEnvironmentVariable('FORTIFIED_SECRETS_IMPL', 'local', [EnvironmentVariableTarget]::Machine)
[Environment]::SetEnvironmentVariable('FORTIFIED_SECRETS_SECRET', 'Fortified', [EnvironmentVariableTarget]::Machine)

# AES keysize (optional, defaults to 128)
[Environment]::SetEnvironmentVariable('FORTIFIED_SECRETS_KEY_SIZE', '256', [EnvironmentVariableTarget]::Machine)

This will set required variables "machine-wide".

PreviousFile inclusion NextExamples