...

Because the key store is password-protected, we require the secret: prefix in order to consult the key store only when necessary. This requirement can be disabled by setting the environment variable ACLI_SECURE_PROPERTIES_SAFE_MODE=false. When disabled, the key store will be consulted for any variable names not found in acli.properties itself or the environment, but this may result in an interactive prompt to supply a password!

Unlocking the key store

When a secret variable needs to be resolved during configuration loading, the key store must be unlocked to proceed. Once your ACLI configuration refers to secure property values (i.e., using ${secret:...} style variables in acli.properties), you will be prompted to unlock the key store each time you run an ACLI command (including starting the ACLI Shell).

Normally, this means that ACLI will prompt you interactively for your key store password before it continues (or read it from stdin when not connected to a tty). At your discretion, you may optionally short-circuit this prompting behavior by setting the environment variable ACLI_SECURE_PROPERTIES_PASSWORD with your password as the variable value.

Note

Setting your key store password as an environment variable may or may not be appropriate, depending on your risk tolerance. Doing so is a convenience, but one that comes at a cost of reduced security. You still have the advantage that if your key store file escapes your system it is strongly encrypted, but the storage of your key store password as an environment variable may make it easier to compromise your key store in a sophisticated attack.

Whether you decide this is an acceptable risk is entirely at your discretion, and depends on the threat modeling under consideration by you and your organization. Use this method at your own risk.
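The lookup order described above (acli.properties, then the environment, then the key store only for secret:-prefixed names unless ACLI_SECURE_PROPERTIES_SAFE_MODE=false widens that to every unresolved name), modelled as an added Python example; this is not ACLI's own code, and the KeyStore class, the outcome helper and all sample values are constructed for illustration, with the "prompt" result standing in for the interactive password prompt.

```python
import re
from typing import Dict, Optional

VAR_PATTERN = re.compile(r"\$\{([^}]+)\}")


class KeyStorePrompt(Exception):
    """Raised where the real tool would stop and prompt for the key store password."""


class KeyStore:
    """Stand-in for the password-protected key store (constructed for this example)."""

    def __init__(self, password: str, secrets: Dict[str, str]):
        self._password = password
        self._secrets = secrets

    def get(self, name: str, password: Optional[str]) -> Optional[str]:
        # No password (or the wrong one) means the tool would have to prompt.
        if password != self._password:
            raise KeyStorePrompt(f"key store locked while resolving '{name}'")
        return self._secrets.get(name)


def resolve(text: str, props: Dict[str, str], env: Dict[str, str], store: KeyStore) -> str:
    """Expand ${...} references: properties, then environment, then key store."""
    safe_mode = env.get("ACLI_SECURE_PROPERTIES_SAFE_MODE", "true").lower() != "false"
    password = env.get("ACLI_SECURE_PROPERTIES_PASSWORD")  # absent -> prompt

    def lookup(match: "re.Match[str]") -> str:
        ref = match.group(1)
        if ref.startswith("secret:"):
            value = store.get(ref[len("secret:"):], password)  # prefix: always key store
        else:
            value = props.get(ref, env.get(ref))
            if value is None and not safe_mode:
                value = store.get(ref, password)  # safe mode off: may prompt
        if value is None:
            raise KeyError(f"unresolved variable: {ref}")
        return value

    return VAR_PATTERN.sub(lookup, text)


def outcome(text: str, props: Dict[str, str], env: Dict[str, str], store: KeyStore) -> str:
    """Classify a run as 'ok:<expanded text>', 'prompt' or 'unresolved'."""
    try:
        return "ok:" + resolve(text, props, env, store)
    except KeyStorePrompt:
        return "prompt"
    except KeyError:
        return "unresolved"
```

With safe mode left on, a misspelled plain variable name fails as unresolved without ever touching the key store; with it off, the same name falls through to the key store and triggers the prompt unless the password variable is set.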

...