🤔 Description
To ensure a higher level of credential security that may be required in specific industries, ACLI 11.0 introduces the Secure Properties functionality.
Secure Properties replaces the acli.properties file preventing any breach of security that could occur if the credentials in the n acli.properties were intercepted.
🌱 Solution
The Secure Properties in ACLI 11.0 provides a key-store-based credential storage solution using password based encryption (PBE). The specific key store format utilized is the Bouncy Castle provided UBER format.
The Secure Properties key can store any value, while it prevents sensitive credentials from being stored as plain text on disk.
| Info |
|---|
NOTE |
Creating a key store
A new key store is created when the action setSecureProperty is run for the first time. For example:
| Code Block | ||
|---|---|---|
| ||
$ acli system setSecureProperty --name my.secret --secret - Enter secure value: <secret value prompt> Secure properties file does not yet exist. Creating... Enter new secure properties password: <new password prompt> Confirm secure properties password: <new password prompt> Remember your password, it cannot be recovered! Secure properties file created. Value for key 'foo' set in secure properties file. |
The value for the --secret parameter in this example is provided as - which indicates that the value should be obtain via an interactive prompt (or read from stdin if not connected to a tty). We strongly recommend providing sensitive values this way so that they are not accidentally recorded in your shell history, where they would end up existing in plain text anyway!
Breaking this down, you can see that first ACLI will prompt for the value of the secret to be stored, and then it will prompt for the new key store file password (with confirmation).
| Note |
|---|
The key store requires a non-blank password. Once created, do not forget the password! Key store passwords cannot be recovered by ACLI support. If your password is ever compromised, you should consider the contents of the key store to also be compromised and rotate any secrets it contains accordingly. |
Once created, the key store file (named .acli.keystore) can be found in your home directory. Each ACLI user on a given system has their own such file (because of other ACLI limitations, it is still necessary on a multi-user system for each user to maintain their own ACLI installation). The key store file path can be overridden to point to an alternative location through the use of the environment variable ACLI_SECURE_PROPERTIES. This can be useful if you need to work with multiple key stores or multiple installations of ACLI, but typically should not be needed.
Referencing secrets in acli.properties
When in use, the key store file can be used to provide values to acli.propertiesby way of substitution variables similar to the current method of referring to environment variables or other properties (i.e., using ${my.variable} syntax). In ACLI 11.0.0, the default syntax for referring to key store values is with a variation of that syntax of the form ${secret:my.secret} (note the addition of the secret: prefix).
Because the key store is password-protected, we require the secret: prefix in order to consult the key store only when necessary. This requirement can be disabled by setting the environment variable ACLI_SECURE_PROPERTIES_SAFE_MODE=false. When disabled, the key store will be consulted for any variable names not found in acli.properties itself or the environment, but this may result in an interactive prompt to supply a password!
Unlocking the key store
Once your ACLI configuration refers to secure property values (i.e., using ${secret:...} style variables in acli.properties) then you will be prompted to unlock the key store each time you run an ACLI command (including starting the ACLI Shell).
Normally, this means that ACLI will prompt you interactively for your key store password before it continues (or read it from stdin when not connected to a tty). At your discretion, you may optionally short-circuit this prompting behavior by setting the environment variable ACLI_SECURE_PROPERTIES_PASSWORD with your password as a value.
| Note |
|---|
Setting your key store password as an environment variable may or may not be appropriate, depending on your risk tolerance. Doing so is a convenience, but one that comes at a cost of reduced security. You still have the advantage that if your key store file escapes your system it is strongly encrypted, but the storage of your key store password as an environment variable may make it easier to compromise your key store in a sophisticated attack. Whether you decide this is an acceptable risk is entirely at your discretion, and depends on the threat modeling under consideration by you and your organization. Use this method at your own risk. |
Actions
Use ACLI actions, part of the ACLI system client, to create, update, read, and delete key-value pairs stored in the Secure Properties key store.
To use a secure property in acli.properties, follow the example:
| Code Block | ||||
|---|---|---|---|---|
| ||||
my-jira = jiracloud -s https://myjira.atlassian.net -u me@example.com -t ${secret:my-jira.token} |
The table shows how you can work with the secure properties and provides examples.
| |||||||||||||||||||||
| Code Block |
|---|
$ acli system -a setSecureProperty --name my-jira.token --secret Enter secure properties password: <password prompt> Value for key 'my-jira.token' set in secure properties file. |
clearSecureProperties
This action clears the entire secure properties key store file.
To ensure that a value is not accidentally removed, you are prompted for confirmation.
If you add the --force parameter, the secure property file is removed without confirmation.
To complete the action, you are prompted to insert the key store password.
If you have forgotten the password, you must manually delete the key store file in your home directory.
Example: Clear all secure properties
| Code Block | ||
|---|---|---|
| ||
$ acli system -a clearSecureProperties Enter secure properties password: <password prompt> Enter CONFIRM to permanently clear all secure properties (CANNOT be undone): CONFIRM Secure properties cleared. |
getSecureProperty
This action only retrieves a secure property from the key store.
To retrieve the property value, use:
--outputFormat 2.
Example: Get Secure Property
| Code Block | ||
|---|---|---|
| ||
$ acli system -a getSecureProperty --name my-jira.token Enter secure properties password: <password prompt> Secure property 'foo' exists in the secure properties file. |
Example: Get Secure Property with value
| Code Block | ||
|---|---|---|
| ||
$ acli system -a getSecureProperty --name foo --outputFormat 2 Enter secure properties password: <password prompt> Value of secure property 'my-jira.token': <your token value> |
importSecureProperties
This action allows you to import secure properties from another key store file to your default key store.
To do so, you need the password for both the source and destination key stores.
OPTIONS
Use the
--replaceparameter to avoid being asked to confirm overwriting properties during import.Use the
--includeand--excludeparameters to filter the properties being imported.
Note that each of the imported properties, take a regular expression value that is evaluated against the list of keys in the source key store.
This can be useful for sharing selected secure properties, just ensure to not store or transmit the password with the data!
Example: Import secure properties
| Code Block | ||
|---|---|---|
| ||
$ acli system -a importSecureProperties -f import.keystore Enter secure properties password: <destination password prompt> Enter inbound secure properties password: <source password prompt> Imported 0 secure properties. Ignored: buz,foo. Use --replace to overwrite existing values. |
Example: Import select secure properties (via inclusion) with overwrite
| Code Block | ||
|---|---|---|
| ||
$ acli system -a importSecureProperties -f import.keystore --include '(?i)^F' --replace Enter secure properties password: <destination password prompt> Enter inbound secure properties password: <source password prompt> Imported 1 secure property: foo. |
removeSecureProperty
This action removes a secure property from the key store.
To ensure that a value is not accidentally removed, you are prompted for confirmation.
If you add the --force parameter, the secure property is removed without confirmation.
If after this operation the key store is empty, it is automatically removed.
Example: Remove a secure property
| Code Block | ||
|---|---|---|
| ||
$ acli system -a removeSecureProperty --name my-jira.token Enter secure properties password: <password prompt> Enter CONFIRM to permanently remove the secure property 'my-jira.token': CONFIRM Removed value for key 'my-jira.token' from secure properties file. Deleted empty keystore file. |
exportSecureProperties
This action allows you to export secure properties from your default key store to another key store file.
To do so, you need the password for both the source and destination key stores.
OPTIONS
Use the
--replaceparameter to avoid being asked to confirm overwriting properties during export.Use the
--includeand--excludeparameters to filter the properties being exported.
Note that each of the exported properties, take a regular expression value that is evaluated against the list of keys in the source key store.
Example: Export select secure properties (via exclusion) with overwrite
| Code Block | ||
|---|---|---|
| ||
$ acli system -a exportSecureProperties -f export.keystore --exclude '(?i)^F' --replace Enter secure properties password: <source password prompt> Enter outbound secure properties password: <destination password prompt> Exported 1 secure property: buz. |
getSecurePropertyList
This action only returns all secure properties from the key store.
To retrieve the list of property value, use:
--outputFormat 2.
Example
Get secure property list with values
| Code Block | ||
|---|---|---|
| ||
$ acli system -a getSecurePropertyList --outputFormat 2 Enter secure properties password: 2 secure properties in list "Name","Value" "buz","qux" "foo","foo" |