...

Secure Properties in ACLI 11.0 provides a key-store-based credential storage solution using password-based encryption (PBE). The key store format used is the UBER format, provided by the excellent Bouncy Castle cryptography library for Java.

...

The ACLI Shell can also create Secure Properties entries as part of its guided site configuration functionality, which can be launched using the slash command /sites add.

Creating a key store

Running the action setSecureProperty for the first time creates a new key store, as shown in the example:

$ acli system setSecureProperty --name my.secret --secret -
Enter secure value: <secret value prompt>
Secure properties file does not yet exist. Creating...
Enter new secure properties password: <new password prompt>
Confirm secure properties password: <new password prompt>
Remember your password, it cannot be recovered!
Secure properties file created.
Value for key 'foo' set in secure properties file.

The value for the --secret parameter in this example is given as -, which indicates that the value should be obtained via an interactive prompt (or read from stdin if not connected to a tty).

We strongly recommend that you provide sensitive values this way, so that they are not accidentally recorded in your shell history, where they would exist in plain text anyway!

The sequence in ACLI is:

  • ACLI prompts for the value of the secret to be stored.

...


  • ACLI prompts for the new key store file password (with confirmation).

Note

The key store requires a non-blank password. Once created, do not forget the password!

Key store passwords cannot be recovered by ACLI support.

If your password is ever compromised, you should consider the contents of the key store to also be compromised and rotate any secrets it contains accordingly.

Once created, the key store file (named .acli.keystore) can be found in your home directory.

Each ACLI user on a given system has their own such file. Note that on a multi-user system, because of other ACLI limitations, each user is still required to maintain their own ACLI installation.

The key store file path can be overridden to point to an alternative location through the use of the environment variable ACLI_SECURE_PROPERTIES. This can be useful if you need to work with multiple key stores or multiple installations of ACLI, but typically should not be needed.

...

When in use, the key store file can provide values to acli.properties by way of substitution variables, similar to the current method of referring to environment variables or other properties (i.e., using ${my.variable} syntax).

In ACLI 11.0.0, the default syntax for referring to key store values is a variation of that syntax, of the form ${secret:my.secret} (note the addition of the secret: prefix).

Because the key store is password-protected, we require the secret: prefix so that the key store is consulted only when necessary. This requirement can be disabled by setting the environment variable ACLI_SECURE_PROPERTIES_SAFE_MODE=false. When disabled, the key store is consulted for any variable name that is not found in the acli.properties file itself or in the environment, but this may result in an interactive prompt to supply a password!
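The following Python is an added illustration, not ACLI's own code: it models the lookup order just described (properties file, then environment, then key store) with ACLI_SECURE_PROPERTIES_SAFE_MODE represented by a safe_mode flag, and shows why turning safe mode off can force a key store unlock for an unresolved name. The properties, environment, key store contents and password are constructed sample values.

```python
import re

# Constructed model (assumption: not ACLI's own code) of how ${...} references
# in acli.properties are resolved, following the lookup order the page
# describes: the properties file, then the environment, then the key store.
# The key store is consulted only for secret:-prefixed names, or for any
# unresolved name when safe mode (ACLI_SECURE_PROPERTIES_SAFE_MODE) is off.
VAR_RE = re.compile(r"\$\{([^}]+)\}")


class KeyStoreLocked(Exception):
    """A lookup needed the key store but no password was available."""


class Resolver:
    def __init__(self, props, env, keystore, password=None, safe_mode=True):
        self.props, self.env, self.keystore = props, env, keystore
        self.password, self.safe_mode = password, safe_mode
        self.unlock_count = 0  # how often the key store had to be opened

    def _keystore_get(self, name):
        # Opening the key store needs the password; this is the point where
        # ACLI would prompt interactively (or read stdin without a tty).
        if self.password is None:
            raise KeyStoreLocked(f"key store needed for '{name}' but it is locked")
        self.unlock_count += 1
        return self.keystore[name]

    def lookup(self, name):
        if name.startswith("secret:"):
            return self._keystore_get(name[len("secret:"):])
        if name in self.props:
            return self.expand(self.props[name])  # property values may nest
        if name in self.env:
            return self.env[name]
        if not self.safe_mode:
            return self._keystore_get(name)  # fall-through: may trigger a prompt
        raise KeyError(f"unresolved variable '{name}'")

    def expand(self, value):
        return VAR_RE.sub(lambda m: self.lookup(m.group(1)), value)

    def try_expand(self, value):
        """Return (True, expanded) or (False, exception class name)."""
        try:
            return True, self.expand(value)
        except (KeyStoreLocked, KeyError) as exc:
            return False, type(exc).__name__
```

With safe mode on, a plain ${name} never touches the key store, so a missing password is only a problem for secret: references; with safe mode off, any unknown name reaches the key store and needs the password.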

Unlocking the key store

When the ACLI configuration refers to secure property values (i.e., using ${secret:...} style variables in acli.properties), each time you run an ACLI command (including starting the ACLI Shell) you are prompted to unlock the key store.

Normally, this means that ACLI prompts you interactively for your key store password before it continues (or reads it from stdin when not connected to a tty).

You may also decide to short-circuit the prompting behavior by setting the environment variable ACLI_SECURE_PROPERTIES_PASSWORD with your password as its value.

Note

Setting your key store password as an environment variable may or may not be appropriate, depending on your risk tolerance. Doing so is a convenience, but one that comes at the cost of reduced security.

Advantage:
If your key store file escapes your system, it is still strongly encrypted.

Disadvantage:
Storing your key store password as an environment variable may make it easier to compromise your key store in a sophisticated attack.

Whether you decide this is an acceptable risk is entirely at your discretion, and depends on the threat modelling that you and your organisation use.

Use this method at your own risk.

...