🤔 Description
To ensure a higher level of credential security that may be required in specific industries, ACLI 11.0 introduces the Secure Properties functionality.
Secure Properties augments the acli.properties
file, mitigating any breach of security that could occur if the ACLI configuration files were to escape your system.
🌱 Solution
The Secure Properties in ACLI 11.0 provides a key-store-based credential storage solution using password based encryption (PBE). The specific key store format is the UBER format, provided by the excellent Bouncy Castle cryptography library for Java.
The Secure Properties key can store any value, while it prevents sensitive credentials from being stored as plain text on disk.
The use of Secure Properties is optional.
The ACLI Shell can also create Secure Properties entries as part of its guided site configuration functionality, which can be launched using the slash-command, /sites add
.
Working with Secure Properties
The Secure Properties adds a further security check by consulting the Secure Properties key store for the Secure Properties key variable. This check is only performed when the variable reference contains the prefix secret
.
To distinguish the Secure Properties key from all other variables, the Secure Property keys are prefixed with secret
.
You can define when the variable is looked up in the key store by setting the environment variable to ACLI_SECURE_PROPERTIES_SAFE_MODE=false
, the key store is always checked.
Using Secure Properties consists in three main steps:
Creating a key store
Referencing secrets in the acli.properties file
Unlocking the key store
Creating a key store
When you create the key store file (named .acli.keystore
), it can be found in your home directory.
Each ACLI user on a given system has their own such file. Note that on a multi-user system, each user is required to maintain their own ACLI installation.
The key store file path can be overridden to point to an alternative location through the use of the environment variable ACLI_SECURE_PROPERTIES
. This can be useful if you need to work with multiple key stores or multiple installations of ACLI.
When the Secure Properties is set, ACLI:
First prompts for the value of the secret to be stored.
Prompts for the new key store file password (with confirmation).
To create a key store, run the action setSecureProperty
, as shown in the example:
$ acli system setSecureProperty --name my.secret --secret - Enter secure value: <secret value prompt> Secure properties file does not yet exist. Creating... Enter new secure properties password: <new password prompt> Confirm secure properties password: <new password prompt> Remember your password, it cannot be recovered! Secure properties file created. Value for key 'foo' set in secure properties file.
The value for the --secret
parameter, provided in the example, is -
The value set to -
indicates that the value should be obtained via an interactive prompt (or read from stdin
if not connected to a tty).
We strongly recommend that you use this method to provide sensitive values to avoid they are not accidentally recorded in your shell history, where they would end up existing in plain text anyway!
The key store requires a non-blank password. Once created, do not forget the password!
Key store passwords cannot be recovered by ACLI support.
If your password is ever compromised, you should consider the contents of the key store to also be compromised and rotate any secrets it contains accordingly.
Referencing secrets in acli.properties
When in use, the key store file can be used to provide values to acli.properties
by way of substitution variables similar to the current method of referring to environment variables or other properties (i.e., using ${my.variable}
syntax).
The default syntax for referring to key store values is using a variation of that syntax of the form ${secret:my.secret}
(note the addition of the secret:
prefix).
Because the key store is password-protected, the secret:
prefix allows to only consult the key store for the Secure Properties key variables. To disable this requirement, set the environment variable ACLI_SECURE_PROPERTIES_SAFE_MODE=false
.
When disabled, the key store is consulted for variable names that are not found in the acli.properties
file or the environment, this may result in an interactive prompt requesting to supply a password!
Unlocking the key store
When the ACLI configuration refers to secure property values (i.e., using ${secret:...}
style variables in acli.properties
), each time that you run an ACLI command (including starting the ACLI Shell), you are prompted to unlock the key store.
Normally, this means that ACLI prompts you for your key store password before it continues (or reads it from stdin
when not connected to a tty).
You may also decide to short-circuit the prompting behavior by setting the environment variable ACLI_SECURE_PROPERTIES_PASSWORD
with your password as a value.
Setting your key store password as an environment variable may or may not be appropriate, depending on your risk tolerance. Doing so is a convenience that comes at a cost of reduced security.
Advantage:
If your key store file escapes your system, it is strongly encrypted.
Disadvantage:
Storing your key store password as an environment variable may make it easier to compromise your key store in a sophisticated attack.
Whether you decide this is an acceptable risk is entirely at your discretion, and depends on considerations on the threat modelling that you and your organisation use.
Use this method at your own risk.
Actions
Use ACLI actions, part of the ACLI system
client, to create, update, read, and delete key-value pairs stored in the Secure Properties key store.
To use a secure property in acli.properties
, follow the example as illustrated here:
my-jira = jiracloud -s https://myjira.atlassian.net -u me@example.com -t ${secret:my-jira.token}
The Actions and Examples table shows how you can work with the secure properties and provides examples.
Actions and Examples | |
---|---|
|
|
|
|
|
|
| Locating your Secure Properties key store Your key store is normally located in your home directory and is named Example: Display key store file path $ acli -a getClientInfo --outputFormat 2 Client information Client name . . . . . . . . . : cli Client version . . . . . . . : 11.0.0 ... Secure properties . . . . . . : File . . . . . . . . . . . : /Users/me/.acli.keystore |