The API Builder configuration is stored on disk at rest. For example, connectors may store their usernames and passwords in the clear on disk. If the API Builder configuration contains sensitive information, storing it on disk in this form may be a security concern. There are two relatively easy configuration options to avoid or mitigate the security concern:

...

  1. Generate the encrypted value. The following example is a simple CLI that AES-encrypts a value passed as a command-line argument:

    const crypto = require('crypto');
    const algorithm = 'aes256';
    // Passphrase comes from the KEY environment variable; the fallback is a placeholder.
    const key = process.env.KEY || 'getKeyFromSomewhere';
    const cipherEncoding = 'hex';
    const textEncoding = 'utf-8';
    // Note: crypto.createCipher()/createDecipher() derive the key and IV from the
    // passphrase without a salt. They are deprecated since Node.js 10 and were
    // removed in Node.js 22.
    function encrypt(clearText) {
        const cipher = crypto.createCipher(algorithm, key);
        let cipherText = cipher.update(clearText, textEncoding, cipherEncoding);
        cipherText += cipher.final(cipherEncoding);
        return cipherText;
    }
    function decrypt(cipherText) {
        const decipher = crypto.createDecipher(algorithm, key);
        let clearText = decipher.update(cipherText, cipherEncoding, textEncoding);
        clearText += decipher.final(textEncoding);
        return clearText;
    }
    // Encrypt the first CLI argument, then decrypt it again as a round-trip check.
    const text = process.argv[2];
    const cipherText = encrypt(text);
    console.log(`CIPHERTEXT: ${cipherText}`);
    console.log(`CLEARTEXT:  ${decrypt(cipherText)}`);

    Encryption key:

    $ node ./crypt Hello
    CIPHERTEXT: 6b05e3830ba6638b0790a55cde19cdd7
    CLEARTEXT:  Hello
  2. Place the encrypted value in the API Builder configuration. For this to work, API Builder must be able to decrypt the encrypted value. The decrypt function could be placed in a utility and used across multiple config files:

    const crypto = require('crypto');
    const algorithm = 'aes256';
    // The passphrase is read from the environment, so it is not stored in the config file.
    const key = process.env.KEY;
    function decrypt(cipherText) {
        const decipher = crypto.createDecipher(algorithm, key);
        let clearText = decipher.update(cipherText, 'hex', 'utf-8');
        clearText += decipher.final('utf-8');
        return clearText;
    }
    module.exports = {
        "helloworld": {
            // Ciphertext produced by the CLI in step 1; decrypted when the config is loaded.
            "salutation": decrypt('6b05e3830ba6638b0790a55cde19cdd7')
        }
    };
  3. Set the environment variable in the cloud to the encryption key:

    appc cloud config --set "KEY=mySecretKey"

Now, when the application is published, API Builder will be able to decrypt the encrypted value.