Secret management

Overview

Secret management is a critical aspect of securing sensitive data within the system. This document outlines the methods available for encrypting and decrypting secrets, as well as the configuration used internally.

Secret Configuration

The system uses a configuration-defined secret (p6.obfuscation.secret) for encryption and decryption.

By default, this secret is derived from the instance id, but it can be overridden in two ways:

  • using the Docker environment variable p6core_obfuscation_key
  • using the p6.obfuscation.secret property in the configuration file.

See the configuration documentation for details on how to set up the configuration.

Warning

If the secret is changed, all previously encrypted secrets will become unreadable.

Tip

You can share the same secret across multiple instances to allow for cross-instance secret sharing (e.g. for a customer in staging and production).

Obfuscation

Encryption

  • The POST REST endpoint /apis/v2.1/info/obfuscate/encode provides encryption functionality.
  • Using the P6Cmd CLI tool, the command p6cmd obfuscate encrypts secrets.

Note

The encrypted value will be prefixed by p6.obf: to indicate that it is an encrypted value.

Decryption

The DSL method p6.utils.deobfuscate is used for decrypting secrets. (cf. documentation)

Functional usage

Configuration service

The configuration service automatically decrypts secrets when they are read through the DSL methods.

If an entry is stored as an encrypted value (starting with p6.obf:), the value is decrypted automatically when read with:

  • p6.appconfig.get('key')
  • p6.appconfig.getAsJson('key')

Note

The values displayed in the configuration service UI are the encrypted values.

Table service

The table service can also be used to store secrets. In that case, you'll need to call the p6.utils.deobfuscate method yourself to decrypt the secret.

Example

p6.table.lookup('Customers', [Name: 'FEE']).each { record ->
  def login = record['Login']
  // the stored value carries the p6.obf: prefix, so it must be decrypted explicitly
  def password = p6.utils.deobfuscate record['password']
}

Note

The values displayed in the table service UI are the encrypted values.
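The two sections above differ in one point: the configuration service decrypts p6.obf: values for you, the table service does not. The following Groovy DSL snippet is an added example, not code from the P6 documentation; it wraps p6.utils.deobfuscate in a small helper that decrypts only values carrying the p6.obf: prefix, so a table that mixes plaintext and encrypted cells is handled uniformly, and uses the same helper as a safety net on configuration values. The behaviour of p6.utils.deobfuscate on a value without the prefix is not stated on this page, so the helper never passes such a value to it; the configuration key 'smtp.password' and the 'Customers' table columns are assumptions.

```groovy
// Added example (not part of the P6 documentation).
// Prefix applied by /apis/v2.1/info/obfuscate/encode and `p6cmd obfuscate`.
final String OBF_PREFIX = 'p6.obf:'

// Decrypt a stored value only when it is marked as encrypted.
// Assumption: p6.utils.deobfuscate is documented only for prefixed values,
// so plaintext and null values are returned untouched.
def readSecret = { Object raw ->
    if (raw == null) {
        return null
    }
    String value = raw.toString()
    return value.startsWith(OBF_PREFIX) ? p6.utils.deobfuscate(value) : value
}

// Configuration service: p6.appconfig.get already returns the decrypted value
// for p6.obf: entries, so readSecret is a no-op here (key name is assumed).
def smtpPassword = readSecret(p6.appconfig.get('smtp.password'))

// Table service: no automatic decryption, so every secret column goes through
// the helper. Table and column names follow the example above (assumed).
def credentials = [:]
p6.table.lookup('Customers', [Name: 'FEE']).each { record ->
    def login    = record['Login']
    def password = readSecret(record['password'])
    if (password == null) {
        // Skip incomplete records; never write the secret itself to a log.
        println "No password stored for login ${login}, skipping"
        return
    }
    credentials[login] = password
}
// credentials now maps each login to its decrypted password, ready for use
// by the calling script; keep it in local scope and do not persist it.
```

Because the table service UI displays the stored (encrypted) values, checking for the p6.obf: prefix is also a quick way to confirm from the UI that a column was written through the obfuscation endpoint rather than as plaintext.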