Encrypting Secrets with apictl
WSO2 API Controller (apictl) allows you to encrypt a plain-text secret. You can use this feature to export secrets as environment variables, system properties, Docker secrets, or Kubernetes secrets. For more information on using dynamic secrets, refer to Dynamic secrets.
Initialize apictl with a key store
Note
Secret encryption supports only JKS Key Stores.
Note
The Key Store used in this step must be the same Key Store that WSO2 API Manager (WSO2 API-M) or WSO2 Micro Integrator (WSO2 MI) uses to decrypt secrets.
Run the following command to initialize apictl with the Key Store used to encrypt the secrets. It prompts you for the following:
| Key Store location | Path to the Key Store used by the WSO2 API-M or WSO2 MI to decrypt secrets |
| Key Store password | The password of the Key Store |
| Key alias | The alias of the key used to encrypt the secrets |
| Key password | The password of the key used to encrypt the secrets |
-
Command
-
Response
Encrypt secrets
Note
Secret encryption supports only RSA/ECB/OAEPWithSHA1AndMGF1Padding (default) or RSA/ECB/PKCS1Padding as the encryption algorithm.
Note
The encryption algorithm used in this step must be the same algorithm that the WSO2 API-M or WSO2 MI uses to decrypt secrets.
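The two notes above name the supported transformations and require the same one on the encrypting and decrypting side. The following Go sketch is an added example, not apictl or WSO2 code, showing what a mismatch produces. It assumes a freshly generated RSA key in place of the JKS Key Store entry and base64 output; the names Encrypt and Decrypt are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
)

const (
	OAEP  = "RSA/ECB/OAEPWithSHA1AndMGF1Padding" // SHA-1 for both the OAEP digest and MGF1
	PKCS1 = "RSA/ECB/PKCS1Padding"
)

// Encrypt returns the base64 ciphertext (encoding is an assumption) of secret.
func Encrypt(pub *rsa.PublicKey, cipher, secret string) (string, error) {
	switch cipher {
	case OAEP:
		ct, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, []byte(secret), nil)
		return base64.StdEncoding.EncodeToString(ct), err
	case PKCS1:
		ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(secret))
		return base64.StdEncoding.EncodeToString(ct), err
	}
	return "", fmt.Errorf("unsupported cipher %q", cipher)
}

// Decrypt reverses Encrypt; it only recovers the secret when cipher matches.
func Decrypt(priv *rsa.PrivateKey, cipher, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	switch cipher {
	case OAEP:
		ct, err = rsa.DecryptOAEP(sha1.New(), nil, priv, ct, nil)
	case PKCS1:
		ct, err = rsa.DecryptPKCS1v15(nil, priv, ct)
	default:
		err = fmt.Errorf("unsupported cipher %q", cipher)
	}
	return string(ct), err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key, not a real key store entry
	enc, _ := Encrypt(&priv.PublicKey, OAEP, "constructed-secret")
	_, err := Decrypt(priv, PKCS1, enc)
	fmt.Println("decrypt with mismatched cipher:", err)
}
```

A padding mismatch surfaces only as a generic decryption error, so when a secret fails to decrypt, compare the cipher setting on both sides first.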
Run the following command to encrypt secrets with apictl:
-
Command
Info
Flags:
- Optional:
  - --cipher or -c : Encryption algorithm (default is RSA/ECB/OAEPWithSHA1AndMGF1Padding)
  - --output or -o : Get the output in yaml (k8) or properties (file) format. By default the output is printed to the console
  - --from-file or -f : Path to the properties file which contains secrets to be encrypted
-
Encrypt a secret and get output on console
-
Response
-
Encrypt secrets defined in a properties file
-
Response
-
Encrypt secrets defined in a properties file and get a .yaml file
-
Response