Skip to content

Encrypting Secrets with apictl

WSO2 API Controller (apictl) allows you to encrypt plain-text secrets. You can use this feature to export secrets as environment variables, system properties, Docker secrets, or Kubernetes secrets.

apictl secret supports two encryption modes:

  • Symmetric encryption using an AES-256 encryption key. You must initialize the key first with apictl secret init symmetric.
  • Asymmetric encryption using a keystore initialized with apictl secret init.

Note

Use the same encryption mode and algorithm that the target runtime uses to decrypt secrets.

Choose the encryption mode

Mode When to use Initialization Supported cipher values
Symmetric When the target runtime is configured to use AES-based secret encryption. Requires apictl secret init symmetric. Defaults to AES/GCM/NoPadding. AES256 is also accepted as an alias.
Asymmetric When the target runtime uses RSA and a keystore for secret encryption. Requires apictl secret init. RSA/ECB/OAEPWithSHA1AndMGF1Padding or RSA/ECB/PKCS1Padding

Encrypt secrets with symmetric encryption

Symmetric encryption uses an AES-256 encryption key that must be initialized before creating secrets.

Note

Run apictl secret init symmetric before apictl secret create symmetric. apictl prompts for the symmetric key once, validates it, stores it in encryption-key/encryption_key.yaml, and uses AES/GCM/NoPadding as the default symmetric algorithm during secret creation.

Note

It is recommended to use a 64-character hexadecimal AES-256 key. For example:

openssl rand -hex 32

Run the following commands for symmetric encryption:

  • Initialization

    apictl secret init symmetric

  • Create encrypted secrets

    apictl secret create symmetric

    Info

    Flags:

    • Optional :
      --cipher or -c : Optional algorithm override for symmetric encryption. The default is AES/GCM/NoPadding. AES256 is also accepted as an alias
      --output or -o : Get the output in yaml (k8) or properties (file) format. By default the output is printed to the console
      --from-file or -f : Path to the properties file which contains secrets to be encrypted

    • Encrypt a secret and get output on console

      Example

      apictl secret create symmetric
Enter plain alias for secret: db_password
Enter plain text secret:
Repeat plain text secret:

    • Encrypt secrets defined in a properties file

      Example

      apictl secret create symmetric -f ./keys/secrets.properties

    • Encrypt secrets defined in a properties file and get a .properties file

      Example

      apictl secret create symmetric -o file -f ./keys/secrets.properties

    • Encrypt secrets defined in a properties file and get a .yaml file

      Example

      apictl secret create symmetric -o k8 -f ./keys/secrets.properties

  • Response

    The encrypted value is printed to the console by default. If -o file or -o k8 is used, apictl generates the output file in the security directory of the current working directory.

Encrypt secrets with asymmetric encryption

Asymmetric encryption uses the public key from a keystore. The initialized keystore details are stored in keystore/keystore_info.yaml. Before creating secrets, initialize apictl with the keystore used by the target runtime.

Initialize apictl with a keystore

Note

Secret encryption supports only JKS keystores for this flow.

Note

The keystore used in this step must be the same keystore that the target runtime uses to decrypt secrets.

Run the following command to initialize apictl with the keystore used to encrypt secrets. It prompts you to enter the following values:

Key Store location Path to the keystore used by the target runtime to decrypt secrets
Key Store password The password of the keystore
Key alias The alias of the key used to encrypt the secrets
Key password The password of the key used to encrypt the secrets

  • Command

    apictl secret init

    Example

    apictl secret init
Enter Key Store location: <APIM-HOME>/repository/resources/security/wso2carbon.jks
Enter Key Store password:
Enter Key alias: wso2carbon
Enter Key password:

  • Response

    Key Store initialization completed.

Create encrypted secrets with asymmetric encryption

Run the following command to encrypt secrets with the initialized keystore:

  • Command

    apictl secret create

    Info

    Flags:

    • Optional :
      --cipher or -c : Encryption algorithm. Use RSA/ECB/OAEPWithSHA1AndMGF1Padding or RSA/ECB/PKCS1Padding for asymmetric encryption
      --output or -o : Get the output in yaml (k8) or properties (file) format. By default the output is printed to the console
      --from-file or -f : Path to the properties file which contains secrets to be encrypted

    • Encrypt a secret and get output on console

      Example

      apictl secret create
Enter plain alias for secret: db_password
Enter plain text secret:
Repeat plain text secret:

    • Response

      db_password : <encrypted-secret>

    • Encrypt secrets defined in a properties file

      Example

      apictl secret create -f ./keys/secrets.properties

    • Encrypt secrets defined in a properties file and get a .yaml file

      Example

      apictl secret create -o k8 -f ./keys/secrets.properties