Runbook Automation Config Property Encryption
Runbook Automation Config Property Encryption
Available in PagerDuty Runbook Automation Commercial products.
All Runbook Automation bundles come with a feature that allows you to encrypt the values in the rundeck-config.properties file.
Approach
To use encrypted properties in Runbook Automation you will have a master password that will be used to encrypt and decrypt the other passwords you wish to use in the rundeck-config.properties file.
For instance you might want to encrypt the bind password to your LDAP server. Let's say your LDAP bind password is binder123
. You will need a master password to encrypt this value. We will use 1PwdToBindThem$
for the master password.
Encrypting Property values
Runbook Automation has a feature to allow you to generate encrypted passwords using the Jasypt encryption library. The following instructions show how to encrypt a password with this utility from the command line.
cd into the directory where your rundeck.war is located run:
java -jar rundeck.war --encryptpwd Jasypt
You will receive prompts for information that look like the following:
Required values are marked with: *
Encrypter Config (The base property name used in RD_ENCRYPTION_ or rd.encryption. ('default' is the default value)):
*Master Password (Master password used to encrypt the value):
1PwdToBindThem$ (this won't be displayed)
*Verify Master Password (Verify master password):
*Value To Encrypt (The text you want to encrypt):
binder123 (this won't be displayed)
*Verify Value To Encrypt (Verify the text you want to encrypt):
==ENCRYPTED OUTPUT==
encrypted: bbnJmDtx82/NOeUc9ahULGVAH+RdSLG5
You will take the encrypted:
value from the ENCRYPTED OUTPUT section which will have a value that looks like: bbnJmDtx82/NOeUc9ahULGVAH+RdSLG5
(note that it will not be this value) and use it in your rundeck-config.properties file like this: rundeck.security.ldap.bindPassword=ENC(bbnJmDtx82/NOeUc9ahULGVAH+RdSLG5)
Decrypting rundeck-config.properties
To decrypt the encrypted properties in your rundeck-config.properties file you will need to set the java attribute -Drd.encryption.default.password
with the value of your master password before starting Rundeck.
In our example we would add it to the java variable in /etc/sysconfig/rundeckd
for RPM install or in /etc/default/rundeckd
for DEB install :
RDECK_JVM_SETTINGS=-Drd.encryption.default.password=1PwdToBindThem$
Then we would start our Runbook Automation installation. After the application has completed the bootstrap process and is responding to requests, the environment variable can be unset for security purposes.
Advanced Usage
If you wish to customize the algorithm, provider, or keyObtentions the Jasypt encryptor will use to encrypt the password, you can do this by passing those values as system properties when you launch the encryption utility.
For example, if you wish to use the PBEWITHSHA256AND256BITAES-CBC-BC
algorithm to encrypt your password, you could do it like this:
> java -jar -Drd.encryption.STRONG.algorithm=PBEWITHSHA256AND256BITAES-CBC-BC rundeckpro-cluster-3.0.0-SNAPSHOT.war --encryptpwd Jasypt
Required values are marked with: *
Encrypter Config (The base property name used in RD_ENCRYPTION_ or rd.encryption. ('default' is the default value)):
STRONG
*Master Password (Master password used to encrypt the value):
1PwdToBindThem$ (this won't be displayed)
*Verify Master Password (Verify master password):
*Value To Encrypt (The text you want to encrypt):
binder123 (this won't be displayed)
*Verify Value To Encrypt (Verify the text you want to encrypt):
==ENCRYPTED OUTPUT==
encrypted: i67e4g3jAUML0KCh+KwmnqX9lCflThMuu6CXm++VSqU=
Notice we are setting an rd.encryption config with the name STRONG. Then when prompted for the Encrypter Config
by the tool we type in the value STRONG
. This sets the encryptor to use the algorithm passed by rd.encryption.STRONG.algorithm
instead of the default configuration which uses a different algorithm.
To use your custom encrypted password when you start Rundeck, it is very important to ensure that the same system properties you used at encrypt time are set at launch time. Otherwise Rundeck will use the default decryptor settings which will not match your customized settings, and startup will fail.
To start Rundeck with the settings in our example, the startup string would be something like:
java -jar -Drd.encryption.STRONG.algorithm=PBEWITHSHA256AND256BITAES-CBC-BC -Drundeck.encrypter.config.name=STRONG rundeckpro-cluster-3.0.0-SNAPSHOT.war
If you would rather use environment variables to set the encryption settings you can use: RUNDECK_PROP_DECRYPTER_CONFIG
to set the config to use and config settings can be supplied like: RD_ENCRYPTION_{your config name}_ALGORITHM
For the example above, these would be: export RUNDECK_PROP_DECRYPTER_CONFIG=STRONG
export RD_ENCRYPTION_STRONG_ALGORITHM=PBEWITHSHA256AND256BITAES-CBC-BC