Hi, I am trying to create a Chef server by copying all files from an existing Chef server. When I had copied everything and ran a recipe, it failed with an error because the data bag is encrypted.
So, I downloaded the keytab from an encrypted data bag on the old Chef server:
knife vault download keys sri_keytab sri.keytab
Now I want to upload the data bag to my new Chef server. I heard it's only possible when we decrypt the data bag using vault and the downloaded keytab, and then upload it as an encrypted one.
But I don't know how.
So could anyone help me please?
You can do the following:
Decrypt the data bag from the old server.
Create a JSON file with the decrypted data.
Create a vault from the new JSON file on the new server.
You can use chef-vault as a reference.
So currently I have images stored in GCP storage.
When I fetch an image, I receive a File object with several parameters, one of them being mediaLink, with a format like https://storage.googleapis.com/download/storage/{path}%{image_name}?generation={value}&alt=media
The problem is that this URL is only accessible with permission. I want to be able to save the image as a JPEG so I can later send it to the user via email.
Is there any way this can be achieved?
Thank you in advance.
To grant access to an object on Cloud Storage for a user without changing the bucket to public or requiring user authentication, you may use Signed URLs. With a Signed URL you will be able to share a temporary link to get or upload a file.
More info here.
I'm looking to get at an Azure function app's list of operational endpoints for each function, in particular the secret code that needs to be passed in to invoke the function.
I've tried lots of current answers on SO, but all only seem to work with Function Apps which use Files as the secret storage type.
We have a requirement to use Blob storage, which is also the default in V2 function apps.
What I'm really after is the code piece that comes after the function name when it's retrieved from the Azure portal; I can manufacture all the other pieces before that myself.
For example https://mytestfunapp-onazure-apidev03.azurewebsites.net/api/AcceptQuote?code=XYZABCYkVeEj8zkabgSUTRsCm7za4jj2OLIQWnbvFRZ6ZIiiB3RNFg==
I can see where the secrets are stored in Azure Blob Storage as we need to configure that anyway when we create all the resources in our scripts.
What I'm really looking for is how to decrypt the secret stored in the file. I don't care what programming language or script the solution may be written in; I'll work with it, or convert it to another language that we can use.
Here's a snippet of what the stored secret looks like in Blob storage; it's just a JSON file.
I'm wondering if anyone out there has some experience with this issue and may be able to help me out.
For now it's not supported to get the true key value programmatically. You could just view your key or create a new key in the portal. You can find the description here: Obtaining keys.
If your function is a WebHook, when using a key other than the default you must also specify the clientId as a query param (the client ID is the name of your new key):
https://<yourapp>.azurewebsites.net/api/<funcname>?clientid=<your key name>
For more information refer to this wiki doc: WebHooks.
We want to migrate HSM keys from Thales payShield 9000 to Azure Key Vault. We would like to know if this migration is supported and, if so, what the migration approach is and which use cases exist where customers have already migrated to Azure. We have gone through the article https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/key-vault/key-vault-hsm-protected-keys.md; it talks about the Thales nShield family, but we are using https://www.thalesesecurity.com/products/payment-hsms/payshield-9000
Thanks in advance.
Excellent question, as Dan suggests you should contact Microsoft for clarification, but unfortunately I don't think it's possible.
Recapping, as I'm sure you are aware, the purpose of HSMs is so that the keys are not exportable.
Microsoft (and I assume Thales) supports key backup: https://learn.microsoft.com/en-us/rest/api/keyvault/backupkey but it can only be restored to the same geographical area.
In the article you supplied it mentions "Key Exchange Key" in each geographical area, which I assume will mean that Microsoft will be using a different key to that of another install of an HSM.
Having said this I'm not a general HSM expert, these are just links I have come across over time using KeyVault.
Please do contact Microsoft, as I would be interested to know if this is possible; please post an answer once you have heard back, or a Microsoft employee can perhaps answer directly.
On the Thales literature it states:
"With nShield BYOK for Microsoft Azure, your on-premises
nShield HSM generates, stores, wraps, and exports keys to the
Microsoft Azure Key Vault on your behalf"
http://go.thalesesecurity.com/rs/480-LWA-970/images/Thales-e-Security-Microsoft-Azure-UK-sb.pdf
Interestingly it says generates / stores, which suggests a pre-created key could be migrated. However, on the contrary, I'm guessing the export must happen using the "Key Exchange Key" and be stored on-prem and exported for Azure at the same time, not on-prem first, in the BYOK process.
This blog post has keyvault team's contact details if it helps: https://blog.romyn.ca/key-management-in-azure/
The migration of important keys that are encrypted under the current LMK on your Thales payShield on premises is a very straightforward process:
1. Use the console command GC to generate a new ZMK as a clear-format component. This is done by using key type 000, which is the ZMK key type, and by choosing the clear-format component option with the letter 'x' in the GC command steps.
2. Repeat the GC command above 3 times to generate 3 different plaintext-format components of the new ZMK.
3. Now, on your payShield 9000 HSM, use the console command FK, which means Form Key from components; the result is the new ZMK encrypted under the old LMK.
4. Use the command KE, which means export key, to export the important data encryption keys (DEKs), such as a ZPK for example, from encryption under the old LMK to encryption under the new ZMK. Note: in the KE command here use key type 001, which is the ZPK key type.
5. Now you need to manually distribute the same new ZMK to the other party that you are going to migrate to.
6. You can do this manual distribution of such an important key (the new ZMK) by sending the 3 different plaintext-format components, which you generated earlier in step 2, to three different security officers at your corporation; for security reasons, no one may hold all 3 components together.
7. On the other entity that you want to migrate your keys to, which is the Microsoft Azure Key Vault cloud service, Azure offers to secure your keys in a hardware HSM environment of the nShield type, which is a general-purpose HSM and is not specific to payment transactions like the Thales payShield HSM.
8. Refer to the Microsoft Azure Key Vault documents to learn how to form the new ZMK from the 3 different plaintext-format components that you generated before, and refer to the nShield manuals as well to check the command which is responsible for importing keys.
9. Now your important keys, such as the ZPK which was exported under the new ZMK, are imported under the same ZMK and finally stored encrypted under the new LMK of your nShield-provided cloud service.
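As an added illustration (not part of the answer above, and not payShield or nShield code), the following Go program models the component ceremony the steps describe: combining clear components by XOR as FK does, adjusting DES key parity, computing a key check value (KCV) so both parties can confirm they formed the same ZMK without ever sending it, and wrapping a ZPK under the ZMK with 3DES in ECB mode, the X9.17-style export that KE performs. The component and ZPK values are constructed sample data and the function names are this example's own; real payShield exports additionally carry LMK variants and key-scheme tags, which this model omits.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// combineComponents XORs equal-length hex components into one key, as the FK
// (Form Key) command does; any subset short of the full set reveals nothing.
func combineComponents(components ...string) ([]byte, error) {
	var key []byte
	for i, c := range components {
		b, err := hex.DecodeString(c)
		if err != nil {
			return nil, fmt.Errorf("component %d: %w", i+1, err)
		}
		if key == nil {
			key = make([]byte, len(b))
		} else if len(b) != len(key) {
			return nil, fmt.Errorf("component %d has %d bytes, want %d", i+1, len(b), len(key))
		}
		for j := range b {
			key[j] ^= b[j]
		}
	}
	return key, nil
}

// oddParity fixes the least-significant bit of every byte to odd parity, the DES key convention.
func oddParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = b ^ byte(1-bits.OnesCount8(b)%2) // flip the LSB when the 1-count is even
	}
	return out
}

// tdesCipher expands a single- (8), double- (16) or triple-length (24 byte) key to K1|K2|K3.
func tdesCipher(key []byte) (cipher.Block, error) {
	if len(key) != 8 && len(key) != 16 && len(key) != 24 {
		return nil, fmt.Errorf("unsupported key length %d", len(key))
	}
	k := append([]byte{}, key...)
	for len(k) < 24 { // K1|K1|K1 for single-length, K1|K2|K1 for double-length keys
		k = append(k, key[:8]...)
	}
	return des.NewTripleDESCipher(k)
}

// kcv is the key check value: the first three bytes of the 3DES encryption of an
// all-zero block. Both parties compare KCVs to confirm they formed the same ZMK.
func kcv(key []byte) (string, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return "", err
	}
	var out [8]byte
	c.Encrypt(out[:], make([]byte, 8))
	return fmt.Sprintf("%X", out[:3]), nil
}

// transform runs 3DES under the ZMK over each 8-byte block of a key (ECB, the
// X9.17-style export that KE performs); decrypt selects the importing direction.
func transform(zmk, data []byte, decrypt bool) ([]byte, error) {
	c, err := tdesCipher(zmk)
	if err != nil {
		return nil, err
	}
	if len(data) == 0 || len(data)%8 != 0 {
		return nil, fmt.Errorf("key length %d is not a multiple of 8", len(data))
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += 8 {
		if decrypt {
			c.Decrypt(out[i:i+8], data[i:i+8])
		} else {
			c.Encrypt(out[i:i+8], data[i:i+8])
		}
	}
	return out, nil
}

func wrapKey(zmk, key []byte) ([]byte, error)       { return transform(zmk, key, false) }
func unwrapKey(zmk, wrapped []byte) ([]byte, error) { return transform(zmk, wrapped, true) }

func main() {
	// Constructed sample components; real ones come from GC and are never printed.
	zmk, err := combineComponents("0123456789ABCDEFFEDCBA9876543210",
		"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "00000000000000000000000000000000")
	if err != nil {
		panic(err)
	}
	zmk = oddParity(zmk)
	check, _ := kcv(zmk)
	zpk, _ := hex.DecodeString("1234567890ABCDEF0011223344556677") // constructed ZPK
	wrapped, _ := wrapKey(zmk, zpk)
	fmt.Printf("ZMK KCV %s, ZPK exported under ZMK %X\n", check, wrapped)
}
```

The KCV is the only value that travels between the two organisations alongside the split components: each side forms the ZMK from its three components, computes the KCV, and compares it before trusting the exported ZPK; a mismatch means a component was mistyped or corrupted, and nothing about the key itself has been disclosed.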
I need to encrypt some of the Sections/Parameter values in the settings.xml file in my service fabric application. We currently have a build process set up in TFS to kick off the build and want to incorporate the encryption of values in this process when we roll this out to production. I have read "Managing secrets in Service Fabric Applications" and it goes over the steps to encrypt:
Obtain a data encipherment certificate
Install the cert in your cluster
Encrypt the secret values when deploying the application with the cert and inject them into a service's settings.xml configuration file
Read the encrypted values out of the Settings.xml by decrypting them with the same encipherment certificate.
I can see that we can override the parameters in the XML file using the MustOverride attribute and providing the name and value for the parameter in the ApplicationManifest.xml file.
Does anyone know how, or can link me to an article that shows how, to do this process in the TFS build? I am looking for a one-click type of deployment that our deployment team (none of them programmers) can use to move this out to production. I understand what must be done; I just don't see the steps needed to modify our Service Fabric programs and build to utilize this process.
Here is how I was able to do the encryption and decryption in Service Fabric without the Azure Key Vault. Since the data we were encrypting was not changing the decision was to encrypt the values with the certificate and place the values into the correct xml files.
Generate or obtain an X509 certificate. Make sure that the KeyUsage has "DataEncipherment" indicated; this is critical to encryption of data.
Get the thumbprint for the certificate. You can get this in your MMC certificates plugin.
Using PowerShell, encrypt the text with the Invoke-ServiceFabricEncryptedText function. Use the thumbprint from the cert to encrypt the text. This will create an encryption of the text as a base64 string that contains the secret ciphertext as well as the information about the certificate used to encrypt it. This is critical! Also, it is a good idea to run the Invoke-ServiceFabricDecryptText method on the encrypted string using the certificate to ensure it decrypts fine.
Now comes the fun part, putting this into all the XML files in the correct way to get this to work. (This is where it gets messy).
First you need to modify the settings.xml file. The parameter that you want to be encrypted needs to be set to IsEncrypted="true" Value="" and MustOverride="true".
Next you need to declare the override parameter in the ApplicationManifest.xml file. Make sure the parameter name in the application manifest is the same as in the settings. Set the Name of the parameter in the Parameters section in the ApplicationManifest.xml file and set the value = "".
In the ConfigurationOverride section where you have the Parameter name referenced, set the value to the Parameter in the Parameters section. Currently this will be blank; also set IsEncrypted="true".
This is where I got stuck. All this other information was readily available; this next section wasn't. Next, in the ApplicationParameters folder under your project, select the XML file used when you publish to your Service Fabric. This is where you will place the encrypted value. Create a Parameter in this section, set the name to the name you gave in your ApplicationManifest and set the value to the encrypted value generated from the certificate.
When you deploy, this parameter will be passed in as an encrypted value. To use it in code you need to make sure you reference the DecryptValue. For example:
var decryptedPassword = configurationPackage.Settings.Sections["sectionname"].Parameters["ConnectionString"].DecryptValue();
This will generate a SecureString that you can use throughout your code. I converted the value to a string using one of the many references on how to convert a SecureString to a string available online.
That's it. I hope this helps someone else that is not using the Azure Key Vault to secure secrets.
I need to use a digital signature in an application running on WebSphere Portal 6.1. Is there any API for retrieving a java.security.PrivateKey from the server key storage?
I want to avoid explicit path to key storage and storage password in my application source code.
Check out the IBM KeySetHelper API.
First, define a KeyStore in WAS admin. This is what will reference the key database (JKS, PKCS12, etc) on the filesystem via path. Then define a named KeySet and reference the KeyStore. Create an alias in the key set that matches a label in the KeyStore. This limits access to specific keys if you have several in the store.
You can then "lookup" the named keystore via KeySetHelper by name. Note: you'll need to know what type of key is in the store. You won't need to know labels within the key database (or even passwords) in your code. However, you'll need to know whether or not the key is a shared secret (in which case you'll receive a java.security.SecretKey implementation). Since you want a java.security.PrivateKey, make sure you load a personal certificate into the key database that is represented in WAS as your keystore.
If you manually load a certificate into your keydatabase backing your keystore, you can leave off the key generator class name parameter of the keyset. That's used if you want to have WAS generate keys. If you also need a java.security.PublicKey, be sure to check the "generates key pair" option. In that case, you are returned from your KeySetHelper::getLatestKeysForKeySet call a com.ibm.websphere.crypto.KeyPair which contains both a java.security.PrivateKey and a java.security.PublicKey (plus access to a java.security.Certificate).
See also:
Creating a KeyStore
Creating a KeySet