Set up an encryption certificate and encrypt secrets on Linux clusters
This article shows how to set up an encryption certificate and use it to encrypt secrets on Linux clusters. For Windows clusters, see Set up an encryption certificate and encrypt secrets on Windows clusters.
Obtain a data encipherment certificate
A data encipherment certificate is used strictly for encryption and decryption of parameters in a service's Settings.xml and environment variables in a service's ServiceManifest.xml. It is not used for authentication or signing of cipher text. The certificate must meet the following requirements:
The certificate must contain a private key.
The certificate key usage must include Data Encipherment (10), and should not include Server Authentication or Client Authentication.
For example, the following commands can be used to generate the required certificate using OpenSSL:
user@linux:~$ openssl req -newkey rsa:2048 -nodes -keyout TestCert.prv -x509 -days 365 -out TestCert.pem user@linux:~$ cat TestCert.prv >> TestCert.pem
Install the certificate in your cluster
The certificate must be installed on each node in the cluster under /var/lib/sfcerts. The user account under which the service is running (sfuser by default) should have read access to the installed certificate (that is, /var/lib/sfcerts/TestCert.pem for the current example).
Encrypt secrets
The following snippet can be used to encrypt a secret. This snippet only encrypts the value; it does not sign the cipher text. You must use the same encipherment certificate that is installed in your cluster to produce ciphertext for secret values.
user@linux:$ echo "Hello World!" > plaintext.txt
user@linux:$ iconv -f ASCII -t UTF-16LE plaintext.txt | tr -d '\n' > plaintext_UTF-16.txt
user@linux:$ openssl smime -encrypt -in plaintext_UTF-16.txt -binary -outform der TestCert.pem | base64 > encrypted.txt
The resulting base-64 encoded string output to encrypted.txt contains both the secret ciphertext as well as information about the certificate that was used to encrypt it. You can verify its validity by decrypting it with OpenSSL.
user@linux:$ cat encrypted.txt | base64 -d | openssl smime -decrypt -inform der -inkey TestCert.prv
Next steps
Learn how to Specify encrypted secrets in an application.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for