Decrypting elytron encrypted expression from JBoss CLI

Iason Filippou

Nov 10, 2023, 7:11:23 AM
to WildFly
We use Elytron in WildFly 26-1-2.Final to encrypt several secrets in our XML configuration. We now have several encrypted properties in our .xml files, for example:

<property name="someProperty" value="${ENC::main-resolver:RUxZ....}"/>

(We use a resolver called main-resolver, connected to a "main" keystore for encrypting credentials, hence the "main-resolver" infix).

We have verified that the decryption happens successfully in our Java app, but we were wondering how we can use the JBoss CLI to decrypt an encrypted expression. Please note that we unfortunately cannot use elytron-tool.sh for our purposes, because of a known issue that has been solved in WildFly 27, which we cannot currently use.

Best,

Jason

Prarthona Paul

Nov 13, 2023, 11:39:10 AM
to WildFly
Hello, 
Thank you for your question. 
In order to keep the encrypted expression hidden, we are not able to decrypt the encrypted expression and view it in plaintext using the JBoss CLI or the elytron-tool.sh. 

However, you can use system-property to use the decrypted value for your Java application. Please refer to this example: https://github.com/wildfly-security-incubator/elytron-examples/tree/main/system-properties
In this example, as mentioned in the README, System.getProperty("secret.password") returns the encrypted expression without decrypting it, while System.getProperty("myproperty") returns the decrypted value. 
I hope this helps! 
Please feel free to follow up if you have any additional questions! 
-- Prarthona

Iason Filippou

Nov 14, 2023, 8:34:02 AM
to wil...@googlegroups.com
Forwarding the response from Prarthona since I accidentally replied exclusively to her. It seems that out of an abundance of caution, the only way to find the decrypted expressions is through application memory (e.g., Java System properties).

---------- Forwarded message ---------
From: Iason Filippou <ifil...@xm.com>
Date: Tue, Nov 14, 2023 at 3:28 PM
Subject: Re: Decrypting elytron encrypted expression from JBoss CLI
To: Prarthona Paul <prp...@redhat.com>


Thank you very much; this is actually exactly what I was thinking as well and just wanted to confirm.
