Where is the secure variables stored in the server?

[Ren Roz]

Hello There,

Happen to stumble upon a question recently about where is the secure variables stored on the Go-server and how is it encrypted?

Can someone help me understand the below questions please

1) What algorithm or hashing is applied to secure variables?

2) Which location is the secure variables stored?

3) If at all I have to decrypt it? Is it possible?

Much appreciate your views on this.

[Aravind SV]

Hello Ren,

The easiest way would probably be to get the encrypted value from the config XML or the pipeline config API and use the cipher.aes file (usually in /etc/go) and run a test such as this:
https://github.com/gocd/gocd/blob/bc5413918eb9c792352710a4b6b79c64cea4f439/config/config-api/src/test/java/com/thoughtworks/go/security/AESEncrypterTest.java#L51

The code which does the decryption is here:
https://github.com/gocd/gocd/blob/bc5413918eb9c792352710a4b6b79c64cea4f439/config/config-api/src/main/java/com/thoughtworks/go/security/AESEncrypter.java#L81

It's standard AES which should be reproducible.

The variables were also (at least temporarily) stored in the DB, for re-running pipelines, but that might not be true any more.

Cheers,
Aravind

PS: You could also run a pipeline, write the value out to a file and read the file, I guess. :) At the end of the day, GoCD will need to decrypt that variable and make it available to the running job. So, whatever GoCD or any system does, in this kind of a use case, it'll need to be available somewhere.