@pedro-hos
Created June 14, 2022 17:44

This project is meant to be an extra layer on top of "quarkus-file-vault": it encrypts the keystore secret and masks it. Its output lists all the parameters that "quarkus-file-vault" needs.

Build the Quarkus File Vault

  1. Fork and clone https://github.com/pedro-hos/quarkus-file-vault/tree/encrypt-secret, which contains the changes. The changes are on the encrypt-secret branch.

1.1 Clone the project from my git profile:

git clone https://github.com/pedro-hos/quarkus-file-vault.git

1.2 Switch to the encrypt-secret branch:

git fetch origin
git checkout -b encrypt-secret origin/encrypt-secret

Make sure the changes are there: check that the class EncryptionUtil.java is present in your local checkout.

  2. If the changes are present locally, build the code:
mvn clean install -Dinsecure.repositories=WARN -DskipTests

You should see the success message:

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Quarkus - File Vault - Parent 999-SNAPSHOT:
[INFO] 
[INFO] Quarkus - File Vault - Parent ...................... SUCCESS [  0.922 s]
[INFO] Quarkus - File Vault - Runtime ..................... SUCCESS [  3.304 s]
[INFO] Quarkus - File Vault - Deployment .................. SUCCESS [  0.519 s]
[INFO] Quarkus - File Vault - Integration Tests ........... SUCCESS [  3.404 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  8.291 s
[INFO] Finished at: 2022-06-14T14:22:42-03:00
[INFO] ------------------------------------------------------------------------

Using the Vault Utils

  1. Fork and clone the Vault Utils project at https://github.com/pedro-hos/vault-utils:
git clone https://github.com/pedro-hos/vault-utils
  2. Package the project:
mvn clean install
  3. Encrypt the secret. You can run with the --help parameter to see the options:
$ java -jar target/quarkus-app/quarkus-run.jar --help
Usage: Encrypt Secret Util [-hV] -e=<encryptionKey> [-i=<iterationCount>]
                           -p=<keystorePassword> [-s=<salt>]
  -e, --encryption-key=<encryptionKey>
                      (mandatory) Encryption Key
  -h, --help          Show this help message and exit.
  -i, --iteration=<iterationCount>
                      (optional) Iteration count
  -p, --keystore-password=<keystorePassword>
                      (mandatory) Keystore password
  -s, --salt=<salt>   (optional) 8 character salt
  -V, --version       Print version information and exit.

The only mandatory parameters are -p, --keystore-password and -e, --encryption-key; the others are optional.

-p, --keystore-password is the keytool secret value; -e, --encryption-key=<encryptionKey> is a random string used to encrypt and decrypt.

For example, you can create the mask with:

$ java -jar target/quarkus-app/quarkus-run.jar -e somearbitrarycrazystringthatdoesnotmatter -p storedpass

You should see something like this in the output:

######################################################################################################
Please add the following paramenters on your application.properties file, and replace the <name> value!
The <name> will be used in the consumer to refer to this provider.

quarkus.file.vault.provider.<name>.encryption-key=somearbitrarycrazystringthatdoesnotmatter
quarkus.file.vault.provider.<name>.secret=RM6AXLntKXlsmZQfkvu6ag==
######################################################################################################

Save this for the next step.

Using the Quarkus File Vault on PIM

You need a checkout of https://github.com/kiegroup/process-migration-service, and you need to build that project.

  1. Comment out the dependency at https://github.com/kiegroup/process-migration-service/blob/7c4d11671dcada707a69d3b2072cec539386b70a/pom.xml#L134
  2. Replace the dependency at https://github.com/kiegroup/process-migration-service/blob/7c4d11671dcada707a69d3b2072cec539386b70a/pom.xml#L225 with the following:
<dependency>
    <groupId>io.quarkiverse.file-vault</groupId>
    <artifactId>quarkus-file-vault</artifactId>
    <version>0.4.0</version>
    <scope>system</scope>
    <systemPath>/runtime/target/quarkus-file-vault-999-SNAPSHOT.jar</systemPath>
</dependency>

Replace the value of <systemPath>/runtime/target/quarkus-file-vault-999-SNAPSHOT.jar</systemPath> with the full path to the quarkus-file-vault runtime jar built in the "Build the Quarkus File Vault" step.

  3. Edit application.yaml to add the masked secret and the encryption-key. The values are the same as the output from the "Using the Vault Utils" step:
quarkus:
  file:
    vault:
      provider:
        pim:
          path: pimvault.p12
          secret: RM6AXLntKXlsmZQfkvu6ag==
          encryption-key: somearbitrarycrazystringthatdoesnotmatter

Notes:

You can also change the salt and iteration count values; the defaults are salt=1234abcd and iteration count=65536. Just run the vault-utils project with:

$ java -jar target/quarkus-app/quarkus-run.jar -e somearbitrarycrazystringthatdoesnotmatter -p storedpass -s q1w2e3r4 -i 76647

######################################################################################################
Please add the following paramenters on your application.properties file, and replace the <name> value!
The <name> will be used in the consumer to refer to this provider.

quarkus.file.vault.provider.<name>.salt=q1w2e3r4
quarkus.file.vault.provider.<name>.encryption-key=somearbitrarycrazystringthatdoesnotmatter
quarkus.file.vault.provider.<name>.iteration-count=76647
quarkus.file.vault.provider.<name>.secret=RUDJ9DviTm+w6tV0vN51CQ==
######################################################################################################

and add the following to the application.yaml file:

quarkus:
  file:
    vault:
      provider:
        pim:
          path: pimvault.p12
          secret: RUDJ9DviTm+w6tV0vN51CQ==
          encryption-key: somearbitrarycrazystringthatdoesnotmatter
          iteration-count: 76647
          salt: q1w2e3r4
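
A check for the resulting configuration, as an added example that is not part of the original gist or of the quarkus-file-vault project: because the encryption-key is what decrypts the masked secret, it flags a file that holds both, along with use of the default salt stated above. The flatten and audit helpers and the finding names are assumptions made for this example.

```python
PREFIX = "quarkus.file.vault.provider."
DEFAULT_SALT = "1234abcd"  # default salt stated on this page

def flatten(text):
    """Flatten key=value properties, or a mappings-only YAML subset, to dotted keys."""
    flat, stack = {}, []  # stack holds (indent, key) for each open YAML mapping
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        head, eq, tail = line.partition("=")
        if eq and ":" not in head:  # properties syntax: key=value
            flat[head.strip()] = tail.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that are not parents of this line
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return flat

def audit(text):
    """Return sorted (provider, finding) pairs for the file-vault settings in one file."""
    providers = {}
    for key, value in flatten(text).items():
        if key.startswith(PREFIX):
            name, _, prop = key[len(PREFIX):].partition(".")
            providers.setdefault(name, {})[prop] = value
    findings = []
    for name, p in providers.items():
        masked = "encryption-key" in p
        if "secret" in p:  # with the key in the same file, any reader can unmask
            findings.append((name, "key-beside-secret" if masked else "plaintext-secret"))
        if masked and p.get("salt", DEFAULT_SALT) == DEFAULT_SALT:
            findings.append((name, "default-salt"))
        if "salt" in p and len(p["salt"]) != 8:  # the tool asks for 8 characters
            findings.append((name, "salt-not-8-chars"))
    return sorted(findings)

# Constructed sample: the tool output from this page with <name> set to pim.
SAMPLE = (
    "quarkus.file.vault.provider.pim.encryption-key=somearbitrarycrazystringthatdoesnotmatter\n"
    "quarkus.file.vault.provider.pim.secret=RM6AXLntKXlsmZQfkvu6ag==\n"
)
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Supplying encryption-key from a config source other than the file that holds secret clears the key-beside-secret finding.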