Encrypting Text in a Configuration File

This section details how to encrypt passwords, access keys or other sensitive information in a configuration file managed through Crafter Studio.

The encryption algorithm used is PBE (Password Based Encryption) with AES, in which a password and a salt are specified to generate the key used on encryption/decryption.

Crafter Studio uses a default key and salt for the encryption tool. To set the key and salt to desired values, in your Authoring installation directory, open /bin/crafter-setenv.sh and modify the following values

bin/crafter-setenv.sh
# -------------------- Encryption variables --------------------
export CRAFTER_ENCRYPTION_KEY=${CRAFTER_ENCRYPTION_KEY:="default_encrytption_key"}
export CRAFTER_ENCRYPTION_SALT=${CRAFTER_ENCRYPTION_SALT:="default_encrytption_salt"}

The encrypted properties work in the following site configuration files:

  • Engine Site Configuration (/config/engine/site-config.xml)

  • Studio AWS Profiles (/config/studio/aws/aws.xml)

  • Studio Box Profiles (/config/studio/box/box.xml)

  • Studio WebDAV Profiles (/config/studio/webdav/webdav.xml)

How to Encrypt Text in Configuration File

To encrypt passwords, access keys or other sensitive information in a configuration file managed through Crafter Studio:

  • Open the configuration file that has the text/information that you would like to encrypt

  • Find the entry you would like to encrypt and add the attribute encrypted=""

  • Click on the Encrypt Marked button to encrypt text

  • Your sensitive text should now be encrypted and displayed with the attribute encrypted="true" and you may now save your file

Example

Let’s take a look at an example of encrypting the accessKey and securityKey for the AWS Profiles configuration.

  • Open the AWS Profiles configuration file by clicking on siteConfig -> Configuration, then select AWS Profiles from the dropdown box

  • We will add an AWS S3 profile. Notice that the accessKey and secureKey is in the clear.

    {REPOSITORY_ROOT}/sites/SITENAME/config/studio/aws/aws.xml
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
    <?xml version="1.0" encoding="UTF-8"?>
<aws>
  <s3>
  <!--

  AWS S3 Profile

  Additional properties:

  <bucketName/>
  <pathStyleAccess/>

  bucketName: name of the bucket where files will be uploaded
  pathStyleAccess: indicates if path style access should be used for all requests (defaults to false)

  -->
    <profile>
      <id>s3-default</id>
        <credentials>
        <accessKey>AKIAIOSFODNN7EXAMPLE</accessKey>
        <secretKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</secretKey>
      </credentials>
      <region>us-west-1</region>
      <bucketName>sample-input-bucket</bucketName>
      <pathStyleAccess>true</pathStyleAccess>
    </profile>
  </s3>
</aws>

  • We will now mark items to be encrypted by adding the attribute encrypted="". For our example, we will mark accessKey and secretKey for encryption.

    {REPOSITORY_ROOT}/sites/SITENAME/config/studio/aws/aws.xml
    <accessKey encrypted="">AKIAIOSFODNN7EXAMPLE</accessKey>
<secretKey encrypted="">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</secretKey>

    Add "encrypted=""" attribute to "accessKey" and "secureKey"

  • Click on the Encrypt Marked button to encrypt the marked items, the attribute for the marked items will change to encrypted="true":

    {REPOSITORY_ROOT}/sites/SITENAME/config/studio/aws/aws.xml
    <accessKey encrypted="true">${enc:OrV8g2KT7nb/oFnq4akNKWAfywS7vGwn1t+Gz/xOitx5BwCzJUvgoQeNRCbUw/uQ}</accessKey>
<secretKey encrypted="true">${enc:CKZgTvxVyxUyJ0H2DncLWF9N3x2o+dl5s/iEWYyj0blbNFxyqzGNU6TZy8B96FK55s2SOnSlvyvbfgblZqebYg==}</secretKey>

    "accessKey" and "secureKey" now encrypted

  • The accessKey and secureKey is now encrypted and will be decrypted by Crafter Studio as needed