Saving private key password within the system
I have created a private_key password (which will in turn be used to decrypt the cipher text used).
I am using:
*** Settings ***
Library    SeleniumLibrary
Library    CryptoLibrary    ${decryption_password}    variable_decryption=True
*** Variables ***
${decryption_password}    secretpass
In the steps explained, I see it's mentioned:
Library    CryptoLibrary    %{private_key_password}    variable_decryption=False
# private key which should be secret, should also be protected by a password
The private_key.json is needed to decrypt the values on your test server and has to be copied manually or added through the CLI interface. See Set key pair from... above.
Question:
- When I set up the key pair using the "Set key pair from String" option, it is successful, but when I try to retrieve it in the robot script I am not getting it. Decryption is not happening unless I mention the actual (unencrypted) value for "${decryption_password}", just like variables.
- Basically, I do not want to give the actual secret key password "secretpass", but just give the cipher text, or not give it at all, and the process should read it on the fly from the library. Can you please explain how to do it?
I think there is a misunderstanding here about which password is used for what.
The ${decryption_password}, or as I wrote in the docs the %{private_key_password}, is not the password/secret text you want to work with or hide from the logs and your code! It is the password that secures the private key.
The "Cipher Text" is the encrypted text of your confidential information. This can be decrypted to plain text. I would assume you used the same "string" for the private_key_password and as confidential data.
Maybe in other words:
You have the "public key", which is used to encrypt cipher (secret) texts. And you have the "private key", which is used to decrypt cipher texts to plain texts.
This private key is secured by a password. This private_key_password has to be set when you create a private key (key pair). You are asked if you want to save this password on the machine. If you do this, you do not need to set this private_key_password when you import the CryptoLibrary into your robot files. But saving this password means that if someone gets access to your machine, the private key can be extracted/stolen and your security chain is broken. Due to this attack vector, it is recommended to handle the private_key_password in an alternative way. For example, Jenkins can store secrets like this password and set it as an environment variable, or you can pull it from somewhere else. If you say that your machine is safe enough, just "save" the password when creating the key pair.
But again: the private_key_password is protecting your private decryption key and is not the cipher text or password you want to decrypt or encrypt.
I see that there is a lag in documentation about this password. When I have time I will try to fix the documentation.
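The separation described in the answer above, as an added example that is not part of the original thread or the project's documentation: the key password comes from an environment variable set by the CI job, while the confidential value sits in the suite only as cipher text. The variable names, URL and locators are hypothetical, and the `crypt:` value is a placeholder for cipher text produced with your own public key.

```robotframework
*** Settings ***
Library    SeleniumLibrary
# %{...} reads an environment variable: this is the password that unlocks
# private_key.json, injected by the CI job (for example a Jenkins secret).
# It never appears in the suite and is not the value being protected.
Library    CryptoLibrary    %{private_key_password}    variable_decryption=True

*** Variables ***
# Hypothetical test data. Only the cipher text of the confidential value is
# stored here; replace the placeholder with text encrypted by your public key.
${LOGIN_URL}      https://test-server.example/login
${LOGIN_USER}     demo_user
${ENC_LOGIN_PW}   crypt:<cipher text placeholder>

*** Test Cases ***
Login With Encrypted Password
    Open Browser    ${LOGIN_URL}    headlesschrome
    Input Text      id=username    ${LOGIN_USER}
    # With variable_decryption=True the library decrypts the crypt: value
    # when the variable is used, so the plain text is not written in the suite.
    Input Password    id=password    ${ENC_LOGIN_PW}
    Click Button    id=login
    [Teardown]    Close Browser
```

If the key password was saved on the machine when the key pair was created, the first argument of the CryptoLibrary import can be dropped, with the trade-off the answer describes.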
Hi Snooz82, wonderful library. If you find the time (or perhaps priority :-)), your comment is still very valuable to merge into the documentation, due to the fact that it describes the import in more detail and how it works. It cost us quite some time to try and understand it, and we only found this explanation in this issue-related topic.
Thnx and keep up the good work.