Dealing with secrets in the gateway configuration - Layer7-Community/graphman-client GitHub Wiki
Of all the entity types, two of them contain sensitive information, which is never exported in the clear:
- Keys (Keystore entries used for example by listeners)
- Secrets (Secure Passwords and SSH keys)
- Sensitive fields of other entities
An encryption passphrase provided by the graphman requester is used to encrypt and decrypt these secrets. This encryption passphrase is set with the HTTP header `x-l7-passphrase`. If the header is missing, graphman uses its cluster passphrase to encrypt/decrypt these secrets.
For a bundle to be importable on the target, provide the same encryption passphrase when applying the bundle as was used when the bundle was created.
The secret portion of the Key entity type is a .p12 (PKCS12) file which is protected using the encryption passphrase. The secret portion of the exported Secret entity type is AES encrypted (but with a proprietary key generation method) using the same encryption passphrase, and can be re-encrypted for modification using this standard openssl command (replace the placeholders with the secret value and the passphrase):

```
echo <secret> | openssl enc -e -aes-256-cbc -md sha256 -pass pass:<passphrase> -a
```
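The following script is an added example, not code from the graphman-client wiki or the project itself. It wraps the same openssl parameters the page gives (aes-256-cbc, `-md sha256`, base64 output) in small functions so a secret can be encrypted and decrypted back for a check before it is pasted into a bundle. Two choices differ from the one-liner above and are assumptions of this example, not statements about the gateway: the passphrase is handed to openssl through an environment variable (`-pass env:GRAPHMAN_PASSPHRASE`, a documented openssl pass-phrase source) so it does not show up in `ps` output or shell history the way `-pass pass:<passphrase>` does, and `printf '%s'` is used instead of `echo` so no trailing newline becomes part of the encrypted value. The sample secret and passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not graphman-client code): round-trip a Secret entity value
# through the openssl parameters the wiki page gives.
# Assumptions: the passphrase reaches openssl via the environment variable
# GRAPHMAN_PASSPHRASE (-pass env:...), and the secret is written without a
# trailing newline (printf '%s' rather than echo).

# encrypt_secret <passphrase> <plaintext>
# Prints the base64 ciphertext ("Salted__" header, 8-byte salt, AES-256-CBC body).
encrypt_secret() {
    (
        GRAPHMAN_PASSPHRASE="$1"; export GRAPHMAN_PASSPHRASE
        # stderr is discarded: newer openssl prints a deprecation notice for
        # the legacy (non-PBKDF2) key derivation that -md sha256 selects.
        printf '%s' "$2" | openssl enc -e -aes-256-cbc -md sha256 -salt \
            -pass env:GRAPHMAN_PASSPHRASE -a 2>/dev/null
    )
}

# decrypt_secret <passphrase> <base64 ciphertext>
# Prints the plaintext; exits non-zero on a wrong passphrase or corrupt input.
decrypt_secret() {
    (
        GRAPHMAN_PASSPHRASE="$1"; export GRAPHMAN_PASSPHRASE
        printf '%s\n' "$2" | openssl enc -d -aes-256-cbc -md sha256 \
            -pass env:GRAPHMAN_PASSPHRASE -a 2>/dev/null
    )
}

# round_trip <passphrase> <plaintext>
# Prints "ok" when decrypt(encrypt(x)) equals x, "mismatch" otherwise.
round_trip() {
    ct=$(encrypt_secret "$1" "$2") || return 1
    pt=$(decrypt_secret "$1" "$ct") || return 1
    if [ "$pt" = "$2" ]; then echo ok; else echo mismatch; fi
}

# wrong_passphrase_fails <passphrase> <plaintext>
# Encrypts with <passphrase> and tries to decrypt with a different one.
# Prints "rejected" when openssl fails (bad padding) or yields other bytes,
# "accepted" only if the wrong passphrase somehow recovers the secret.
wrong_passphrase_fails() {
    ct=$(encrypt_secret "$1" "$2") || return 1
    if pt=$(decrypt_secret "not-$1" "$ct"); then
        if [ "$pt" != "$2" ]; then echo rejected; else echo accepted; fi
    else
        echo rejected
    fi
}

# is_openssl_salted <base64 ciphertext>
# Prints "yes" if the value carries the "Salted__" magic that openssl enc
# writes (base64 prefix U2FsdGVkX1), i.e. the format the page's command produces.
is_openssl_salted() {
    case "$1" in
        U2FsdGVkX1*) echo yes ;;
        *) echo no ;;
    esac
}

# Usage (constructed values):
#   GRAPHMAN_EXAMPLE_PASS='correct-horse-battery'   # constructed passphrase
#   round_trip "$GRAPHMAN_EXAMPLE_PASS" 'db-password-constructed'
```

Because openssl prepends a random salt, running `encrypt_secret` twice on the same input gives two different base64 strings that both decrypt to the same value, so a differing ciphertext in a bundle diff does not by itself mean the secret changed. Whether the gateway tolerates the trailing newline that `echo` in the page's command adds to the secret is not stated on the page; if the exact page command is what the target expects, keep `echo` there.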