Secrets
torero allows users to store encrypted 'secret' information within its backend data store. Secrets are protected with symmetric encryption: torero encrypts and decrypts them with a key derived from an encryption key file that you create and keep outside the data store. The data store itself never holds that key, so whoever can read the store cannot recover the secrets without the key file.
Secrets can be utilized in the following scenarios:
- Storing SSH keys for use during a Git clone on service execution (guide)
- Injecting secret data into services (guide)
- Authenticating with PyPI or Ansible Galaxy registries (guide)
Encryption with torero
Data is encrypted using AES in GCM mode. The AES key is derived with PBKDF2 from the contents of the encryption key file and a random salt generated for each secret, so every stored secret is encrypted under a distinct key even when all of them use the same encryption file. The salt and the ciphertext are stored together in the data store as a single base64-encoded string.
Creating An Encryption Key
Creating an encrypted secret in torero is straightforward.
Before a secret can be encrypted or decrypted you first need to create an encryption key file. If you are running torero in a cluster, every instance in that cluster needs access to the same encryption key file.
An encryption key can be generated with the openssl command-line tool as follows:
>_ openssl rand -base64 256 > /somedir/my_encryption.key
Inspecting the key file shows a base64-encoded blob like the following (yours will differ):
>_ cat /somedir/my_encryption.key
UM/mOfv5iQqF6Cp1u8k+0MFVTq44NIPQii1wkTgacS1GnOGiI4iBMFeFJSJQT80A
Lso1VmL0wr3MqG9wgvov32y5Oddjay9j5RqMIbQpJuJDJtrodzWi+6B+yo0NBoHz
sgfLr6oL16oFrwSRq+ZSELJLr/aL9V9fdMluHYCGOHJrQtxojoQX41kF7OS6dSNk
BbCRKKJrpJtOmZY1nz7CLcGWxA80PDdjGwozdN/vwxo84Ohpl6/R7pDVZOIXfbyh
xMibYbvLM01A2/eJ72PU4zfiWRdiovnmLlsifMnDwobs0WHY5lAgGpdENs6v577e
YK2U8HlKOWczjPsXjK7RBA==
To restrict the file so that only its owner can read it, run chmod 400 /somedir/my_encryption.key. The owner should be the user account torero runs as.
Note
Keep this key somewhere safe and secure, and keep a backup of it. If it is lost, any data encrypted with it is unrecoverable.
Once the key is generated, tell torero where it lives. The encryption key file can be configured either in a torero.conf file or through an environment variable, as shown below.
torero.conf
[secrets]
encrypt_key_file = "/somedir/my_encryption.key"
Environment Variable
>_ export TORERO_SECRETS_ENCRYPT_KEY_FILE="/somedir/my_encryption.key"
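The key-file steps above (generate, lock down permissions, distribute the same file to every cluster node), as an added example script that is not torero's own tooling. It assumes a POSIX shell with coreutils and uses openssl only if it is installed. It adds three checks a practitioner would want: the file is created under umask 077 so it is never world-readable between creation and chmod, an existing key is never overwritten, and a SHA-256 fingerprint lets you confirm every node holds the same key without copying the key again.

```shell
#!/bin/sh
# Added example for this page, not part of torero. Assumes POSIX sh, coreutils
# (base64, head, find, sha256sum or shasum) and optionally openssl.

# create_key FILE: generate a key file that is never group/world readable,
# even between creation and chmod, and refuse to overwrite an existing one.
create_key() {
  key="$1"
  if [ -e "$key" ]; then
    echo "refusing to overwrite existing key file: $key" >&2
    return 1
  fi
  (
    umask 077   # the new file starts as 0600, not the default 0644
    if command -v openssl >/dev/null 2>&1; then
      openssl rand -base64 256 > "$key"
    else
      head -c 256 /dev/urandom | base64 > "$key"   # fallback with the same shape
    fi
  ) || return 1
  chmod 400 "$key"
}

# check_key FILE: checks to run on every cluster node before starting torero.
check_key() {
  key="$1"
  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
  [ -s "$key" ] || { echo "empty key file: $key" >&2; return 1; }
  [ -r "$key" ] || { echo "key file not readable by $(id -un): $key" >&2; return 1; }
  # fail if group or other has any permission bit (portable -perm -mode syntax)
  if [ -n "$(find "$key" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                            -o -perm -o+r -o -perm -o+w -o -perm -o+x \) 2>/dev/null)" ]; then
    echo "key file is accessible to group/other; run: chmod 400 $key" >&2
    return 1
  fi
  return 0
}

# key_fingerprint FILE: a hash to compare across nodes so you can confirm every
# node has the same key without moving the key itself over the network again.
key_fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d' ' -f1
  else
    shasum -a 256 < "$1" | cut -d' ' -f1
  fi
}
```

Run check_key on each node against the path you put in encrypt_key_file or TORERO_SECRETS_ENCRYPT_KEY_FILE, then compare key_fingerprint output between nodes; a mismatch means one node will fail to decrypt secrets written by the others.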
Creating Your First Secret
Once your encryption key is set, you can create a secret with the following syntax:
>_ torero create secret my-secret --prompt-value
Next, verify that the secret now exists in the store:
>_ torero get secrets
NAME
my-secret
Finally, view the decrypted contents of the secret with the describe command:
>_ torero describe secret my-secret
To avoid printing the decrypted data to the terminal, the secret is written to a temporary file and opened in the editor named by your $EDITOR environment variable. To use a different editor, set that variable, for example:
export EDITOR=nano
If $EDITOR is not set, torero defaults to vim.
Once you close your editor, the temporary file that held your secret's contents is deleted. Bear in mind that some editor configurations write their own swap, backup or undo files alongside the file they open, so the editor's settings are part of the path the decrypted secret passes through.
Congratulations! You have now created a secret in torero's data store. Take care of your encryption key file, and remember that in a distributed torero cluster every node needs the same key file to encrypt and decrypt secrets.