
Encrypting Sensitive Information (Optional)

You can use the apim_crypto utility from within the toolkit container to encrypt sensitive information. The utility uses Authenticated Encryption with Associated Data (AEAD). AEAD uses a user-provided 16-character secret and a 16-character nonce to encrypt text. The secret and nonce must be in UTF-8 format only.

Encrypt all sensitive information in one secret using the same AEAD secret and nonce. Refer to the Using Local Edition Crypto Utility topic in the Security guide for detailed instructions on using the apim_crypto utility.

    I have no name!@toolkit:/$ apim_crypto -s <16 character secret> -n <16 character nonce> -t <text to encrypt>

Encrypting Database Access Secret

Boomi Cloud API Management - Local Edition can access the database with or without TLS support. Refer to Securing Connections to an External MySQL 8 compliant database for detailed steps on using encrypted connections with MySQL.

Example

Sample templates for the database access secret, with and without encryption, are provided in the following sections.

With Encryption (Optional)

Procedure

  1. Encrypt the database password using apim_crypto.

    # Run the toolkit pod if it is not running
    kubectl run --image=<registry>/[repository]/apim-le-toolkit:<tag> toolkit

    Command:
    apim_crypto -s '<16 char secret to use>' -n '<16 char AEAD nonce to use while encrypting>' -t '<text that needs to be encrypted>'

    Example
    I have no name!@toolkit:/$ apim_crypto -s 'abcdefghijklmnop' -n '1234567890123456' -t 'masheryonprempassword'
    YWQ0NTA5NzUxMjNlYzA1YjFjNWYxZWU1ZjdkOGZhMzE3YjcyYjA1M2ViY2M4YTVhMzgwOGMxZDAxM2QxMDYzMDUxYmE4YTg5NjU2MjMxMzQzMDMzMzIzMDMyMzQzMTMzMzMzMTM0MzI2NS1AQEA=
    $
  2. Create a YAML file.

    For example, consider this apim-dbcreds-secret.yaml file. You can create a copy of this file from samples/database/db-secrets-with-encryption-sample.yaml.

    1. Base64-encode the username and replace the value of the .apimdbuser key with the result. Then replace the value of the .apimdbpasswd key with the result of the encryption.

      $ echo -n '<db username>' | base64

      Example
      $ echo -n 'masheryonprem' | base64
      bWFzaGVyeW9ucHJlbQ==
    2. Base64-encode the AEAD secret and provide it as the value for the .aeadsecret key.

      $ echo -n "abcdefghijklmnop" | base64
      YWJjZGVmZ2hpamtsbW5vcA==
    3. Base64-encode the nonce and provide it as the value for the .aeadnonce key.

      $ echo -n "1234567890123456" | base64
      MTIzNDU2Nzg5MDEyMzQ1Ng==

    Result:

    apiVersion: v1
    kind: Secret
    metadata:
      name: apim-db-secret
    data:
      # $ echo -n 'masheryonprem' | base64
      .apimdbuser: bWFzaGVyeW9ucHJlbQ==
      # see using apim_crypto utility in security guide and install guide.
      .apimdbpasswd: YWQ0NTA5NzUxMjNlYzA1YjFjNWYxZWU1ZjdkOGZhMzE3YjcyYjA1M2ViY2M4YTVhMzgwOGMxZDAxM2QxMDYzMDUxYmE4YTg5NjU2MjMxMzQzMDMzMzIzMDMyMzQzMTMzMzMzMTM0MzI2NS1AQEA=
      # $ echo -n "abcdefghijklmnop" | base64
      .aeadsecret: YWJjZGVmZ2hpamtsbW5vcA==
      # $ echo -n "1234567890123456" | base64
      .aeadnonce: MTIzNDU2Nzg5MDEyMzQ1Ng==
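
Steps 2.1 to 2.3 and the resulting manifest as one script. This is an added example, not part of the product or its sample files: `b64`, `render_db_secret` and `SAMPLE_ENC` are hypothetical names, the apim_crypto output is passed in as an argument rather than computed, and the length and whitespace checks are assumptions based on the 16-character requirement stated above. It encodes with `printf '%s'` so that no trailing newline ends up in a decoded value.

```shell
#!/bin/sh
# Added example: builds the apim-db-secret manifest described in the procedure above.

# base64-encode a value exactly as given (no trailing newline, no line wrapping).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Usage: render_db_secret <db user> <apim_crypto output> <AEAD secret> <AEAD nonce>
render_db_secret() (
    user=$1 enc_passwd=$2 secret=$3 nonce=$4
    # apim_crypto takes a 16 character secret and a 16 character nonce.
    if [ "${#secret}" -ne 16 ] || [ "${#nonce}" -ne 16 ]; then
        echo "AEAD secret and nonce must each be 16 characters" >&2
        exit 1
    fi
    # The encrypted password is already base64 text; reject spaces or line
    # breaks left over from copying wrapped terminal output.
    case $enc_passwd in
        ''|*[!A-Za-z0-9+/=]*)
            echo "encrypted password is not a single base64 string" >&2
            exit 1 ;;
    esac
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: apim-db-secret
data:
  .apimdbuser: $(b64 "$user")
  .apimdbpasswd: $enc_passwd
  .aeadsecret: $(b64 "$secret")
  .aeadnonce: $(b64 "$nonce")
EOF
)

# Sample values reused from the example on this page (not real credentials).
SAMPLE_ENC='YWQ0NTA5NzUxMjNlYzA1YjFjNWYxZWU1ZjdkOGZhMzE3YjcyYjA1M2ViY2M4YTVhMzgwOGMxZDAxM2QxMDYzMDUxYmE4YTg5NjU2MjMxMzQzMDMzMzIzMDMyMzQzMTMzMzMzMTM0MzI2NS1AQEA='
render_db_secret 'masheryonprem' "$SAMPLE_ENC" 'abcdefghijklmnop' '1234567890123456'
```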

Without Encryption

Procedure

  1. Create a YAML file.

    For example, consider this apim-dbcreds-secret.yaml file. You can create a copy of this file from <extract location>/samples/database/db-secrets-sample.yaml.

    1. Base64-encode the db username. Then replace the value of the .apimdbuser key with the result.

      $ echo -n '<db username>' | base64

      Example
      $ echo -n 'masheryonprem' | base64
      bWFzaGVyeW9ucHJlbQ==

    2. Base64-encode the db password. Then replace the value of the .apimdbpasswd key with the result.

      $ echo -n '<db password>' | base64

      Example
      $ echo -n 'changeme' |base64
      Y2hhbmdlbWU=

    Result:

    apiVersion: v1
    kind: Secret
    metadata:
      name: apim-db-secret
    data:
      # $ echo -n 'masheryonprem' | base64
      .apimdbuser: bWFzaGVyeW9ucHJlbQ==
      # $ echo -n '<password_text>' | base64
      .apimdbpasswd: Y2hhbmdlbWU=
