
API key encryption

Overview

dct-toolkit currently authenticates HTTP requests with an API key. The API key can be configured in plain text or specified via an environment variable.

Implementation

Starting with version 1.2.0, dct-toolkit supports encrypting an API key via a separate command and also via the create_config command used to generate the configuration file. The create_config command now stores the API key in encrypted form using the AES/GCM algorithm, where the key and IV are generated from the following two inputs:

  1. Local hostname of the machine from where the dct-toolkit command is run.

  2. DCT URL used to connect to the DCT instance.

For users who want to supply the API key via an environment variable, dct-toolkit provides the encrypt_api_key command, which takes the API key and DCT URL as inputs and returns an encrypted API key that can then be exported to an environment variable. See the Example section below.

The encryption key (not to be confused with the DCT API key) is reproducible, so the DCT API key can be encrypted and decrypted without storing the encryption key on the file system. Anyone who has access to the logic that creates the encryption key and knows the inputs for that logic can generate the encryption key and, consequently, decrypt the DCT API key.

Backward compatibility

The dct-toolkit API key encryption feature is fully backward compatible with previous versions of dct-toolkit. dct-toolkit first tries to decrypt the API key; if it fails to decrypt the API key, then the key is used as configured.
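The scheme described in the Implementation and Backward compatibility sections, as an added Go sketch that is not dct-toolkit's own code: a key and IV derived only from the hostname and DCT URL, and the decrypt-then-fall-back behaviour. The SHA-256 derivation, the base64 encoding, the function names, the hostnames and the URL are assumptions made for illustration; this page does not document the toolkit's actual derivation.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// newGCM derives an AES-256 key and 12-byte IV from the hostname and DCT URL.
// ASSUMPTION: labelled SHA-256 digests; the page does not give dct-toolkit's derivation.
func newGCM(host, dctURL string) (cipher.AEAD, []byte, error) {
	key := sha256.Sum256([]byte("key|" + host + "|" + dctURL))
	iv := sha256.Sum256([]byte("iv|" + host + "|" + dctURL))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, iv[:12], err
}

// EncryptAPIKey plays the role of encrypt_api_key: same inputs, same output.
func EncryptAPIKey(apiKey, host, dctURL string) (string, error) {
	gcm, iv, err := newGCM(host, dctURL)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nil, iv, []byte(apiKey), nil)), nil
}

// ResolveAPIKey tries to decrypt and otherwise uses the value as configured.
func ResolveAPIKey(configured, host, dctURL string) (string, bool) {
	raw, decErr := base64.StdEncoding.DecodeString(configured)
	gcm, iv, err := newGCM(host, dctURL)
	if decErr != nil || err != nil {
		return configured, false
	}
	plain, err := gcm.Open(nil, iv, raw, nil)
	if err != nil { // tag mismatch: plain-text key, or encrypted for another host/URL
		return configured, false
	}
	return string(plain), true
}

func main() {
	enc, _ := EncryptAPIKey("constructed-api-key", "host-a", "https://dct.example.com")
	fmt.Println(ResolveAPIKey(enc, "host-a", "https://dct.example.com")) // decrypts
	fmt.Println(ResolveAPIKey(enc, "host-b", "https://dct.example.com")) // falls back
}
```

The fallback relies on the GCM authentication tag failing to verify, so a value encrypted for one hostname or DCT URL is treated as a plain-text key anywhere else. Nothing secret enters the derivation, which is why file permissions on the configuration file and control over who can read the environment variable still matter.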

Example

If the user intends to specify the API key via an environment variable, dct-toolkit provides a command that returns the encrypted version of the API key:

./dct-toolkit encrypt_api_key apiKey=<DCT api key> dctUrl=<DCT instance URL>