Secrets

Secrets include connection passwords, tokens, and other sensitive information the Intelligence Hub requires to connect to external systems. This section covers the different ways to manage secrets in the Intelligence Hub.

Encryption/Decryption

In all cases, secrets are stored encrypted on the local file system. The key used to encrypt and decrypt them is kept in the intelligencehub-certificatestore.pkcs12 file. It is generated the first time the Intelligence Hub runs, and it is re-created any time the file or the key cannot be loaded. A re-created key cannot decrypt secrets that were encrypted under the previous one, so treat this file as key material: back it up and restrict access to it rather than relying on regeneration.

Inline Secrets

By default, secrets entered for a Connection (e.g. a password) are encrypted and saved in intelligencehub-configuration.json along with the rest of the project configuration. Below is an example of an encrypted password field for a Connection. All three values are base64-encoded: keyId identifies the key that encrypted the value, iv is the initialization vector, and ciphertext is the encrypted secret.

json
{
  "password" : {
    "type" : "Encrypted",
    "value" : {
      "keyId" : "/68PfkTLjYIbwiCzbi8++A==",
      "iv" : "ohKWcdoU+99Ofjt9k8in/g==",
      "ciphertext" : "nzU9pFgwUK5DXrh/Pgyz4w=="
    }
  }
}

Inline secrets are convenient and simple, but they become a problem when the same project is managed across environments that use different credentials: the encrypted value embeds one environment's credential and can only be decrypted by the Hub whose key produced it, so every environment ends up needing its own edited copy of the project file.

External Secrets

External Secrets are a better fit when a project is moved between environments that have different credentials, for example Dev, QA, and Production. With External Secrets, intelligencehub-configuration.json references a secret by name, while the secret itself is stored and encrypted in an intelligencehub-secrets.json file. The project file can then stay identical across environments, and only the secrets file differs.

Secrets are managed in the Settings | Secrets tab and then referenced by name in the settings of each Connection that needs them. Below is an example of such a reference as it appears in intelligencehub-configuration.json; the value is the secret's name, not the secret.

json
{
  "password" : {
    "type" : "Reference",
    "value" : "mypassword"
  }
}

Sharing Projects with Secrets

For an Intelligence Hub to load secrets, whether inline or external, it must have the same key as the Hub that encrypted them. In practice this means it must be given a copy of that Hub's intelligencehub-certificatestore.pkcs12 file. If the Hub loading the secrets does not have the same key, the secrets fail to load and must be re-entered manually so that they are encrypted with the local key.

Project Import/Export

Project import accepts secrets in plain-text, encrypted, or referenced form. Plain-text secrets are not recommended, but if they are present the import encrypts each one with the local key before storing it in the configuration file; the import file itself still contains the clear-text values, so handle and dispose of it accordingly. If a secret is imported in encrypted form, the local key is used to decrypt it. If that fails, the user is warned and must re-enter the secret before the Connection can be used. If the imported secret is a reference, the local intelligencehub-secrets.json must contain a secret of that name; otherwise a runtime error occurs when the Connection is used.
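The checks described in the Inline Secrets, External Secrets, and Project Import/Export sections above can be run against a project file before it is imported into another environment. The script below is an added example and is not part of the Intelligence Hub or its documentation. It walks a configuration document, classifies every secret-bearing field as Encrypted, Reference, or plain text, confirms that each Reference name exists in the target environment's secrets, and warns if the inline secrets were encrypted under more than one keyId (which would mean no single local key can decrypt them all). The outer "connections" wrapper, the plain-string form of an unencrypted password, the list of secret-bearing field names, and the set of secret names supplied for the target environment are all assumptions made for the example; only the Encrypted and Reference shapes are taken from the page.

```python
"""Pre-flight audit of an Intelligence Hub project file before import.

Added example; not part of the Intelligence Hub or its documentation.
"""
import base64
import binascii
import json
from collections import Counter

# Constructed sample of an intelligencehub-configuration.json fragment.
# The "connections" wrapper and the plain-string password are assumptions;
# the Encrypted and Reference field shapes match the documented format.
SAMPLE_CONFIG = json.loads(r'''
{
  "connections": [
    {"name": "mqtt-broker",
     "password": {"type": "Encrypted",
                  "value": {"keyId": "/68PfkTLjYIbwiCzbi8++A==",
                            "iv": "ohKWcdoU+99Ofjt9k8in/g==",
                            "ciphertext": "nzU9pFgwUK5DXrh/Pgyz4w=="}}},
    {"name": "sql-server",
     "password": {"type": "Reference", "value": "mypassword"}},
    {"name": "opc-ua",
     "password": {"type": "Reference", "value": "opcua-prod"}},
    {"name": "legacy-ftp",
     "password": "hunter2"}
  ]
}
''')

# Constructed: names defined in the target environment's intelligencehub-
# secrets.json. Its on-disk layout is not documented on the page, so the
# names are supplied directly instead of being parsed from that file.
TARGET_SECRET_NAMES = {"mypassword"}

# Assumed field names that carry credentials in a Connection.
SECRET_FIELDS = {"password", "token", "secret", "clientSecret"}


def walk(node, path=()):
    """Yield (path, value) for every key/value pair in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path + (key,), value
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (index,))


def b64len(text):
    """Decoded byte length of a strict base64 string, or None if it is not base64."""
    try:
        return len(base64.b64decode(text, validate=True))
    except (binascii.Error, ValueError):
        return None


def audit(config, known_secrets):
    """Classify each secret-bearing field and collect problems to fix before import."""
    encrypted, references, plaintext, problems = [], [], [], []
    for path, value in walk(config):
        if path[-1] not in SECRET_FIELDS:
            continue
        loc = "/".join(str(p) for p in path)
        if isinstance(value, dict) and value.get("type") == "Encrypted":
            inner = value.get("value", {})
            lengths = {f: b64len(inner.get(f, "")) for f in ("keyId", "iv", "ciphertext")}
            # All three must be base64; a 16-byte iv matches the page's sample
            # (assumed fixed), so anything else is flagged as malformed.
            if None in lengths.values() or lengths["iv"] != 16:
                problems.append(f"{loc}: malformed Encrypted entry {lengths}")
            encrypted.append((loc, inner.get("keyId")))
        elif isinstance(value, dict) and value.get("type") == "Reference":
            references.append((loc, value["value"]))
            if value["value"] not in known_secrets:
                problems.append(f"{loc}: reference '{value['value']}' missing from target secrets")
        elif isinstance(value, str):
            plaintext.append(loc)
            problems.append(f"{loc}: plain-text secret; import will encrypt it, scrub the file afterwards")
    # Inline secrets readable by one Hub all carry the keyId of that Hub's key.
    # Several keyIds means the file was assembled from more than one Hub, so at
    # least some entries cannot be decrypted by a single local key.
    key_ids = Counter(key_id for _, key_id in encrypted)
    if len(key_ids) > 1:
        problems.append(f"inline secrets use {len(key_ids)} different keyIds: {dict(key_ids)}")
    return {"encrypted": encrypted, "references": references,
            "plaintext": plaintext, "problems": problems, "key_ids": key_ids}


if __name__ == "__main__":
    for problem in audit(SAMPLE_CONFIG, TARGET_SECRET_NAMES)["problems"]:
        print("WARN", problem)
```

Run it against the real project file by replacing SAMPLE_CONFIG with json.load() of intelligencehub-configuration.json and TARGET_SECRET_NAMES with the names defined in the destination Hub's Settings | Secrets tab. On the constructed sample it reports the unresolved "opcua-prod" reference and the plain-text legacy-ftp password, the two cases the import section warns about.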

Project export can export secrets as inlined or referenced. Project export never exports secrets in plain text.