Encrypting secrets for the REST API
In order to create or update a secret with the REST API, you must encrypt the value of the secret.

About encrypting secrets

Several REST API endpoints let you create secrets on GitHub. To use these endpoints, you must encrypt the secret value using libsodium. For more information, see the libsodium documentation.

In order to encrypt a secret, you need a Base64 encoded public key. You can get a public key from the REST API. To determine which endpoint to use to get the public key, look at the documentation for the encrypted_value parameter in the endpoint that you will use to create a secret.

Example encrypting a secret using Node.js

If you are using Node.js, you can encrypt your secret using the libsodium-wrappers library. For more information, see libsodium-wrappers.

In the following example, replace YOUR_SECRET with the plain text value that you want to encrypt. Replace YOUR_BASE64_KEY with your Base64 encoded public key. The documentation for the endpoint that you will use to create a secret will tell you which endpoint you can use to get the public key. ORIGINAL is not a placeholder; it is a parameter for the libsodium-wrappers library.

```javascript
const sodium = require('libsodium-wrappers')

const secret = 'YOUR_SECRET'
const key = 'YOUR_BASE64_KEY'

// Check if libsodium is ready and then proceed.
sodium.ready.then(() => {
  // Convert the secret and key to a Uint8Array.
  let binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL)
  let binsec = sodium.from_string(secret)

  // Encrypt the secret using libsodium
  let encBytes = sodium.crypto_box_seal(binsec, binkey)

  // Convert the encrypted Uint8Array to Base64
  let output = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL)

  // Print the output
  console.log(output)
});
```

Example encrypting a secret using Python

If you are using Python 3, you can encrypt your secret using the PyNaCl library. For more information, see PyNaCl.

In the following example, replace YOUR_SECRET with the plain text value that you want to encrypt. Replace YOUR_BASE64_KEY with your Base64 encoded public key. The documentation for the endpoint that you will use to create a secret will tell you which endpoint you can use to get the public key.

```python
from base64 import b64encode
from nacl import encoding, public


def encrypt(public_key: str, secret_value: str) -> str:
    """Encrypt a Unicode string using the public key."""
    public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
    sealed_box = public.SealedBox(public_key)
    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
    return b64encode(encrypted).decode("utf-8")


encrypt("YOUR_BASE64_KEY", "YOUR_SECRET")
```
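A shape check you can run on the public key and on the output of any of these examples before calling the API, as an added example that is not part of the original page. It relies on two libsodium facts: a public key is 32 bytes, and a sealed box is 48 bytes longer than its plaintext (a 32-byte ephemeral public key plus a 16-byte authenticator). The function names and sample values are constructed for illustration; passing the check shows that the sizes and Base64 variant are right, not that the ciphertext decrypts.

```python
import base64

PUBLIC_KEY_BYTES = 32  # Curve25519 public key size (crypto_box_PUBLICKEYBYTES)
SEAL_OVERHEAD = 48     # ephemeral public key (32) + MAC (16) = crypto_box_SEALBYTES


def decode_original_b64(value: str) -> bytes:
    """Decode standard-alphabet, padded Base64 (libsodium's ORIGINAL variant).

    Raises ValueError for URL-safe characters, missing padding or whitespace.
    """
    try:
        return base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError(f"not ORIGINAL-variant Base64: {exc}") from exc


def preflight(key_b64: str, encrypted_b64: str, secret: str) -> list:
    """Return a list of problems found; an empty list means the shapes are right."""
    problems = []
    try:
        key = decode_original_b64(key_b64)
        if len(key) != PUBLIC_KEY_BYTES:
            problems.append(f"public key is {len(key)} bytes, expected {PUBLIC_KEY_BYTES}")
    except ValueError as exc:
        problems.append(f"public key: {exc}")
    try:
        sealed = decode_original_b64(encrypted_b64)
        expected = len(secret.encode("utf-8")) + SEAL_OVERHEAD
        if len(sealed) != expected:
            problems.append(f"encrypted value is {len(sealed)} bytes, expected {expected}")
    except ValueError as exc:
        problems.append(f"encrypted value: {exc}")
    return problems


# Constructed sample data: correct sizes only, not a real key or real ciphertext.
SAMPLE_SECRET = "hunter2"
SAMPLE_KEY = base64.b64encode(b"\xfb" * PUBLIC_KEY_BYTES).decode()
SAMPLE_SEALED = base64.b64encode(bytes(len(SAMPLE_SECRET) + SEAL_OVERHEAD)).decode()

if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, SAMPLE_SEALED, SAMPLE_SECRET))
    # Common mistake: Base64-encoding the plaintext instead of sealing it.
    plain_b64 = base64.b64encode(SAMPLE_SECRET.encode("utf-8")).decode()
    print(preflight(SAMPLE_KEY, plain_b64, SAMPLE_SECRET))
```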

Example encrypting a secret using C#

If you are using C#, you can encrypt your secret using the Sodium.Core package. For more information, see Sodium.Core.

In the following example, replace YOUR_SECRET with the plain text value that you want to encrypt. Replace YOUR_BASE64_KEY with your Base64 encoded public key. The documentation for the endpoint that you will use to create a secret will tell you which endpoint you can use to get the public key.

```csharp
var secretValue = System.Text.Encoding.UTF8.GetBytes("YOUR_SECRET");
var publicKey = Convert.FromBase64String("YOUR_BASE64_KEY");

var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);

Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));
```

Example encrypting a secret using Ruby

If you are using Ruby, you can encrypt your secret using the RbNaCl gem. For more information, see RbNaCl.

In the following example, replace YOUR_SECRET with the plain text value that you want to encrypt. Replace YOUR_BASE64_KEY with your Base64 encoded public key. The documentation for the endpoint that you will use to create a secret will tell you which endpoint you can use to get the public key.

```ruby
require "rbnacl"
require "base64"

key = Base64.decode64("YOUR_BASE64_KEY")
public_key = RbNaCl::PublicKey.new(key)

box = RbNaCl::Boxes::Sealed.from_public_key(public_key)
encrypted_secret = box.encrypt("YOUR_SECRET")

# Print the base64 encoded secret
puts Base64.strict_encode64(encrypted_secret)
```