PemPropertyFormat
The format of a secret used with a mappings configuration in FileSystemSecretStore and SystemAndEnvSecretStore. Privacy-Enhanced Mail (PEM) is a text file format for storing and exchanging cryptographic keys, certificates, and other data, based on the standards in RFC 7468, Textual Encodings of PKIX, PKCS, and CMS Structures. By default, OpenSSL generates keys in PEM format.
Encryption methods and ciphers used for PEM encryption must be supported by the Java Cryptography Extension.
PEM keys have the following format, where the PEM label is associated with the type of stored cryptographic material:
-----BEGIN {PEM label}-----
Base64-encoded cryptographic material
-----END {PEM label}-----
PEM Label | Stored Cryptographic Material
---|---
CERTIFICATE | X.509 Certificate
PUBLIC KEY | X.509 SubjectPublicKeyInfo
PRIVATE KEY | PKCS#8 Private Key
ENCRYPTED PRIVATE KEY | Encrypted PKCS#8 Private Key
EC PRIVATE KEY | EC Private Key
RSA PRIVATE KEY | PKCS#1 RSA Private Key
RSA PUBLIC KEY | PKCS#1 RSA Public Key
DSA PRIVATE KEY | PKCS#1-style DSA Private Key
HMAC SECRET KEY | HMAC Secret Key
AES SECRET KEY | AES Secret Key
GENERIC SECRET | Generic Secret (passwords, API keys, etc.)
Note the following points about the key formats:
- PKCS#1 is the standard that defines RSA. Learn more in RFC 8017: RSA Public Key Syntax.
- PKCS#1-style DSA and EC keys aren't defined in any standard, but are adapted from the RSA format.
- HMAC SECRET KEY, AES SECRET KEY, and GENERIC SECRET are a ForgeRock extension, and are not currently supported by any other tools.

The following example is a non-standard PEM encoding of an HMAC symmetric secret key. The payload is the base64 encoding of random bytes that are the key material, with no extra encoding:
-----BEGIN HMAC SECRET KEY-----
Pj/Vel...thB0U=
-----END HMAC SECRET KEY-----
Run the following example command to create such a key (32 random bytes, base64-encoded, wrapped in the HMAC SECRET KEY markers):
cat <<EOF
-----BEGIN HMAC SECRET KEY-----
$(head -c32 /dev/urandom | base64)
-----END HMAC SECRET KEY-----
EOF
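To make the format above concrete, here is an added Python example; it is not part of this page or of the product it documents. It parses PEM text into (label, raw bytes) pairs, accepts only the labels listed in the table, unwraps 64-column base64, rejects payloads that are not valid base64 or whose END label does not match BEGIN, and then uses an HMAC SECRET KEY block exactly as the page describes: the decoded bytes are the key material, with no further decoding. The 32-byte key and the "encrypted key" payload in the sample inputs are constructed placeholders, not real secrets or real DER; `check_pem`, `describe_pem` and `requires_decryption_secret` are names chosen for this example.

```python
import base64
import binascii
import hashlib
import hmac
import re

# PEM labels from the table above, mapped to the material they carry.
# The first eight are the RFC 7468 / OpenSSL labels; the last three are the
# ForgeRock extension described on this page.
PEM_LABELS = {
    "CERTIFICATE": "X.509 Certificate",
    "PUBLIC KEY": "X.509 SubjectPublicKeyInfo",
    "PRIVATE KEY": "PKCS#8 Private Key",
    "ENCRYPTED PRIVATE KEY": "Encrypted PKCS#8 Private Key",
    "EC PRIVATE KEY": "EC Private Key",
    "RSA PRIVATE KEY": "PKCS#1 RSA Private Key",
    "RSA PUBLIC KEY": "PKCS#1 RSA Public Key",
    "DSA PRIVATE KEY": "PKCS#1-style DSA Private Key",
    "HMAC SECRET KEY": "HMAC Secret Key",
    "AES SECRET KEY": "AES Secret Key",
    "GENERIC SECRET": "Generic Secret",
}

_BEGIN = re.compile(r"-----BEGIN [A-Z0-9 ]+-----")
# A complete block: BEGIN label, payload, END with the *same* label (backreference).
_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s+(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


class PemError(ValueError):
    """Raised when the text is not a PEM blob this store would accept."""


def parse_pem(text):
    """Return [(label, raw_bytes), ...] for every PEM block in text."""
    blocks = []
    for m in _BLOCK.finditer(text):
        label = m.group("label")
        if label not in PEM_LABELS:
            raise PemError(f"unsupported PEM label: {label}")
        # Drop line breaks: RFC 7468 allows the base64 to be wrapped at 64 columns.
        b64 = "".join(m.group("body").split())
        try:
            raw = base64.b64decode(b64, validate=True)  # strict: no stray characters
        except binascii.Error as exc:
            raise PemError(f"{label}: payload is not valid base64") from exc
        if not raw:
            raise PemError(f"{label}: empty payload")
        blocks.append((label, raw))
    # A BEGIN whose END label differs (or is missing) never matches _BLOCK.
    if len(_BEGIN.findall(text)) != len(blocks):
        raise PemError("BEGIN marker without a matching END marker")
    if not blocks:
        raise PemError("no PEM block found")
    return blocks


def check_pem(text):
    """Return None if text parses cleanly, otherwise the error message."""
    try:
        parse_pem(text)
    except PemError as exc:
        return str(exc)
    return None


def describe_pem(text):
    """Return [(label, stored material, payload length in bytes), ...]."""
    return [(label, PEM_LABELS[label], len(raw)) for label, raw in parse_pem(text)]


def requires_decryption_secret(text):
    """True when a block is an Encrypted PKCS#8 key, i.e. decryptionSecretId is needed."""
    return any(label == "ENCRYPTED PRIVATE KEY" for label, _ in parse_pem(text))


def hmac_key_from_pem(text):
    """Key material of the single HMAC SECRET KEY block: the decoded bytes as-is."""
    keys = [raw for label, raw in parse_pem(text) if label == "HMAC SECRET KEY"]
    if len(keys) != 1:
        raise PemError("expected exactly one HMAC SECRET KEY block")
    return keys[0]


def sign_with_pem_hmac(text, message):
    """HMAC-SHA256 of message, keyed with the bytes stored in the PEM block."""
    return hmac.new(hmac_key_from_pem(text), message, hashlib.sha256).hexdigest()


# Constructed sample inputs (placeholders, not real secrets).
SAMPLE_HMAC_KEY = bytes(range(32))
SAMPLE_HMAC_PEM = (
    "-----BEGIN HMAC SECRET KEY-----\n"
    + base64.b64encode(SAMPLE_HMAC_KEY).decode("ascii")
    + "\n-----END HMAC SECRET KEY-----\n"
)
# Payload is 54 zero bytes wrapped at 64 columns; it stands in for real encrypted DER.
SAMPLE_ENCRYPTED_PEM = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "AAAAAAAA\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(describe_pem(SAMPLE_HMAC_PEM))
    print(sign_with_pem_hmac(SAMPLE_HMAC_PEM, b"hello"))
    print(requires_decryption_secret(SAMPLE_ENCRYPTED_PEM))
```

The strict `validate=True` decode is deliberate: the HMAC SECRET KEY payload is used as raw key bytes, so silently ignoring stray characters would change the key without any error. Checking for ENCRYPTED PRIVATE KEY up front mirrors the configuration rule below, where `decryptionSecretId` and a `secretsProvider` are only needed for that label.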
Usage
{
"name": string,
"type": "PemPropertyFormat",
"config": {
"decryptionSecretId": configuration expression<secret-id>,
"secretsProvider": SecretsProvider reference
}
}
Properties
"decryptionSecretId": configuration expression<secret-id>, optional
    The secret ID of the secret used to decrypt a PKCS#8 private key.
    This secret ID must point to a GenericSecret.
"secretsProvider": SecretsProvider reference, required when decryptionSecretId is used
    The SecretsProvider to query for the decryption secret.
Example
You can find examples of use in Pass runtime data in a JWT signed with a PEM and Pass runtime data in a JWT signed and encrypted with a PEM.