From 35f414ccf20e4881287848fcb9b562f3c975a793 Mon Sep 17 00:00:00 2001 From: Ryan Petrello Date: Fri, 6 Mar 2020 16:00:41 -0500 Subject: [PATCH] clarify how AWX stores cerdentials --- docs/credentials/extract_credentials.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/credentials/extract_credentials.md b/docs/credentials/extract_credentials.md index 7234d56517..c769319200 100644 --- a/docs/credentials/extract_credentials.md +++ b/docs/credentials/extract_credentials.md @@ -1,11 +1,19 @@ -Extract credentials -=================== +Extracting Credential Values +============================ -Credentials and encrypted settings can be extracted using the following snippet: +AWX stores a variety of secrets in the database that are either used for automation or are a result of automation. These secrets include: + +- all secret fields of all credential types (passwords, secret keys, authentication tokens, secret cloud credentials) +- secret tokens and passwords for external services defined in Ansible Tower settings +- "password" type survey fields entries + +To encrypt secret fields, Tower uses AES in CBC mode with a 256-bit key for encryption, PKCS7 padding, and HMAC using SHA256 for authentication. + +If necessary, credentials and encrypted settings can be extracted using the AWX shell: ```python # awx-manage shell_plus >>> from awx.main.utils import decrypt_field >>> cred = Credential.objects.get(name="my private key") ->>> decrypt_field(cred, "ssh_key_data") +>>> print(decrypt_field(cred, "ssh_key_data")) ```