
Credentials Protection

Every time you pass credentials (secrets) to the Encoding API, you can, and should, pass them in encrypted form.

You pass various credentials to the Encoding API, including those for your input and output storage, message publishers and DRM. In all these cases you want only the Encoding Service to be able to access your resource, and you want to prevent any man-in-the-middle from seeing the credentials. In particular, you do not want to store credentials as plain text in configuration files or job definitions.

You protect the credentials by encrypting them with an asymmetric algorithm, using an Axinom Encoding public key as the encryption key. Only the Encoding Service holds the matching private key, so only it can recover the secret. You then signal to Axinom Encoding that the credentials are encrypted by setting the corresponding protection flag in the request.

Credentials protection can be used in the following cases:

Section                 Activation                              Encrypted elements
Any Storage Provider    "CredentialsProtection": "Encrypted"    CredentialsSecret
Any Message Publisher   "CredentialsProtection": "Encrypted"    CredentialsSecret
DrmManaged              "KeysProtection": "Encrypted"           ManagementKey, KeySeed, Thumbprints
Caution

Axinom recommends always using Credentials Protection in production scenarios.

Encrypting a secret using Axinom tool

The simplest way to encrypt a secret is to use the Credentials Protection Tool.

Credentials Protection Tool

[Screenshot: Credentials Protection Tool]

Tip

The tool implements the encryption in your browser, without sending any information you provide to any server.

Encrypting a secret programmatically

To encrypt a secret:

  1. Download the Encoding Service certificate using the Encoding API (GET /certificate; the call requires authentication) and decode it from base64. The result is a DER-encoded X.509 certificate.
  2. Extract the public key from the certificate. It is an RSA key.
  3. Encrypt the secret with the public key using the RSA algorithm and PKCS #1 (v1.5) padding. Note that this padding limits the plaintext to 11 bytes less than the key size in bytes (245 bytes for a 2048-bit key); longer secrets cannot be encrypted this way.
  4. Use the base64-encoded encrypted result instead of the original secret string, and set the protection flag for that section ("CredentialsProtection" or "KeysProtection") to "Encrypted".
Example Code (C#)
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Read raw base64 text from file (the body returned by GET /certificate, saved to disk)
var base64EncodedCert = await File.ReadAllTextAsync(@"path_to_file_with_base64_encoded_cert.txt");

// Convert it to a byte array (DER-encoded certificate)
var certAsBytes = Convert.FromBase64String(base64EncodedCert);

// Create an X.509 certificate object from the bytes
using var x509 = new X509Certificate2(certAsBytes);

// Get a reference to the public key; GetRSAPublicKey returns null if the certificate does not carry an RSA key
using var rsa = x509.GetRSAPublicKey()
    ?? throw new InvalidOperationException("Certificate does not contain an RSA public key");

// Convert your credentials secret to a byte array
var password = "credentials secret";
var dataToEncrypt = Encoding.UTF8.GetBytes(password);

// Encrypt using RSA with PKCS #1 v1.5 padding (throws if the secret exceeds key size minus 11 bytes)
var encrypted = rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.Pkcs1);

// Encode the encrypted bytes in base64; this string replaces the plain secret in the request
var base64Encoded = Convert.ToBase64String(encrypted);

Console.WriteLine(base64Encoded);
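The same four-step procedure in Go, as an added, self-contained example (not code from Axinom or this page). Because it runs offline, it constructs its own self-signed RSA certificate to stand in for the one GET /certificate returns, encodes it as base64 DER the way the API delivers it, then runs the procedure against it. It also enforces the PKCS #1 v1.5 length limit up front and, with the stand-in private key, decrypts the result to show that only the holder of the private key can read the protected secret. The names ProtectSecret, Unprotect and newTestCertificate are this example's own; the secret value is made up.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ProtectSecret follows the documented procedure: decode the base64 certificate
// returned by GET /certificate, take its RSA public key, encrypt the secret with
// RSA PKCS #1 v1.5 padding and return the ciphertext as base64.
func ProtectSecret(base64Cert string, secret string) (string, error) {
	// Step 1: the API returns the DER certificate as base64 text; decode it.
	der, err := base64.StdEncoding.DecodeString(base64Cert)
	if err != nil {
		return "", fmt.Errorf("certificate is not valid base64: %w", err)
	}
	// Step 2: parse the certificate and extract the public key; refuse non-RSA keys.
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("cannot parse certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("certificate does not carry an RSA public key")
	}
	// PKCS #1 v1.5 encrypts at most k-11 bytes, k being the modulus size in bytes.
	maxLen := pub.Size() - 11
	if len(secret) > maxLen {
		return "", fmt.Errorf("secret is %d bytes; PKCS #1 v1.5 with this key allows at most %d", len(secret), maxLen)
	}
	// Step 3: RSA encryption with PKCS #1 v1.5 padding (rand.Reader supplies the padding bytes).
	ciphertext, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(secret))
	if err != nil {
		return "", err
	}
	// Step 4: base64-encode; this string goes into the request in place of the plain secret.
	return base64.StdEncoding.EncodeToString(ciphertext), nil
}

// newTestCertificate builds a self-signed 2048-bit RSA certificate as a constructed
// stand-in for the Encoding Service certificate (this is NOT an Axinom key). It
// returns the base64 DER the API format uses plus the private key for the round trip.
func newTestCertificate() (string, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-encoding-service"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	return base64.StdEncoding.EncodeToString(der), key, nil
}

// Unprotect is the receiving side's view: only the private-key holder can recover the secret.
func Unprotect(key *rsa.PrivateKey, base64Ciphertext string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(base64Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, key, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	b64Cert, key, err := newTestCertificate()
	if err != nil {
		panic(err)
	}
	// Constructed sample secret, e.g. a storage access key.
	protected, err := ProtectSecret(b64Cert, "s3cr3t-storage-key")
	if err != nil {
		panic(err)
	}
	fmt.Println("CredentialsSecret:", protected)
	back, _ := Unprotect(key, protected)
	fmt.Println("round trip ok:", back == "s3cr3t-storage-key")
}
```

In real use, replace newTestCertificate with the base64 body of GET /certificate and drop Unprotect; the private key never leaves the Encoding Service. Note that PKCS #1 v1.5 encryption is randomized, so encrypting the same secret twice yields different ciphertexts; that is expected and does not indicate an error.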

See also