I seem to remember that when we set up our gpg solutions, passphrases were optional, so we decided not to use them. We couldn't think of a compelling reason to use them in a silent batch solution.
------------------------------
Pete
------------------------------
Original Message:
Sent: 08-19-2019 05:30 AM
From: Carsten Schmitz
Subject: Hiding a Variable value in Logs?
I don't know of any supported way to encrypt or remove variable resolution statements from logs or report and would be surprised if there is one.
You could certainly wipe the statements from the Automic logs as part of the job run e.g. using sed or perl, but that's just a dirty hack and also a major race condition, and altering the logs might or might not affect your support status if the logs are ever required for support cases. Altering the DB to wipe output from reports certainly would.
In general though, I'm a bit wary of automating pass phrase entry through Automic. Without even considering past or future potential security issues or other exposure scenarios in Automic, passing a pass phrase over an Automation tool usually means it's passed as a command line parameter to some process (i.e. your encryption tool). This usually means it's in the OS environment for that process, and this usually means any other job running as the same user can probably get to your pass phrase as well. I'm not saying this is impossible to secure, there are ways to pipe stuff to programs without exposing it to the process environment, but this whole cascade will not be trivial to get right.
After all, there's a reason tools will demand a pass phrase on stdin and not via command line, and the gpg man page for instance says: "Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it."
If you ARE using gpg, maybe consider "--passphrase-file". You'd still have a file with a pass phrase that somehow needs to be secured for the purpose (not sure if fully possible), but you wouldn't need to put your pass phrase into Automic.
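The `--passphrase-file` approach from the message above, as an added example that is not part of the original thread: a job-script wrapper that refuses to run unless the pass phrase file is a regular file owned by the job user with no group or other access, so only the file's path (never the pass phrase) appears in the command line. The function names and the paths in the usage comment are hypothetical, and the `gpg` options assume GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: function names and paths are illustrative assumptions.

# check_passfile FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# user running the job, with no permission bits set for group or other.
check_passfile() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || {
        echo "passfile: not a regular file: $f" >&2; return 1; }
    [ -O "$f" ] || {
        echo "passfile: not owned by current user: $f" >&2; return 1; }
    # ls -ld prints the mode first, e.g. "-rw-------"; positions 5-10 are
    # the group/other bits and must all be "-".
    mode=$(ls -ld -- "$f")
    case $mode in
        ????------*) return 0 ;;
        *) echo "passfile: group/other access on $f" >&2; return 1 ;;
    esac
}

# decrypt_file PASSFILE INPUT OUTPUT
# Runs gpg non-interactively. gpg reads the first line of PASSFILE itself,
# so the pass phrase is not in argv, the environment, or a scheduler variable.
decrypt_file() {
    passfile=$1; in=$2; out=$3
    check_passfile "$passfile" || return 1
    # GnuPG 2.1+ only honours --passphrase-file with --batch and
    # loopback pinentry.
    gpg --batch --yes --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --output "$out" --decrypt "$in"
}

# Usage inside a job script (hypothetical paths):
#   decrypt_file /home/batchuser/.gpg_pass in.gpg out.dat
```

Any other job running as the same OS user can still read the file, so this narrows exposure in logs and process listings rather than isolating jobs from each other.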
Original Message:
Sent: 08-17-2019 10:02 AM
From: Darbyshire
Subject: Hiding a Variable value in Logs?
Actually, we have created jobs that encrypt and decrypt files, and we would like to hide some of the variables that contain pass phrase information.
Original Message:
Sent: 08-15-2019 11:20 AM
From: Pete Wirfs
Subject: Hiding a Variable value in Logs?
I suspect you are asking about how to encrypt and use passwords in a secure fashion.
We store our passwords in LOGIN objects, retrieve the encrypted password via the GET_LOGIN() function, and pass it to the command line through the &UC_JOBMD feature which processes the decrypted value but only displays the encrypted value.
https://docs.automic.com/documentation/webhelp/english/AA/12.3/DOCU/12.3/Automic%20Automation%20Guides/help.htm#Script/Reference/GET_LOGIN.htm?Highlight=UC_JOBMD
------------------------------
Pete
Original Message:
Sent: 08-15-2019 10:52 AM
From: Darbyshire
Subject: Hiding a Variable value in Logs?
Is there a way to encrypt a variable value so it does not show on the logs? Our need is to hide our values that we need for encryption and decryption jobs we have built in Automic.
------------------------------
Doug
------------------------------