Encrypted Variables

Encrypted variables can be used within streams or preferences to dynamically replace a key with its encrypted value. Unencrypted alternatives to these variables are Store Variables or Temporary Variables.

Variables can be applied to any node input where sensitive strings—such as tokens or authentication credentials—are required, ensuring that the actual value is never exposed in an unencrypted state.

Encrypted Variables

To retrieve the still-encrypted value of a key, the wildcard {helmut.encrypted.variable.?} must be used. When this wildcard is used, the value will not be displayed in plain text, making it impossible to extract the actual secret.

Actual set value is ABCD .. XYZ

Right now only the Vidicore nodes are able to encrypt the variable directly

In order to obtain the actual value, the variable needs to be processed via the Preferences API endpoint.

Set Encryption Key in Stack

Within your stack, you need to add a new parameter for the preferences container. Simply extend the existing environment configuration with:

--encryption.key='mySecret'

Keep in mind that if you share a stream, or perform a backup and restore on another system, the value may not be resolvable if the encryption keys differ.

preferences:
    image: repo.moovit24.de:443/mcc_preferences:4.10.3.0
    # removed entrypoint, volume, network and co for better visability
    environment:
      parameters: 
        --spring.data.mongodb.host=mongodb
        --spring.rabbitmq.host=rabbitmq
        --mcc.fx.url=http://fx:8100/v1/fx
        --mcc.co.url=http://co:8101/v1/co
        --mcc.io.url=http://io:8102/v1/io
        --mcc.hk.url=http://hk:8103/v1/hk
        --mcc.users.url=http://users:8000/v1/members
        --mcc.stream.url=http://streams:8001/v1/streams
        --mcc.preference.url=http://preferences:8002/v1/preferences
        --mcc.metadata.url=http://metadata:8003/v1/metadata
        --mcc.logging.url=http://logging:8004/v1/logging/helmut
        --mcc.amqp.url=http://amqp:8005/v1/amqp/send
        --mcc.license.url=http://license:8006/v1/license
        --mcc.language.url=http://language:8007/v1/language
        --mcc.cronjob.url=http://cronjob:8008/v1/cronjob

Example

If the bearer token of a third-party application is needed for HTTP communication, an encrypted variable can be used.

The actual token value will remain hidden in both the debugger and the node configuration, while execution will still correctly resolve and use the value.

Last updated