Updating Credentials in an Encrypted Key Value Map

Want to use Edge’s encrypted Key Value Map (KVM) to store credentials for target systems? Do you need to rotate the passwords?

Recently a customer asked a simple question: is it possible for us to encrypt data that we put into the KVM such that Edge can automatically decrypt the data? (Essentially, can they access or manage the keys Edge uses for encryption?) Upon digging a bit deeper, the use case was for changing passwords, where the team that creates the new passwords wanted to email an encrypted copy of the password for the Edge administrator to update the KVM.

There are a couple of ways to solve for this use case:


1. Use the Edge APIs

This is probably the simplest solution. You can have the tool that is creating the new password call the API directly to modify the password within Edge. This method allows Edge to manage the encryption keys while reducing the need for human intervention.

Below is a sample payload for the API, assuming you are updating a key named targetPassword with a value of secret1.

{
  "name" : "targetPassword",
  "value" : "secret1"
}

This is the complete curl for that API call.

curl -X POST --header "Content-Type: application/json" --header "Authorization: Basic {your_auth}==" -d "{
  \"name\" : \"targetPassword\",
  \"value\" : \"secret1\"
}
" "https://api.enterprise.apigee.com/v1/organizations/{your_org}/environments/{your_environment}/keyvaluemaps/{your_kvm_name}/entries/{your_kvm_key_name}"

Documentation on this API can be found here

2. Use a custom encryption scheme

If you need to manage your own encryption keys, you will need to implement your own encryption scheme. You can still use a KVM to store the values, but you will need a method of encrypting the values before you place them in the KVM. You will also need to write a bit of custom code in Edge (e.g. a Java callout) to decrypt the values.

In this way you completely manage the encryption keys, strength, etc.
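
One way to implement such a scheme, shown as an added example that is not code from the original article or from Apigee: AES-256-GCM with the KVM key name bound in as associated data, so a stored value cannot be copied to another entry unnoticed. The class name KvmSecretCodec, the iv || ciphertext || tag layout and the randomly generated demo key are assumptions; a Java callout would call decrypt() with a key loaded from your own key store.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Added example (hypothetical class name): AES-256-GCM wrapping for values kept in a KVM.
public class KvmSecretCodec {
    private static final int IV_LEN = 12;     // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    // Sender side: returns base64(iv || ciphertext || tag), suitable as the KVM entry value.
    public static String encrypt(byte[] key, String kvmKeyName, String secret) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // fresh nonce per value; never reuse a nonce with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        // Bind the ciphertext to its KVM key name so it cannot be moved to another entry.
        c.updateAAD(kvmKeyName.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array());
    }

    // Callout side: throws AEADBadTagException if the value or the key name was altered.
    public static String decrypt(byte[] key, String kvmKeyName, String stored) throws Exception {
        byte[] blob = Base64.getDecoder().decode(stored);
        if (blob.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("value too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        c.updateAAD(kvmKeyName.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];  // constructed demo key; in practice load it from your key store
        RNG.nextBytes(key);
        String stored = encrypt(key, "targetPassword", "secret1");
        System.out.println(stored + " -> " + decrypt(key, "targetPassword", stored));
        try {
            decrypt(key, "otherPassword", stored);  // wrong entry name must fail authentication
            throw new IllegalStateException("tampering not detected");
        } catch (AEADBadTagException e) {
            System.out.println("rejected: ciphertext presented under a different key name");
        }
    }
}
```

Only the base64 string is emailed and stored in the KVM; the AES key stays with the teams that manage it and is never sent alongside the ciphertext.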

While this particular use case was related to passwords, the options discussed hold true for any type of secret information you may want to store in a KVM.

Last update: 05-16-2017 03:18 PM