Here is how I was able to do the encryption and decryption in Service Fabric without the Azure Key Vault. Since the data we were encrypting was not changing, the decision was to encrypt the values with the certificate and place the values into the correct XML files.
- Generate or obtain an X509 certificate. Make sure that the KeyUsage has "DataEncipherment" indicated; this is critical to the encryption of data.
- Get the thumbprint for the certificate. You can get this in your MMC certificates plugin.
- Using PowerShell, encrypt the text using the Invoke-ServiceFabricEncryptText function. Use the thumbprint from the cert to encrypt the text. This will create an encryption of the text that contains a base64 string that contains the secret ciphertext as well as the information about the certificate used to encrypt it. This is critical! Also, it is a good idea to run the Invoke-ServiceFabricDecryptText method on the encrypted string using the certificate to ensure it decrypts fine.
- Now comes the fun part, putting this into all the XML files in the correct way to get this to work. (This is where it gets messy).
- First you need to modify the settings.xml file. The parameter that you want to be encrypted needs to be set to IsEncrypted="true" Value="" and MustOverride="true".
- Next you need to declare the override parameter in the ApplicationManifest.xml file. Make sure the parameter name in the application manifest is the same as in the settings. Set the Name of the parameter in the Parameters section in the ApplicationManifest.xml file and set the value = "".
- In the ConfigurationOverride section where you have the Parameter name referenced, set the value to the Parameter in the parameters section. Currently this will be blank, also set the IsEncrypted="true".
- This is where I got stuck. All this other information was readily available; this next section wasn't. Next, in the ApplicationParameters folder under your project, select the XML file used when you publish to your Service Fabric. This is where you will place the encrypted value. Create a Parameter in this section, set the name to the name you gave in your ApplicationManifest and set the value to the encrypted value generated from the certificate.
When you deploy, this parameter will be passed in as an encrypted value. To use it in code you need to make sure you reference the DecryptValue. For example:

```csharp
var decryptedPassword = configurationPackage.Settings.Sections["sectionname"].Parameters["ConnectionString"].DecryptValue();
```
This will generate a SecureString that you can use throughout your code. I converted the value to a string using one of many references on how to convert SecureString to string available online.
That's it. I hope this helps someone else that is not using the Azure Key Vault to secure secrets.