This sample app demonstrates how to use the IBM Key Protect service for Bluemix. A secret message has been encrypted for you in the secret message.txt
file. You can decrypt the secret message using secrets stored in your Key Protect service. Once you retrieve the secrets, the AES 256 encrypted secret message is revealed. To find out more about how the service works, go to the Bluemix docs.
This sample app shows how to directly interact with the service by using API calls to create, retrieve, and delete secrets.
- Python
2.7.x
- pip
1.5.x
-
Secrets are added to your Key Protect instance when the sample app starts running. In your normal development workflow, the secrets would already be in the service and the only thing provided would be the secret references.
-
Provide the required authentication information,
-
Push the app into Bluemix
-
The Decrypt the secret message! button appears.
-
Once you click the button, wait a few seconds for the keys to be retrieved from Key Protect. The app uses the keys to decrypt the
secret message.txt
file. -
The app reveals the unencrypted message in the UI. You may also view the message in the
revealed_msg.txt
file, which is created after pressing the button.
-
Create a Bluemix account. Sign up in Bluemix or use an existing account.
-
Download and install the Cloud Foundry CLI, which is used to interact with Bluemix from the command line.
-
In a terminal window, clone the app to your local environment using the following command.
git clone [email protected]/IBM-Bluemix/key-protect-helloworld-python.git
- In the newly created directory, edit the
manifest.yml
file and change the<application-name>
to something unique.
applications:
- path: .
memory: 256M
instances: 1
name: <application-name>
memory: 128M
The name you use determines your application URL initially, e.g. <application-name>.mybluemix.net
.
- Run the login command to connect to Bluemix.
cf api https://api.ng.bluemix.net
cf login -u <your_user_ID>
- Create an instance of the Key Protect service in Bluemix.
cf create-service ibm_key_management TieredPricing sample-key-protect-service
- Edit the
auth.json
file with your Bluemix user information.
{
"host": "ibm-key-protect.edge.bluemix.net",
"token": "Bearer <your token>",
"org": "<your Bluemix organization GUID>",
"space": "<your Bluemix space GUID>"
}
Fill in the blank values. You can retrieve these values using the Cloud Foundry CLI as described below.
- For
token
, run the following command to get your authorization token.
cf oauth-token
- For
org
, run the following command to get your Bluemix organization GUID. If you need to look up the name of your organization, you can runcf target
first.
cf org <your_organization_name> --guid
- For
space
, run the following command to get your Bluemix space GUID. If you need to look up the name of your space, you can runcf target
first.
cf space <your_space_name> --guid
- Push the sample app to Bluemix.
cf push
- Refer to this section to decrypt the message.
-
If you do not already have a Bluemix account, sign up for one.
-
Create a space under your Bluemix organization or use an existing space.
-
In terminal, clone the app to your local environment with the following command.
git clone [email protected]/IBM-Bluemix/key-protect-helloworld-python.git
- In the newly created directory, install the required dependencies.
pip install -r requirements.txt
- Run the login command to connect to Bluemix in the command line tool.
cf api https://api.ng.bluemix.net
cf login -u <your user ID>
- Create an instance of the Key Protect service in Bluemix.
cf create-service ibm_key_management TieredPricing sample-key-protect-service
- Edit the
auth.json
file with your Bluemix user information.
{
"host": "ibm-key-protect.edge.bluemix.net",
"token": "",
"org": "",
"space": ""
}
Fill in the blank values. You can retrieve these values using the Cloud Foundry CLI as described below.
- For
token
, run the following command to get your authorization token.
cf oauth-token
- For
org
, run the following command to get your Bluemix organization GUID. If you need to look up the name of your organization, you can runcf target
first.
cf org <your organization name> --guid
- For
space
, run the following command to get your Bluemix space GUID. If you need to look up the name of your space, you can runcf target
first.
cf space <your space name> --guid
- Run the
welcome.py
code.
python welcome.py
- The example is running on http://0.0.0.0:5001/. Refer to this section to decrypt the message.
The files below are used by the sample app to demonstrate how the service works. They are for the purposes of the sample app only, as the contents would generally be too sensitive to store openly.
File | Description |
---|---|
encryption_keys.json | Contains the keys used for encryption. Encryption keys can consist of a phrase or randomly generated value of anything desired. Encryption keys can be uploaded directly into the Key Protect service by a privileged user. |
iv.txt | Contains the initialization vector used in the AES algorithm to encrypt the secret message. The contents is usually directly uploaded into Key Protect service by a privileged user. |
secret message.txt | Holds the message that was encrypted using AES with the encryption_key.json and iv.txt files. |
welcome.py | Contains the code decrypting the secret message. |
If you find a bug, please report it via the Issues section. You may also fork the project and submit a pull request in order to fix any open issues. We are happy to accept external contributions.
This sample code is licensed under Apache 2.0. See the license file for more information.
This sample code uses jQuery, distributed under MIT license.