4. WHY
❑ For many reasons:
⮚ There are many KeePassXC files on the drive, and it is safer to have a single point of access to all secrets (this also makes it more difficult to leave NN6 with all the secrets).
5. ❑ To avoid secrets in ANY script (local, gitlab-ci, jenkins, ...)
7. URL
❑ One single URL for all ENENSYS:
⮚ https://passbolt.enensys.com
⮚ https://passbolt.enensys.com/auth/login?redirect=%2Fapp%2Fusers&locale=fr-FR
8. SIGN IN PROCESS
To access the PASSBOLT appliance, you must be invited by the admin.
If so, you will receive an invitation email from Passbolt. During setup, the browser extension generates your OpenPGP key pair, asks you to choose a passphrase, and lets you download the recovery kit, which is your private key.
10. ❑ Keep the private key safe inside your local KeePassXC: you will need it if you migrate your environment to another computer or to use the command line!
❑ It is an ASCII-armoured OpenPGP private key block, protected by your Passbolt passphrase. Anyone holding both the key and the passphrase can decrypt every secret shared with you, so never commit it to a repository or paste it into a ticket or chat.
$ cat private2.txt
-----BEGIN PGP PRIVATE KEY BLOCK-----
(…)
-----END PGP PRIVATE KEY BLOCK-----
55. ❑ For that purpose you will need several items:
❑ The URL of the passbolt instance/server
❑ Your user passphrase (the one that protects your private key; the CLI calls it the user password)
❑ Your user private PGP key saved in a private_key.txt file
56. go-passbolt-cli
❑ Website: https://github.com/passbolt/go-passbolt-cli/releases/
GNU/Linux: wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.1.9/go-passbolt-cli_0.1.9_linux_amd64.deb && sudo dpkg -i go-passbolt-cli_0.1.9_linux_amd64.deb
Windows: wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.2.0/go-passbolt-cli_0.2.0_Windows_arm64.zip
Mac OS X: go-passbolt-cli_0.2.0_Darwin_x86_64.tar.gz (from the same releases page)
❑ Pick the archive matching your CPU (the Windows link above is the arm64 build; most PCs need x86_64), use the same version everywhere (the Linux line still points at 0.1.9 while the CI examples install 0.2.0), and verify the download against the checksums published with the release before installing it.
57. HELP
$ passbolt --help
A CLI tool to interact with Passbolt.
Usage:
passbolt [command]
Available Commands:
configure Configure saves the provided global flags to the Config File
create Creates a Passbolt Entity
delete Deletes a Passbolt Entity
export Exports Passbolt Data
get Gets a Passbolt Entity
help Help about any command
list Lists Passbolt Entitys
move Moves a Passbolt Entity
share Shares a Passbolt Entity
update Updates a Passbolt Entity
verify Verify Setup the Server Verification
Flags:
--config string Config File
--debug Enable Debug Logging
-h, --help help for passbolt
--mfaDelay duration Delay between MFA Attempts, only used in
noninteractive modes (default 10s)
--mfaMode string How to Handle MFA, the following Modes
exist: none, interactive-totp and noninteractive-totp (default "interactive-
totp")
--mfaRetrys uint How often to retry TOTP Auth, only used in
nointeractive modes (default 3)
--serverAddress string Passbolt Server Address
(https://passbolt.example.com)
--timeout duration Timeout for the Context (default 1m0s)
--totpOffset duration TOTP Generation offset only used in
noninteractive-totp mode
--totpToken string Token to generate TOTP's, only used in
nointeractive-totp mode
--userPassword string Passbolt User Password
--userPrivateKey string Passbolt User Private Key
--userPrivateKeyFile string Passbolt User Private Key File, if set then
the userPrivateKey will be Overwritten with the File Content
Use "passbolt [command] --help" for more information about a command.
$ passbolt action entity [arguments]
Action is the action you want to perform, such as creating, updating or deleting an entity. Entity is a resource (password), folder, user or group that you want to apply the action to.
58. MAN
PASSBOLT(1)
NAME
passbolt - A CLI tool to interact with Passbolt.
SYNOPSIS
passbolt [flags]
DESCRIPTION
A CLI tool to interact with Passbolt.
OPTIONS
--config="" Config File
--debug[=false] Enable Debug Logging
-h, --help[=false] help for passbolt
--mfaDelay=10s Delay between MFA Attempts, only used in noninteractive modes
--mfaMode="interactive-totp" How to Handle MFA, the following Modes exist: none, interactive-totp and
noninteractive-totp
--mfaRetrys=3 How often to retry TOTP Auth, only used in
nointeractive modes
--serverAddress="" Passbolt Server Address
(https://passbolt.example.com)
--timeout=1m0s Timeout for the Context
--totpOffset=0s TOTP Generation offset only used in
noninteractive-totp mode
--totpToken="" Token to generate TOTP's, only used in
nointeractive-totp mode
--userPassword="" Passbolt User Password
--userPrivateKey="" Passbolt User Private Key
--userPrivateKeyFile="" Passbolt User Private Key File, if set then
the userPrivateKey will be Overwritten with the File Content
59. Login to passbolt
❑ $ passbolt configure \
    --serverAddress https://passbolt.enensys.com \
    --userPassword ")/.u#6e*tCU*Z:mC62z%UTX'9[KV5Trge]}z%bc" \
    --userPrivateKeyFile ./private_key.txt
$ echo $?
0
❑ It is also possible to inject the private key as a variable using the --userPrivateKey parameter.
❑ configure saves these flags, passphrase and private key included, in clear text in the config file (see --config), and a passphrase typed on the command line also ends up in the shell history. Restrict the config file to your own user (chmod 600) and clear or disable history for that command.
60. Get secret
❑ $ passbolt get resource --id 7fffe9c3-0b52-4580-b836-af04779a972a
FolderParentID: 71679db1-bd72-403a-aa72-d6b7145a0208
Name: srv127 - LDAP server
Username: root
URI:
Password: Nxx4f37rLEvM8qWBtDhh
Description: mot de passe admin ldapd7NrZSU2AKidFZ-w3hv
❑ The plain-text output contains the password itself: in a script or CI job, capture the output and extract the Password line instead of letting the whole resource print into the log.
61. List users
$ passbolt list user
ID | Username | FirstName | LastName | Role
8f2154c9-89ed-4ab0-9630-701b45fb252e | antonio.dubuisson@enensys.com | Antonio | DUBUISSON | user
ccaf58ef-50d6-4db1-8f8f-d875a8e00107 | benjamin.glaud@enensys.com | Benjamin | GLAUD | user
52300540-9d6a-4433-85e5-07b5f85a6de4 | bertrand.guinebault@enensys.com | Bertrand | GUINEBAULT | user
0edfaa97-1c00-46d7-a488-7f73a5f3ae81 | it@enensys.com | IT | Team | admin
6e779dbe-e43f-4c62-b3df-42372c87cde6 | thierry.gayet@enensys.com | Thierry | GAYET | user
64. GITLAB
❑ User: passbolt.gitlab@enensys.com
(ONLY this user must be used within GITLAB-CI!)
I centralize the password and private key; please ask me for them!
66. GITLAB-CI.yml
image: ubuntu:latest
stages: # List of stages for jobs, and their order of execution
  - build
build-job: # This job runs in the build stage, which runs first.
  stage: build
  script:
    - echo "First stage"
    - apt update
    - apt install wget -y
    - wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.2.0/go-passbolt-cli_0.2.0_linux_amd64.deb
    - dpkg -i ./go-passbolt-cli_0.2.0_linux_amd64.deb
    # Print only the non-secret variable: echoing $USER_PASSPHRASE or the key variable would write them into the job log.
    - echo "$PASSBOLT_URL"
    # Quote every variable (the passphrase contains shell metacharacters).
    # USER_PRIVATE_KEY_FILE must be a GitLab CI variable of type "File" so that it expands to a path on the runner.
    - passbolt configure --serverAddress "$PASSBOLT_URL" --userPassword "$USER_PASSPHRASE" --userPrivateKeyFile "$USER_PRIVATE_KEY_FILE"
    - passbolt get resource --id 7fffe9c3-0b52-4580-b836-af04779a972a
https://gitlab.enensys.com/training/devsecops/test-ci/-/ci/editor?branch_name=main
🡪 Just a simple example that shows how to extract a secret from a gitlab-ci job. The last command prints the whole resource, password included, into the job log; in a real job capture its output and keep only the field you need.
69. JENKINS
❑ User: passbolt.jenkins@enensys.com
(ONLY this user must be used within JENKINS jobs!)
❑ Jenkins is used the same way as GITLAB!
70. ❑ Within Jenkins, credentials have been created in order to be able to extract secrets:
http://jenkins.enensys.com/manage/credentials/store/system/domain/_/
❑ Indeed, passbolt needs a passphrase and a private key to extract a resource from passbolt.
71. ❑ We can update the Jenkinsfile:
(…)
environment
{
    PASSBOLT_JENKINS_PASSWORD = credentials('11483a19-5b91-406f-bc6c-81b17952aa67')
    PASSBOLT_JENKINS_PRIVATE_KEY = credentials('a649027d-e96c-4d55-aedf-0d5d64d3f38e')
}
(…)
❑ Then, inside a script (here a Makefile recipe) we can get the key from passbolt as a file:
# --- Getting Key from passbolt as file:
	@echo "--> Getting certificate from the NN6 passbolt ... "
	@passbolt configure \
	    --serverAddress https://passbolt.enensys.com \
	    --userPassword "$${PASSBOLT_JENKINS_PASSWORD}" \
	    --userPrivateKey "$${PASSBOLT_JENKINS_PRIVATE_KEY}"
	@KEY_TXT="$$(passbolt get resource --id ab56dd91-0af4-41f7-8d0c-7f5ce816a796 | sed -n 's/^Password: //p')"; \
	    printf '%s\n' "$$KEY_TXT" > $(TARGET_DIR)/var/external_resources/key.txt
❑ Three details matter here. The @ prefix on the configure line stops make from echoing the expanded command, which would otherwise print the passphrase in the Jenkins console. The $${...} form and the double quotes hand the values to the shell intact: the armoured key contains spaces and newlines, and the passphrase contains shell metacharacters. The two last commands run in one shell (the "; \" continuation), because each recipe line otherwise runs in its own shell and a plain ${KEY_TXT} on the next line would be an empty make variable, writing an empty key file. If the private key is stored as a "Secret file" credential, the variable holds a temporary path and --userPrivateKeyFile must be used instead.
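The GitLab and Jenkins snippets above both configure the CLI from environment variables and then pull one field out of the text that `passbolt get resource` prints. The following wrapper is an added example, written for this page rather than taken from the slides or from the go-passbolt-cli project. It reuses the variable names of the GitLab slide (PASSBOLT_URL, USER_PASSPHRASE, USER_PRIVATE_KEY_FILE); PASSBOLT_BIN, PASSBOLT_RESOURCE_ID, SECRET_FILE, the function names and SAMPLE_OUTPUT are this example's own, and the sample resource output is constructed in the format of the "Get secret" slide.

```shell
#!/bin/sh
# Added example (not from the original slides or from go-passbolt-cli): a
# small CI wrapper around `passbolt configure` / `passbolt get resource`.
# It (1) checks that the secret variables exist without printing them,
# (2) parses the "Field: value" output line by line, so a password with
# spaces or a Description mentioning "Password" does not break the
# `grep Password | awk '{print $2}'` approach, and (3) writes the value to
# a 0600 file without echoing it. Names below are this example's own.

# Command used to reach Passbolt; overridable so the parser can be
# exercised offline against a fake function.
PASSBOLT_BIN="${PASSBOLT_BIN:-passbolt}"

# require_env NAME...: fail if any variable is unset or empty. Only the
# NAME is printed, never the value, so the job log cannot leak it.
require_env() {
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "error: $name is not set" >&2
            return 1
        fi
    done
    return 0
}

# extract_field FIELD: read `passbolt get resource` output on stdin and
# print the value of the first line starting with "FIELD:", keeping inner
# spaces. An empty field such as "URI:" yields an empty string.
extract_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# configure_passbolt: the same call as on the slides, with every argument
# quoted because the passphrase and the armoured key contain shell
# metacharacters and newlines.
configure_passbolt() {
    require_env PASSBOLT_URL USER_PASSPHRASE USER_PRIVATE_KEY_FILE || return 1
    "$PASSBOLT_BIN" configure \
        --serverAddress "$PASSBOLT_URL" \
        --userPassword "$USER_PASSPHRASE" \
        --userPrivateKeyFile "$USER_PRIVATE_KEY_FILE"
}

# get_resource_field RESOURCE_ID FIELD: fetch one resource and print FIELD.
# The output is captured first so that a failing fetch is not hidden by the
# pipe into sed.
get_resource_field() {
    out=$("$PASSBOLT_BIN" get resource --id "$1") || return 1
    printf '%s\n' "$out" | extract_field "$2"
}

# write_secret_file RESOURCE_ID DEST: write the resource's Password to DEST
# with mode 0600, never echoing it, and refuse an empty value so that a
# misconfigured job cannot silently produce an empty key file.
write_secret_file() {
    secret=$(get_resource_field "$1" Password) || return 1
    if [ -z "$secret" ]; then
        echo "error: resource $1 has an empty Password field" >&2
        return 1
    fi
    ( umask 077 && printf '%s\n' "$secret" > "$2" )
}

# Constructed sample in the format printed on the "Get secret" slide; the
# values are made up and the password deliberately contains spaces.
SAMPLE_OUTPUT='FolderParentID: 00000000-0000-4000-8000-000000000001
Name: example - LDAP server
Username: root
URI:
Password: correct horse battery staple
Description: admin Password: for the ldap service'

# Real use in a job: only runs when PASSBOLT_RESOURCE_ID is set, so that
# sourcing this file for testing executes nothing against a server.
if [ -n "${PASSBOLT_RESOURCE_ID:-}" ]; then
    configure_passbolt && write_secret_file "$PASSBOLT_RESOURCE_ID" "${SECRET_FILE:-./key.txt}"
fi
```

In a GitLab job the script block becomes `. ./passbolt-ci.sh` with PASSBOLT_RESOURCE_ID and SECRET_FILE set as job variables; the Makefile recipe on the Jenkins slide can call `write_secret_file` the same way. Nothing in the functions prints a secret, so the only place the password exists is the 0600 file.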
72. ❑ We can check the credential in the Jenkins console: