A rescue utility to decrypt proxies and shared flows taken directly from an apigee-runtime pod in an encrypted form.
Imagine your trial Apigee hybrid organisation was deleted and the only thing left is a running runtime.
No need to panic.
- Log into any apigee-runtime pod.
- Read the value of the $CONTRACT_ENCRYPT_KEY_PATH environment variable:
      echo "$CONTRACT_ENCRYPT_KEY_PATH"
  It points to a file that contains the base64-encoded artefact encryption key.
  For 1.3.x and 1.4.x it will be /etc/encryption/plainTextDEK
- Read the encoded key value:
      cat "$CONTRACT_ENCRYPT_KEY_PATH"
- tar/gz the contents of the /opt/apigee/apigee-runtime/data/ directory:
      tar -czvf /tmp/data-backup.tar.gz -C /opt/apigee/apigee-runtime/data .
- Clone the utility and add its directory to your PATH.
- Define the key as a variable so that you don't need to show it off during utility invocation:
      export KEY="<your-encoded-key>"
- Untar the file to any working directory.
- In the working directory, execute:
      decrypt-folder-tree.sh "$KEY" <source-dir> <target-dir> &> log.log
  The utility will traverse the <source-dir> directory and replicate the directory structure, with decrypted files, in the <target-dir> directory.
- Zip each folder and import/deploy them into an Apigee hybrid org.
  How to: manually zip up an API Proxy bundle into something that can be imported to Apigee Edge
- Now it's time to reconsider your approach to using Apigee as a Version Control System.
  The following community articles are good starting points:
- Revisit every proxy folder and put it into a source control system of your choice.
How to decrypt a single file only
Assuming the $KEY environment variable contains the base64-encoded key, execute:
# decode the base64 key and convert it to the hex string that openssl -K expects
K=$(echo "$KEY"|base64 -d |hexdump -ve '1/1 "%.2x"')
# calculate the key length in bits for a correct cipher invocation
KEYLENGTH=$(( $(echo -n "$K" | wc -m) / 2 * 8 ))
# decrypt the file and write the result to stdout
openssl enc -d -aes-$KEYLENGTH-ecb -K "$K" -in <encrypted-file>
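
The single-file procedure above, wrapped in a function that validates the key length before calling openssl and cleans up after a failed decryption. This is an added example, not part of the utility; the function names key_to_hex, aes_bits and decrypt_file are assumptions, and od replaces hexdump for portability.

```shell
#!/bin/sh
# Added example: not part of the rescue utility. Function names are hypothetical.

# Decode a base64 key into the lowercase hex string that `openssl enc -K` expects.
# od is used in place of hexdump because it is present on minimal images.
key_to_hex() {
  printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Map a hex key to its AES size in bits. Only 16-, 24- and 32-byte keys are
# valid; anything else usually means a truncated or mis-copied key.
aes_bits() {
  case "${#1}" in
    32) echo 128 ;;
    48) echo 192 ;;
    64) echo 256 ;;
    *)  return 1 ;;
  esac
}

# decrypt_file <base64-key> <encrypted-file> <output-file>
# The body runs in a subshell so the variables and the umask stay local.
decrypt_file() (
  hex=$(key_to_hex "$1")
  bits=$(aes_bits "$hex") || {
    echo "unexpected key length: $(( ${#hex} / 2 )) bytes" >&2; return 2; }
  [ -r "$2" ] || { echo "cannot read $2" >&2; return 3; }
  umask 077   # decrypted output is readable by the current user only
  # ECB has no integrity check: a wrong key normally fails the padding check,
  # and that non-zero exit is the only signal, so partial output is removed.
  openssl enc -d "-aes-${bits}-ecb" -K "$hex" -in "$2" -out "$3" || {
    rm -f "$3"; return 4; }
)

# Stand-alone use, when saved as a script under any name:
#   sh <script> "$KEY" <encrypted-file> <output-file>
if [ "$#" -eq 3 ]; then
  decrypt_file "$@"
fi
```

As in the original command, -K places the hex key on openssl's command line, so run this on a host where other users cannot inspect the process list.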