My context is that I am using the JWT token flow to connect to SF in a Bitbucket pipeline. I have been able to correctly generate a certificate and key etc. as required. I tested the key and it is working fine. The next step was to add security, and I did not want to store my key in the project, so I encrypted the key like this:
openssl enc -nosalt -aes-256-cbc -in server.key -out server.key.enc -base64 -K <key-value> -iv <iv-value>
Now I am storing the encrypted server.key.enc file in my project and have stored the key and IV values as protected Bitbucket variables (DECRYPTION_KEY and DECRYPTION_IV).
Now, before logging in to the org, I need to decrypt server.key.enc to server.key so that I can use this file to log in, but when doing so with the following command, it is not working properly:
openssl enc -nosalt -aes-256-cbc -d -in key/server.key.enc -out key/server.key -base64 -K $DECRYPTION_KEY -iv $DECRYPTION_IV
In the server.key file only the header is malformed; the footer is generated correctly.
EXPECTED :
-----BEGIN RSA PRIVATE KEY-----
...........
-----END RSA PRIVATE KEY-----
GOT :
-��}�5��n�S�*��RIVATE KEY-----
...........
-----END RSA PRIVATE KEY-----
Thus my pipeline finishes with the following error: ERROR running auth:jwt:grant: We encountered a JSON web token error, which is likely not an issue with Salesforce CLI. Here's the error: error:0909006C:PEM routines:get_name:no start line
It seems like I am missing a small parameter somewhere, but I could not locate where.
As suggested by Topaco, I tried another simpler way to encrypt and decrypt :
Encrypt:
openssl aes-256-cbc -a -salt -pbkdf2 -in server.key -out server.key.enc -k <password>
Decrypt:
openssl aes-256-cbc -d -a -pbkdf2 -in server.key.enc -out server.key -k <password>
as mentioned here: How to use OpenSSL to encrypt/decrypt files?
And it works better.
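The symptom in the question (exactly the first 16 bytes garbled, everything after "RIVATE KEY-----" intact) is the fingerprint of CBC decryption with the right key but a wrong IV: each plaintext block is AES-decrypt(ciphertext block) XOR previous ciphertext block, and the IV only plays the "previous block" role for block 1, so a wrong IV corrupts block 1 at precisely the bytes where the IV is wrong and touches nothing else. A wrong key, by contrast, garbles every block. The script below is an added demonstration written for this answer, not code from the question or from Salesforce CLI; the key, IV and PEM-shaped file are constructed test values, and -base64 is left out because it does not affect the point.

```shell
#!/bin/sh
# Added demonstration, not code from the original question.
# Shows how AES-256-CBC decryption fails with a wrong IV versus a wrong key.
# All key/IV values and the sample "PEM" file are constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed 256-bit key and 128-bit IV as hex (64 and 32 hex digits).
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=00112233445566778899aabbccddeeff
# Same IV except bytes 2..6 (five bytes) are replaced with 0xff.
WRONG_IV=00ffffffffff66778899aabbccddeeff
# A completely different key.
WRONG_KEY=ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100

# Constructed PEM-shaped plaintext, several 16-byte blocks long.
write_sample() {
    printf '%s\n' '-----BEGIN TEST KEY-----' \
        'MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu' \
        'KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm' \
        '-----END TEST KEY-----' > "$1"
}

# Same shape as the commands in the question: raw hex key and IV, no salt.
cbc_encrypt() { openssl enc -aes-256-cbc -nosalt -in "$1" -out "$2" -K "$3" -iv "$4"; }
cbc_decrypt() { openssl enc -d -aes-256-cbc -nosalt -in "$1" -out "$2" -K "$3" -iv "$4"; }

# Print the 1-based offsets of bytes that differ between file $1 and file $2,
# comparing only up to the length of $1.
diff_offsets() {
    head -c "$(wc -c < "$1" | tr -d ' ')" "$2" > "$2.trunc"
    cmp -l "$1" "$2.trunc" 2>/dev/null | awk '{print $1}' || true
}

# Right key, wrong IV: which bytes of the decrypted file differ from the original?
wrong_iv_demo() {
    write_sample "$WORK/plain.pem"
    cbc_encrypt "$WORK/plain.pem" "$WORK/plain.enc" "$KEY" "$IV"
    cbc_decrypt "$WORK/plain.enc" "$WORK/wrong_iv.pem" "$KEY" "$WRONG_IV"
    diff_offsets "$WORK/plain.pem" "$WORK/wrong_iv.pem"
}

# Wrong key, right IV. -nopad is used here only so openssl writes every block
# instead of stopping at the (now meaningless) padding check.
wrong_key_demo() {
    write_sample "$WORK/plain.pem"
    cbc_encrypt "$WORK/plain.pem" "$WORK/plain.enc" "$KEY" "$IV"
    openssl enc -d -aes-256-cbc -nosalt -nopad -in "$WORK/plain.enc" \
        -out "$WORK/wrong_key.pem" -K "$WRONG_KEY" -iv "$IV"
    diff_offsets "$WORK/plain.pem" "$WORK/wrong_key.pem"
}

# Reduce the offset lists to checkable numbers.
count_lines() { wc -l | tr -d ' '; }
wrong_iv_differing_bytes()          { wrong_iv_demo | count_lines; }
wrong_iv_max_offset()               { wrong_iv_demo | sort -n | tail -n 1; }
wrong_key_bytes_after_first_block() { wrong_key_demo | awk '$1 > 16' | count_lines; }

# Stand-alone run: the wrong IV changes exactly the five bytes where it differs
# (offsets 2..6, all inside block 1); the wrong key changes bytes everywhere.
echo "wrong IV : $(wrong_iv_differing_bytes) byte(s) differ, last at offset $(wrong_iv_max_offset)"
echo "wrong key: $(wrong_key_bytes_after_first_block) byte(s) differ beyond block 1"
```

The practical check this suggests for the pipeline: compare the DECRYPTION_IV value the runner actually sees with the one used at encryption time, byte for byte and as exactly 32 hex digits. openssl does not reject a -K or -iv hex string that is too short; it zero-pads it and only prints a warning on stderr, so a value that lost characters when pasted into the CI variable (or was stored with a stray quote or whitespace) still decrypts "successfully" and produces exactly the damaged-first-block output shown in the question. The password-based -pbkdf2 variant that ended up working sidesteps the problem because the salt and IV are derived from the password and stored in the file header instead of being supplied by hand.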