netbox-community-netbox/docs/rest-api/working-with-secrets.md

# Working with Secrets

As with most other objects, the REST API can be used to view, create, modify, and delete secrets. However, additional steps are needed to encrypt or decrypt secret data.

## Generating a Session Key

In order to encrypt or decrypt secret data, a session key must be attached to the API request. To generate a session key, send an authenticated request to the `/api/secrets/get-session-key/` endpoint with the private RSA key which matches your [UserKey](../../core-functionality/secrets/#user-keys). The private key must be POSTed with the name `private_key`.

```no-highlight
$ curl -X POST http://netbox/api/secrets/get-session-key/ \
-H "Authorization: Token $TOKEN" \
-H "Accept: application/json; indent=4" \
--data-urlencode "private_key@<filename>"
```

```json
{
    "session_key": "dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="
}
```

!!! note
    To read the private key from a file, use the convention above. Alternatively, the private key can be read from an environment variable using `--data-urlencode "private_key=$PRIVATE_KEY"`.

The request uses the provided private key to unlock your stored copy of the master key and generate a temporary session key, which can be attached in the `X-Session-Key` header of future API requests.

## Retrieving Secrets

A session key is not needed to retrieve unencrypted secrets: The secret is returned like any normal object with its `plaintext` field set to null.

```no-highlight
$ curl http://netbox/api/secrets/secrets/2587/ \
-H "Authorization: Token $TOKEN" \
-H "Accept: application/json; indent=4"
```

```json
{
    "id": 2587,
    "url": "http://netbox/api/secrets/secrets/2587/",
    "device": {
        "id": 1827,
        "url": "http://netbox/api/dcim/devices/1827/",
        "name": "MyTestDevice",
        "display_name": "MyTestDevice"
    },
    "role": {
        "id": 1,
        "url": "http://netbox/api/secrets/secret-roles/1/",
        "name": "Login Credentials",
        "slug": "login-creds"
    },
    "name": "admin",
    "plaintext": null,
    "hash": "pbkdf2_sha256$1000$G6mMFe4FetZQ$f+0itZbAoUqW5pd8+NH8W5rdp/2QNLIBb+LGdt4OSKA=",
    "tags": [],
    "custom_fields": {},
    "created": "2017-03-21",
    "last_updated": "2017-03-21T19:28:44.265582Z"
}
```

To decrypt a secret, we must include our session key in the `X-Session-Key` header when sending the `GET` request:

```no-highlight
$ curl http://netbox/api/secrets/secrets/2587/ \
-H "Authorization: Token $TOKEN" \
-H "Accept: application/json; indent=4" \
-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="
```

```json
{
    "id": 2587,
    "url": "http://netbox/api/secrets/secrets/2587/",
    "device": {
        "id": 1827,
        "url": "http://netbox/api/dcim/devices/1827/",
        "name": "MyTestDevice",
        "display_name": "MyTestDevice"
    },
    "role": {
        "id": 1,
        "url": "http://netbox/api/secrets/secret-roles/1/",
        "name": "Login Credentials",
        "slug": "login-creds"
    },
    "name": "admin",
    "plaintext": "foobar",
    "hash": "pbkdf2_sha256$1000$G6mMFe4FetZQ$f+0itZbAoUqW5pd8+NH8W5rdp/2QNLIBb+LGdt4OSKA=",
    "tags": [],
    "custom_fields": {},
    "created": "2017-03-21",
    "last_updated": "2017-03-21T19:28:44.265582Z"
}
```

Multiple secrets within a list can be decrypted in this manner as well:

```no-highlight
$ curl http://netbox/api/secrets/secrets/?limit=3 \
-H "Authorization: Token $TOKEN" \
-H "Accept: application/json; indent=4" \
-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="
```

```json
{
    "count": 3482,
    "next": "http://netbox/api/secrets/secrets/?limit=3&offset=3",
    "previous": null,
    "results": [
        {
            "id": 2587,
            "plaintext": "foobar",
            ...
        },
        {
            "id": 2588,
            "plaintext": "MyP@ssw0rd!",
            ...
        },
        {
            "id": 2589,
            "plaintext": "AnotherSecret!",
            ...
        },
    ]
}
```

## Creating and Updating Secrets

Session keys are required when creating or modifying secrets. The secret's `plaintext` attribute is set to its non-encrypted value, and NetBox uses the session key to compute and store the encrypted value.

```no-highlight
$ curl -X POST http://netbox/api/secrets/secrets/ \
-H "Content-Type: application/json" \
-H "Authorization: Token $TOKEN" \
-H "Accept: application/json; indent=4" \
-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk=" \
--data '{"device": 1827, "role": 1, "name": "backup", "plaintext": "Drowssap1"}'
```

```json
{
    "id": 6194,
    "url": "http://netbox/api/secrets/secrets/9194/",
    "device": {
        "id": 1827,
        "url": "http://netbox/api/dcim/devices/1827/",
        "name": "device43",
        "display_name": "device43"
    },
    "role": {
        "id": 1,
        "url": "http://netbox/api/secrets/secret-roles/1/",
        "name": "Login Credentials",
        "slug": "login-creds"
    },
    "name": "backup",
    "plaintext": "Drowssap1",
    "hash": "pbkdf2_sha256$1000$J9db8sI5vBrd$IK6nFXnFl+K+nR5/KY8RSDxU1skYL8G69T5N3jZxM7c=",
    "tags": [],
    "custom_fields": {},
    "created": "2020-08-05",
    "last_updated": "2020-08-05T16:51:14.990506Z"
}
```

!!! note
    Don't forget to include the `Content-Type: application/json` header when making a POST or PATCH request.
Reset documentation hierarchy 2020-03-05 17:23:56 -05:00			`# Working with Secrets`

Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`As with most other objects, the REST API can be used to view, create, modify, and delete secrets. However, additional steps are needed to encrypt or decrypt secret data.`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
Reset documentation hierarchy 2020-03-05 17:23:56 -05:00			`## Generating a Session Key`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
fixed broken links 2019-09-28 00:41:09 -04:00			In order to encrypt or decrypt secret data, a session key must be attached to the API request. To generate a session key, send an authenticated request to the `/api/secrets/get-session-key/` endpoint with the private RSA key which matches your [UserKey](../../core-functionality/secrets/#user-keys). The private key must be POSTed with the name `private_key`.
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```no-highlight
			`$ curl -X POST http://netbox/api/secrets/get-session-key/ \`
			`-H "Authorization: Token $TOKEN" \`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`-H "Accept: application/json; indent=4" \`
			`--data-urlencode "private_key@<filename>"`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```

			```json
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`{`
			`"session_key": "dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="`
			`}`
			```

			`!!! note`
			To read the private key from a file, use the convention above. Alternatively, the private key can be read from an environment variable using `--data-urlencode "private_key=$PRIVATE_KEY"`.

Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			The request uses the provided private key to unlock your stored copy of the master key and generate a temporary session key, which can be attached in the `X-Session-Key` header of future API requests.
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
Reset documentation hierarchy 2020-03-05 17:23:56 -05:00			`## Retrieving Secrets`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
			A session key is not needed to retrieve unencrypted secrets: The secret is returned like any normal object with its `plaintext` field set to null.

Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```no-highlight
			`$ curl http://netbox/api/secrets/secrets/2587/ \`
			`-H "Authorization: Token $TOKEN" \`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`-H "Accept: application/json; indent=4"`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```

			```json
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`{`
			`"id": 2587,`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"url": "http://netbox/api/secrets/secrets/2587/",`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"device": {`
			`"id": 1827,`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"url": "http://netbox/api/dcim/devices/1827/",`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"name": "MyTestDevice",`
			`"display_name": "MyTestDevice"`
			`},`
			`"role": {`
			`"id": 1,`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"url": "http://netbox/api/secrets/secret-roles/1/",`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"name": "Login Credentials",`
			`"slug": "login-creds"`
			`},`
			`"name": "admin",`
			`"plaintext": null,`
			`"hash": "pbkdf2_sha256$1000$G6mMFe4FetZQ$f+0itZbAoUqW5pd8+NH8W5rdp/2QNLIBb+LGdt4OSKA=",`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"tags": [],`
			`"custom_fields": {},`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"created": "2017-03-21",`
			`"last_updated": "2017-03-21T19:28:44.265582Z"`
			`}`
			```

Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			To decrypt a secret, we must include our session key in the `X-Session-Key` header when sending the `GET` request:
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```no-highlight
			`$ curl http://netbox/api/secrets/secrets/2587/ \`
			`-H "Authorization: Token $TOKEN" \`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`-H "Accept: application/json; indent=4" \`
			`-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```

			```json
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`{`
			`"id": 2587,`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"url": "http://netbox/api/secrets/secrets/2587/",`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"device": {`
			`"id": 1827,`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"url": "http://netbox/api/dcim/devices/1827/",`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"name": "MyTestDevice",`
			`"display_name": "MyTestDevice"`
			`},`
			`"role": {`
			`"id": 1,`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"url": "http://netbox/api/secrets/secret-roles/1/",`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"name": "Login Credentials",`
			`"slug": "login-creds"`
			`},`
			`"name": "admin",`
			`"plaintext": "foobar",`
			`"hash": "pbkdf2_sha256$1000$G6mMFe4FetZQ$f+0itZbAoUqW5pd8+NH8W5rdp/2QNLIBb+LGdt4OSKA=",`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"tags": [],`
			`"custom_fields": {},`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"created": "2017-03-21",`
			`"last_updated": "2017-03-21T19:28:44.265582Z"`
			`}`
			```

Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`Multiple secrets within a list can be decrypted in this manner as well:`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```no-highlight
			`$ curl http://netbox/api/secrets/secrets/?limit=3 \`
			`-H "Authorization: Token $TOKEN" \`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`-H "Accept: application/json; indent=4" \`
			`-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk="`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```

			```json
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`{`
			`"count": 3482,`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"next": "http://netbox/api/secrets/secrets/?limit=3&offset=3",`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"previous": null,`
			`"results": [`
			`{`
			`"id": 2587,`
			`"plaintext": "foobar",`
			`...`
			`},`
			`{`
			`"id": 2588,`
			`"plaintext": "MyP@ssw0rd!",`
			`...`
			`},`
			`{`
			`"id": 2589,`
			`"plaintext": "AnotherSecret!",`
			`...`
			`},`
			`]`
			`}`
			```

Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`## Creating and Updating Secrets`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			Session keys are required when creating or modifying secrets. The secret's `plaintext` attribute is set to its non-encrypted value, and NetBox uses the session key to compute and store the encrypted value.
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```no-highlight
			`$ curl -X POST http://netbox/api/secrets/secrets/ \`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`-H "Content-Type: application/json" \`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`-H "Authorization: Token $TOKEN" \`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`-H "Accept: application/json; indent=4" \`
			`-H "X-Session-Key: dyEnxlc9lnGzaOAV1dV/xqYPV63njIbdZYOgnAlGPHk=" \`
			`--data '{"device": 1827, "role": 1, "name": "backup", "plaintext": "Drowssap1"}'`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			```

			```json
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`{`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"id": 6194,`
			`"url": "http://netbox/api/secrets/secrets/9194/",`
			`"device": {`
			`"id": 1827,`
			`"url": "http://netbox/api/dcim/devices/1827/",`
			`"name": "device43",`
			`"display_name": "device43"`
			`},`
			`"role": {`
			`"id": 1,`
			`"url": "http://netbox/api/secrets/secret-roles/1/",`
			`"name": "Login Credentials",`
			`"slug": "login-creds"`
			`},`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`"name": "backup",`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			`"plaintext": "Drowssap1",`
			`"hash": "pbkdf2_sha256$1000$J9db8sI5vBrd$IK6nFXnFl+K+nR5/KY8RSDxU1skYL8G69T5N3jZxM7c=",`
			`"tags": [],`
			`"custom_fields": {},`
			`"created": "2020-08-05",`
			`"last_updated": "2020-08-05T16:51:14.990506Z"`
Added API doc for working with secrets 2017-03-21 16:00:02 -04:00			`}`
			```

			`!!! note`
Finished updating REST API documentation 2020-08-05 13:40:06 -04:00			Don't forget to include the `Content-Type: application/json` header when making a POST or PATCH request.