Encrypted values and secrets
In some cases, you may need to pass sensitive data, such as tokens, credentials, and passwords, to the system. signageOS provides a mechanism to asymmetrically encrypt this data and store it in an encrypted form.
Currently, Applet/Timing configurations support the use of encrypted values. To learn more about this value type, read Env variables and configuration.
Prerequisites
Before you begin, ensure you have the following:
- A signageOS account.
- signageOS CLI installed.
- At least one organization set up in signageOS Box (create one here).
- A Tizen device with Tizen CA version 2.8.0-beta.2 or newer.
- Secrets enabled for your company. Contact signageOS support to enable this feature.
- A terminal application (e.g., Shell, Gitbash, PowerShell, Windows Terminal, or Cmder).
- A multi-file applet, generated and uploaded via the signageOS CLI, whose configuration uses the encrypted value type. Read more about value types in Env variables and configuration and Generate Applet project.
Use via signageOS API
- Log in to Box and navigate to your company's detail page at https://box.signageos.io/company/{companyUid}. There you can find the public key for your company. You must be at least a company manager to access this page.
- Download the jose library (or any other tool which produces the same result).
- Use jose to encrypt your value
import { GeneralEncrypt, importSPKI } from 'jose';

// <your public key> is the SPKI PEM from the company detail page in Box.
const key = await importSPKI(<your public key>, 'RSA-OAEP-256');
// JWE payloads are bytes, so encode the value as UTF-8 text first.
const encodedMessage = new TextEncoder().encode(String(<value to encrypt>));
// General JSON serialization: content encrypted with AES-256-GCM, the content
// key wrapped for the company public key with RSA-OAEP-256.
const jwe = await new GeneralEncrypt(encodedMessage)
  .setProtectedHeader({ enc: 'A256GCM' })
  .addRecipient(key)
  .setUnprotectedHeader({ alg: 'RSA-OAEP-256' })
  .encrypt();
// The configuration value is the base64-encoded JWE JSON.
const encryptedValue = Buffer.from(JSON.stringify(jwe)).toString('base64');
- Create a timing which deploys the applet to the target device.
Use in Box
In Box, the process is much simpler, as encryption is handled automatically. Simply create a new Timing with the previously created applet and the appropriate configuration.
Use via device policy
Another way to use encrypted values is by configuring an applet through a device policy. Simply create a device policy, add your applet with the appropriate configuration as a policy item, and assign the policy to the target device(s).
You can create the device policy in either of two ways: via Box or the API.
Final step
If everything went well, the final step is to verify that the encrypted value is present on the device. If you can debug the device, check the console to confirm that the sos.config object contains your encrypted value in its decrypted form. You can use this value in your applet or simply print it on the screen; the goal is to ensure that the original raw data is accessible.
Note that only the target device can decrypt the value using its own private key.
Encryption details
We use the RSA-OAEP-256 encryption algorithm to ensure that all values are securely encrypted. This algorithm provides strong cryptographic security for data protection. Our implementation uses an encryption length of 256 bits (or 32 bytes). This encryption approach is designed to meet the highest industry standards for data confidentiality and integrity.