Encrypting the Agent token – Linux (Red Hat)
Invicti Agent token encryption for Linux (Red Hat)
This document describes how to securely encrypt and store the Invicti Agent token on Linux-based systems.
Unlike Windows, which uses DPAPI for encryption, Linux environments typically rely on GnuPG (gpg) or OpenSSL to protect sensitive credentials.
The objective is to prevent unauthorized access to the Invicti Agent token, particularly in multi-user or automated environments where filesystem access may be shared.
Prerequisites
- Linux system (Red Hat, CentOS, Fedora, etc.)
- Invicti Agent installed
- Secure shell (command line) access
- Administrative privileges (sudo)
- GnuPG (gpg) or OpenSSL installed (on Red Hat-family systems the GnuPG package is named gnupg2):
sudo yum install gnupg2 openssl
Step 1: Create a secure directory for token storage
Run this command:
sudo mkdir -p /opt/invicti/agent-secure
Step 2: Generate a GPG Key (if not already available)
You may use an existing personal key or create a dedicated service account key.
gpg --full-generate-key
Follow the prompts:
- Choose RSA and RSA (default)
- Key size: 2048 or 4096
- Set an expiry period
- Provide user details
List keys to identify the KEY-ID:
gpg --list-keys
Step 3: Encrypt the agent token
Assume your token is stored in agent_token.txt.
Encrypt with GPG:
gpg -e -r "<KEY-ID or email>" -o /opt/invicti/agent-secure/agent_token.gpg agent_token.txt
Replace <KEY-ID or email> with your GPG identifier.
Immediately remove the plaintext file:
shred -u agent_token.txt
Step 4: Decrypt and use the token in automation
To decrypt when the agent needs the token:
gpg -d /opt/invicti/agent-secure/agent_token.gpg > /opt/invicti/agent-secure/agent_token.txt
After the token is used, securely delete it:
shred -u /opt/invicti/agent-secure/agent_token.txt
For automation:
- Ensure the agent process owner has access to the GPG private key.
- Consider using an unattended key (no passphrase) for service accounts, but secure it carefully.
Alternative method: Encrypt with OpenSSL
If you prefer OpenSSL (password-based encryption):
Encrypt:
openssl enc -aes-256-cbc -salt -pbkdf2 -in agent_token.txt -out /opt/invicti/agent-secure/agent_token.enc
Decrypt:
openssl enc -d -aes-256-cbc -pbkdf2 -in /opt/invicti/agent-secure/agent_token.enc -out /opt/invicti/agent-secure/agent_token.txt
The -pbkdf2 option selects PBKDF2 for deriving the key from the password; without it, openssl falls back to its legacy, weaker key derivation and prints a deprecation warning. Use the same option on both the encrypt and decrypt commands, otherwise decryption fails.
⚠️ For automation, store the password securely (e.g., in an environment variable or a secrets manager).
Step 5: Secure file permissions
Restrict token access to the Invicti Agent service user:
sudo chown agentuser:agentgroup /opt/invicti/agent-secure/agent_token.gpg
Step 6: Integrate with agent startup
Modify the agent’s startup script to:
- Decrypt the token just-in-time.
- Pass it securely to the agent process.
- Immediately remove any plaintext file after use.
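An added example of the startup wrapper described in Step 6 (not Invicti's own script): it decrypts the token straight into a shell variable and hands it to the agent through its environment, so no plaintext file is ever written and nothing needs to be shredded afterwards. It assumes the encrypted file has been restricted to mode 600 or 400 (a check added on top of the chown in Step 5), and that the agent reads its token from an environment variable, here given the hypothetical name INVICTI_AGENT_TOKEN; DECRYPT_CMD defaults to gpg as in Step 4 and can be pointed at the OpenSSL variant instead.

```shell
#!/bin/sh
# Added example, not Invicti's own startup script.
set -eu

SECURE_DIR="${SECURE_DIR:-/opt/invicti/agent-secure}"
TOKEN_FILE="${TOKEN_FILE:-$SECURE_DIR/agent_token.gpg}"
# Decryptor that writes the plaintext token to stdout; the file name is appended.
# Default is gpg as in Step 4. For the OpenSSL variant use, for example:
#   DECRYPT_CMD="openssl enc -d -aes-256-cbc -pbkdf2 -pass env:TOKEN_PASS -in"
DECRYPT_CMD="${DECRYPT_CMD:-gpg --batch --quiet --decrypt}"
# Environment variable the agent reads its token from (hypothetical name).
TOKEN_VAR="${TOKEN_VAR:-INVICTI_AGENT_TOKEN}"

# check_token_file: refuse to proceed unless the encrypted token is a regular
# file readable by its owner only (mode 600 or 400).
check_token_file() {
  f="$1"
  [ -f "$f" ] || { echo "token file missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "refusing: $f has mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
}

# read_token: decrypt directly into a shell variable; nothing touches disk.
read_token() {
  check_token_file "$1" || return 1
  token=$($DECRYPT_CMD "$1") || { echo "decryption failed" >&2; return 1; }
  [ -n "$token" ] || { echo "decrypted token is empty" >&2; return 1; }
  printf '%s' "$token"
}

# run_agent_with_token: pass the token to the agent command via its
# environment only, e.g. run_agent_with_token /path/to/agent --flags
run_agent_with_token() {
  token=$(read_token "$TOKEN_FILE") || return 1
  env "$TOKEN_VAR=$token" "$@"
}
```

A token passed this way is visible in the process environment of the agent only to that user and root, which is the same boundary the file permissions in Step 5 enforce.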
Security considerations
- Never store the plaintext token longer than necessary.
- Restrict file and directory permissions to the agent service user only.
- Ensure your GPG private key is secure and inaccessible to unauthorized users.
- With OpenSSL, avoid hard-coding passwords in scripts.
- For enterprise deployments, integrate with a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager).
FAQ
Q: Can I use a hardware security module (HSM) or a secrets manager?
A: Yes, HSMs or enterprise secret managers (Vault, AWS Secrets Manager, Azure Key Vault, etc.) are recommended for stronger protection.
Q: What if my agent runs in a container?
A: Use container-native secret mechanisms, such as Docker Secrets or Kubernetes Secrets, to inject the token at runtime instead of storing it on disk.
✅ With this setup, your Invicti Agent token is encrypted at rest and only exposed in memory when needed, significantly reducing the risk of compromise.