JIRA Forge: Storing private keys securely

Hi team,

I want to allow JIRA Forge to safely store a rsa-2048 private key generated by us so that Forge can sign it as a JWT type and generate an assertion at runtime. But it seems that the forge variables are not allowing me to store something like this at the moment.

forge variables set --encrypt PRIVATE_KEY_USER_VAR "-----BEGIN RSA PRIVATE KEY...
Error: unknown option '-----BEGIN RSA PRIVATE KEY...
WrapperError: unknown option '-----BEGIN RSA PRIVATE KEY...
   at /usr/local/lib/node_modules/@forge/cli/out/command-line/command.js:124:19
    at Command._exitCallback (/usr/local/lib/node_modules/@forge/cli/out/command-line/command.js:42:44)
    at Command._exit (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:888:12)
    at Command._displayError (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1729:10)
    at Command.unknownOption (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1778:10)
    at checkForUnknownOptions (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1482:16)
    at Command._parseCommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1488:9)
    at Command._dispatchSubcommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1443:18)
    at Command._parseCommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1460:12)
    at Command._dispatchSubcommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1443:18)
    at Command._parseCommand (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1460:12)
    at Command.parse (/usr/local/lib/node_modules/@forge/cli/node_modules/commander/index.js:1292:10)
    at Command.parse (/usr/local/lib/node_modules/@forge/cli/out/command-line/command.js:182:22)
    at Object.exports.main (/usr/local/lib/node_modules/@forge/cli/out/command-line/index.js:64:20)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

What recommendations would you have? Thank you in advance.

Hi @DJO ,

Can you try calling forge variables set instead? This will prompt you to input values via CLI (if the value should be encrypted, what the variable key is, and what is the intended value). This should help you address the leading hyphens causing the command to treat the variable value as an option.



That worked, thanks @iragudo !

1 Like

@iragudo I have one more question while we are at this.

When we deploy this app to production, do we have to manually perform forge variables...? In the case we want to rotate keys, will we need to re-deploy the app?

Hi @DJO ,

I confirmed with the Forge team and here are the answers to your query:

Yes, since you are promoting the app to a different environment (production), you have to do this step.

There’s no need to re-deploy the app.

Hope this helps.



@iragudo When I do forge variables set, there is no prompt that asks me which workspace to install these environment variables to. How do I ensure I target to the right workspace, e.g. myworkspace.atlassian.net?

Hi, @DJO . If you’re asking how to select a specific site for an environment variable being set, then that is not possible. An environment variable is tied to the app and not to the site it is installed in which means the value is consistent across all sites.


Environment variables are tied to the app, gotcha.

Thank you for clarifying!