From 9b3c38b3ed886f06cd945a3dfd34aa7d8f8817c1 Mon Sep 17 00:00:00 2001
From: Michael Schurter
Date: Tue, 24 Oct 2023 15:48:15 -0700
Subject: [PATCH] docs: deprecate rsadecrypt (#18856)

`rsadecrypt` uses PKCS #1 v1.5 padding which has multiple known weaknesses. While it is possible to use safely in Nomad, we should not encourage our users to use bad cryptographic primitives. If users want to decrypt secrets in jobspecs we should choose a cryptographic primitive designed for that purpose.

`rsadecrypt` was inherited from Terraform which only implemented it to support decrypting Window's passwords on AWS EC2 instances: https://github.com/hashicorp/terraform/pull/16647

This is not something that should ever be done in a jobspec, therefore there's no reason for Nomad to support this HCL2 function.
---
 .../hcl2/functions/crypto/rsadecrypt.mdx | 12 ++++++++++++
 website/data/docs-nav-data.json | 7 ++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/website/content/docs/job-specification/hcl2/functions/crypto/rsadecrypt.mdx b/website/content/docs/job-specification/hcl2/functions/crypto/rsadecrypt.mdx
index 24e760c92..6f964b533 100644
--- a/website/content/docs/job-specification/hcl2/functions/crypto/rsadecrypt.mdx
+++ b/website/content/docs/job-specification/hcl2/functions/crypto/rsadecrypt.mdx
@@ -6,6 +6,18 @@ description: The rsadecrypt function decrypts an RSA-encrypted message.
 # `rsadecrypt` Function
+
+This function is deprecated and may be removed in the future.
+
+
+
+While it is possible to use safely, it encourages use of cryptographic
+primitives with known
+weaknesses. Nomad Variables
+and HashiCorp Vault are
+the recommended ways to provide secrets to workloads.
+
+
 `rsadecrypt` decrypts an RSA-encrypted ciphertext, returning the corresponding cleartext.
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
index c93c0a340..637e06560 100644
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -1316,7 +1316,12 @@
 },
 {
 "title": "rsadecrypt",
-"path": "job-specification/hcl2/functions/crypto/rsadecrypt"
+"path": "job-specification/hcl2/functions/crypto/rsadecrypt",
+"badge": {
+"text": "Deprecated",
+"type": "outlined",
+"color": "neutral"
+}
 },
 {
 "title": "sha1",