Node settings values encryption

What is node settings encryption?

In conf/messaging-server/platform.properties, some values are secrets that should not be stored in clear text. For example:

  • ssl.key.password=myP@ssword : the password that opens the keystore used to configure TLS (HTTPS) connections

In this case, the encrypt-value tool can be used to generate encrypted values for use in messaging-server/platform.properties. For example:

  • ssl.key.password=myP@ssword can be converted to ssl.key.password=${encrypted:/Jny9NNfptGitSbr0yX+TvkRlHe5rUchC8+cvWnJUxY=}



Encryption key file usage

The node settings encryption mechanism uses the encryption key file to encrypt and decrypt data. The same key that was used to encrypt a value must be available on the node at startup; otherwise the encrypted property values cannot be decrypted. Treat the key file as a secret in its own right: anyone who can read both the key file and platform.properties can recover every encrypted value, so restrict its file permissions and keep it out of version control and configuration backups.

Algorithm used: AES in CBC mode with PKCS5 padding (AES/CBC/PKCS5Padding), with a 128-bit key and a randomly generated 128-bit initialization vector. Because the IV is random, encrypting the same clear value twice produces two different encrypted values; both decrypt to the same clear text.

Reserved word

The ${encrypted:...} prefix is a reserved word. Do not use this prefix in any context other than platform.properties value encryption.

How to generate encryption key

A tool is provided to generate the encryption key: <node dir>/bin/generate-encryption-key.bat (Windows) or <node dir>/bin/generate-encryption-key.sh (Linux).

Usage
 generate-encryption-key(.bat)(.sh)

How to encrypt values in platform.properties?

Encrypt a value

A tool is provided to convert a clear-text value to its encrypted form: <node dir>/bin/encrypt-value.bat (Windows) or <node dir>/bin/encrypt-value.sh (Linux).

Usage
 encrypt-value(.bat)(.sh)

An encryption key is mandatory to encrypt values:

  • if there is no encryption key, values cannot be encrypted and the script stops.

The script prompts for a value and prints the encrypted content:

Encrypted value format
 ${encrypted:+Mpt1CFBV9rgPKNXzLnzowxsoGudW9yieTfeHG4WnP4=}

Usage in platform.properties

In messaging-server/platform.properties, replace the clear value with the previously generated data. Example:

  • from
platform.properties: unencrypted value
(...)
ssl.key.password=myP@ssword
(...)
  • to
platform.properties: encrypted value
(...)
ssl.key.password=${encrypted:+Mpt1CFBV9rgPKNXzLnzowxsoGudW9yieTfeHG4WnP4=}
(...)

Limitations

  • no tool is provided to decrypt encrypted data; the node decrypts the values itself at startup, using the encryption key file
  • do not mix encrypted and non-encrypted content in one value: the ${encrypted:...} token must be the whole property value, not a fragment of it:
Incorrect usage
(...)
my.crypted.value=/here/a/value/${encrypted:Wv4/ocYdjeM0e1eKKTyq5Sr3fYYYJWQAGGhZ/lVvgrA=}
(...)
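To make the mechanism concrete, here is an added Go program that is not part of this page nor the product's own tooling. It implements AES/CBC/PKCS5Padding with a 128-bit key and a random 128-bit IV, produces and consumes the ${encrypted:...} token, and resolves a platform.properties-style fragment the way a node must at startup, rejecting a composed value as the Limitations require. Assumptions that the page does not document: the token body is base64 of the IV followed by the ciphertext (the page's sample tokens decode to 32 bytes, one IV plus one AES block for a short password, which is consistent with this layout but does not prove it), the key file format is not modeled, and all function names are mine. Tokens produced here will not interoperate with the vendor tools unless the real layout matches.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Reserved word from the page; a token is encPrefix + base64 + encSuffix.
const encPrefix, encSuffix = "${encrypted:", "}"

// GenerateKey stands in for generate-encryption-key: 16 random bytes, the 128-bit AES key.
// The real tool's key file format is not documented on the page and is not modeled.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 16)
	_, err := rand.Read(key)
	return key, err
}

// PKCS5 padding, the "PKCS5Padding" part of AES/CBC/PKCS5Padding.
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding") // also what a wrong key almost always produces
	}
	return b[:len(b)-n], nil
}

// EncryptValue stands in for encrypt-value: clear text in, ${encrypted:...} token out.
// Assumed layout: base64(IV || ciphertext). A fresh IV per call means the same value
// encrypted twice yields two different tokens that decrypt to the same text.
func EncryptValue(key []byte, clear string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs5Pad([]byte(clear))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return encPrefix + base64.StdEncoding.EncodeToString(append(iv, ct...)) + encSuffix, nil
}

// DecryptValue is what the node must do at startup (the page ships no decrypt tool);
// it only succeeds with the same key that produced the token.
func DecryptValue(key []byte, token string) (string, error) {
	if !strings.HasPrefix(token, encPrefix) || !strings.HasSuffix(token, encSuffix) {
		return "", errors.New("not a ${encrypted:...} token")
	}
	raw, err := base64.StdEncoding.DecodeString(token[len(encPrefix) : len(token)-len(encSuffix)])
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("token is not base64(IV || whole AES blocks)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	out, err := pkcs5Unpad(pt)
	return string(out), err
}

// ResolveProperties reads key=value lines and decrypts tokens the way a node would.
// A token must be the whole value; a value that merely contains "${encrypted:" is the
// composed case the Limitations forbid and is rejected instead of guessed at.
func ResolveProperties(key []byte, text string) (map[string]string, error) {
	props := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		k, v, _ := strings.Cut(line, "=") // a line without "=" becomes a key with an empty value
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		switch {
		case strings.HasPrefix(v, encPrefix) && strings.HasSuffix(v, encSuffix):
			clear, err := DecryptValue(key, v)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", k, err)
			}
			props[k] = clear
		case strings.Contains(v, encPrefix):
			return nil, fmt.Errorf("%s: ${encrypted:...} must be the whole value, got %q", k, v)
		default:
			props[k] = v
		}
	}
	return props, nil
}
```

Usage: key, _ := GenerateKey(); tok, _ := EncryptValue(key, "myP@ssword"); then ResolveProperties(key, "ssl.key.password="+tok+"\n") returns the clear password, while ResolveProperties(key, "my.crypted.value=/here/a/value/"+tok+"\n") returns an error. One caveat a practitioner should keep in mind: AES/CBC with PKCS5 padding as described on the page provides confidentiality only. The token carries no authentication tag, so a modified token is noticed only when the padding happens to break, not by design; the file permissions on platform.properties and the key file are what protect integrity.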


