ofbiz-user mailing list archives

From pratyush Giri <hacker.kids....@gmail.com>
Subject Re: Ofbiz Encryption Model and Key Rotation
Date Wed, 18 Mar 2020 18:12:29 GMT
Hi Jacques,


First, I thought I had posted it to the User ML, and if it reached
somewhere else, I apologize.

I have a few entities which I have created for a plugin and these entities
have columns in the entities where encrypt="true".

With this, I have tested that when I save some data to these fields, they
are encrypted (used a SELECT in SQL to verify). In my seed data, I have
also added a Keystore entry with a key and a key text. I do not do anything
fancy, just set the entity attributes and then save them.


This means that Ofbiz is using some keys to encrypt the columns. Then when
I went into my entity reference and checked the Key Store entries, along
with my key I see a bunch of other keys and key text. Please note that I
did a clean all followed by a loadProdData (no demo data in my instance).

Questions:
1. Where are these other keys coming from?
2. Which key was used to encrypt these columns?
3. For security reasons, I would like to rotate keys (say annually). How do
I do that? I see EntityDataServices has the following 2 services. Is that
what needs to be done?

<service name="reencryptPrivateKeys" engine="java" auth="true"
        transaction-timeout="14400"
        location="org.apache.ofbiz.entityext.data.EntityDataServices"
        invoke="reencryptPrivateKeys">
    <description>Re-encrypt the private keys, encrypted in
        EntityKeyStore with oldKey, using the newKey.</description>
    <attribute name="oldKey" type="String" mode="IN" optional="true"/>
    <attribute name="newKey" type="String" mode="IN" optional="true"/>
</service>

<service name="reencryptFields" engine="java" auth="true"
        transaction-timeout="14400"
        location="org.apache.ofbiz.entityext.data.EntityDataServices"
        invoke="reencryptFields">
    <description>Re-encrypt all the encrypted fields in the data
        model.</description>
    <attribute name="groupName" type="String" mode="IN"
        optional="true" default-value="org.apache.ofbiz"/>
</service>

Overall, it would be a good idea to understand these, and I am looking for
someone who has knowledge or understanding of them.

Any suggestions are greatly appreciated.

Best,
Pratyush




On Wed, Mar 18, 2020 at 12:30 AM Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

> Hi Pratyush,
>
>
> Your message has been moderated.
>
> Please subscribe to the user ML for such questions and then use your email
> client.
> See why here http://ofbiz.apache.org/mailing-lists.html.
>
> You will get a better support, people can answer you on the ML.
> The wider the audience the better the answers you might get.
>
> Also it's more work for moderators who have to accept your messages as
> long as you have not subscribed.
> I'll personally no longer accept them (other moderators still could).
>
> Thanks
>
> This said, in what context do you use encryption keys? Can you refer to a
> code section or something?
>
> Jacques
>
> Le 18/03/2020 à 07:30, pratyush Giri a écrit :
> > Hi All,
> >
> > I am looking to understand on my production system
> >
> > 1. How and where I can configure encryption keys.
> > 2. If I need to rotate the encryption keys, what is the process to do so?
> >
> >
> > Thank you in advance.
> >
> > Best,
> > Pratyush
>
>
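The two service descriptions quoted above distinguish two different rotations: reencryptPrivateKeys(oldKey, newKey) re-encrypts the keys held in EntityKeyStore, while reencryptFields re-encrypts the field data itself. The Python below is an added illustration of that two-level model (a per-entity data key, stored wrapped under a master key), written for this page; it is not OFBiz code and makes no claim about how EntityCrypto is implemented. The cipher is a toy HMAC-SHA256 construction standing in for a real block cipher so the example runs with the standard library only, and the key-store layout (one entry per entity that has encrypted fields, created the first time such an entity is saved) is an assumption chosen to show why the key store fills up with entries the user did not add by hand.

```python
import hashlib
import hmac
import secrets

# Toy authenticated stream cipher: HMAC-SHA256 keystream, encrypt-then-MAC.
# Stand-in for a real block cipher so the example has no dependencies; NOT a
# production cipher and NOT what OFBiz uses (assumption for illustration).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; a wrong key raises ValueError."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class KeyStore:
    """Key name -> key text. Here the key name is the entity name and the key
    text is the entity's data key wrapped (encrypted) under the master key."""
    def __init__(self):
        self.entries = {}

    def data_key(self, kek: bytes, entity: str) -> bytes:
        # First save into an entity with encrypted fields creates its entry,
        # which is how entries appear that nobody added to seed data.
        if entity not in self.entries:
            self.entries[entity] = seal(kek, secrets.token_bytes(32))
        return open_(kek, self.entries[entity])

def encrypt_field(ks: KeyStore, kek: bytes, entity: str, value: str) -> bytes:
    return seal(ks.data_key(kek, entity), value.encode())

def decrypt_field(ks: KeyStore, kek: bytes, entity: str, blob: bytes) -> str:
    return open_(ks.data_key(kek, entity), blob).decode()

def decrypts_with(ks: KeyStore, kek: bytes, entity: str, blob: bytes) -> bool:
    """Post-rotation check: does this master key still open the field?"""
    try:
        decrypt_field(ks, kek, entity, blob)
        return True
    except ValueError:
        return False

def reencrypt_private_keys(ks: KeyStore, old_kek: bytes, new_kek: bytes) -> int:
    """Master-key rotation (cf. reencryptPrivateKeys): rewrap every stored
    data key under new_kek. Field ciphertext in the tables is untouched."""
    ks.entries = {name: seal(new_kek, open_(old_kek, blob))
                  for name, blob in ks.entries.items()}
    return len(ks.entries)

def reencrypt_fields(ks: KeyStore, kek: bytes, records: dict) -> int:
    """Data-key rotation (cf. reencryptFields): for each entity, decrypt
    every field with the current data key, issue a fresh data key, and
    re-encrypt. records is {entity: [{field: blob, ...}, ...]} (constructed)."""
    count = 0
    for entity, rows in records.items():
        old_key = ks.data_key(kek, entity)
        new_key = secrets.token_bytes(32)
        ks.entries[entity] = seal(kek, new_key)
        for row in rows:
            for fld, blob in row.items():
                row[fld] = seal(new_key, open_(old_key, blob))
                count += 1
    return count

if __name__ == "__main__":
    ks, kek_2019, kek_2020 = KeyStore(), secrets.token_bytes(32), secrets.token_bytes(32)
    records = {"MyPluginEntity": [{"secretField": encrypt_field(ks, kek_2019, "MyPluginEntity", "hello")}]}
    print("keys rewrapped:", reencrypt_private_keys(ks, kek_2019, kek_2020))
    print("old master key still works:", decrypts_with(ks, kek_2019, "MyPluginEntity", records["MyPluginEntity"][0]["secretField"]))
    print("fields re-encrypted:", reencrypt_fields(ks, kek_2020, records))
```

The point to take from the model is the cost and scope of each rotation: rewrapping under a new master key touches only the key-store rows and leaves every encrypted column byte-for-byte unchanged, whereas rotating the data keys rewrites every encrypted value in every table, which is why a long transaction timeout on such a service is plausible. After either rotation the check worth running is that the old master key no longer opens any field and the new one opens all of them.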
