Property encryption
The Onegini Extension Engine is configured through environment variables in its docker compose file. Any of these values, in particular sensitive ones such as passwords, can be stored encrypted; the engine decrypts them with a master password when it starts. This topic guide covers generating that password, encrypting values and placing the encrypted values in the docker compose file.
Configure the property encryption password
| Property | Description |
|---|---|
| PROPERTY_ENCRYPTION_PASSWORD | The master password used to encrypt and decrypt property values. |
Note: Storing the property encryption password in the same docker compose file as the encrypted values offers little protection, since anyone who can read the file can decrypt everything in it. As an alternative, export the variable in the docker host's environment before running docker compose (referencing it as ${PROPERTY_ENCRYPTION_PASSWORD} in the compose file, which Docker Compose substitutes from the host environment) and unset it once the container has started. The password then never sits on disk in the compose file, but it is still visible in the running container's environment, for example via docker inspect, to anyone with access to the Docker daemon.
Encrypt property values
Property values are encrypted with the open source library Jasypt. The algorithm used, PBEWITHSHA256AND256BITAES-CBC-BC (a password-based scheme that derives an AES-256 key with SHA-256 and encrypts in CBC mode), is not available from the standard JRE security providers, so the BouncyCastle security provider is installed alongside Jasypt.
Install the Jasypt library
Download Jasypt from the Jasypt website and extract the archive into a directory of your choice, e.g. /opt. The commands below assume version 1.9.1, which extracts to a jasypt-1.9.1 directory.
Install a custom Java Cryptographic Provider
BouncyCastle is necessary because the algorithm used is not included in the standard Java cryptographic providers. Download the BouncyCastle provider jar and move it to the lib folder inside the extracted Jasypt archive; the scripts in bin put every jar in lib on the classpath.
Note: The Java Cryptography Extension (JCE) unlimited strength policy files are required to use 256-bit AES keys. Read this blog post for instructions on installing the proper JCE for your Java version. On Java 8u161 and later, and on Java 9 and later, unlimited strength cryptography is enabled by default, so this step is only needed on older releases.
Encrypt property values
The steps below encrypt a single value such as a password; repeat them for every property you want to protect. Navigate to the bin directory of the Jasypt installation:
cd <JASYPT_PATH>/jasypt-1.9.1/bin/
Generate a master password either using a password generator or the following command:
openssl rand -hex 32
Next, execute the following command:
./encrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CBC-BC" verbose="false" password='<MASTER_PASSWORD>' input='<TEXT_TO_ENCRYPT>'
Note: The master password is needed when starting and stopping the instances of the Onegini Extension Engine, and it is the only way to recover the encrypted values, so store it safely. See: configure the property encryption password.
The password and the input are single-quoted in the command above, so a single quote inside either of them must be written as the sequence '"'"' (close the single-quoted string, insert a double-quoted single quote, reopen the string); for example, input='it'"'"'s' passes the text it's. Be aware that both values end up in your shell history and, while the command runs, in the process list: clear the history afterwards, or run the command from a script that passes them through variables instead of typing them.
When the above command is executed the encrypted property value is printed to the screen. The last step is to configure the encrypted value as the actual value in the docker compose file, surrounded by ENC(<ENCRYPTED_VALUE>). Below is an example of an encrypted property value:
- SPRING_SECURITY_USER_PASSWORD=ENC(6sCtMDYFi5MhTfRk9x6tzVuc/TouSqLnTsajxGdOq/4=)
You can verify the result by decrypting it again. Jasypt uses a random salt, so encrypting the same plaintext twice produces two different ciphertexts; comparing a fresh encryption with the stored value is therefore not a valid check, decrypting is. Pass the base64 value without the ENC( ) wrapper:
./decrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CBC-BC" verbose="false" password='<MASTER_PASSWORD>' input='<TEXT_TO_DECRYPT>'
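The procedure above (encrypt with Jasypt, wrap the output in ENC(), put it in the compose file) and the single-quote rule, collected into one script as an added example that is not part of the Onegini or Jasypt distributions. It assumes a Jasypt 1.9.1 install under JASYPT_HOME with the BouncyCastle jar already in lib/, a master password kept in the file named by MASTER_PW_FILE (both default paths are hypothetical), and the compose layout shown in the constructed sample_compose fragment; the function names are the example's own. Passing the password and plaintext through shell variables makes the quoting rule unnecessary, so sq_quote exists only to produce a literal you can paste into an interactive command. The lint at the end catches the mistake the guide warns against: a password-like variable left in clear text.

```shell
#!/bin/sh
# Added example, not part of the Onegini or Jasypt distributions.
# Assumptions (hypothetical paths): JASYPT_HOME is the extracted Jasypt 1.9.1
# archive with the BouncyCastle jar already in lib/, and MASTER_PW_FILE holds
# the master password (e.g. the output of `openssl rand -hex 32`).
JASYPT_HOME=${JASYPT_HOME:-/opt/jasypt-1.9.1}
MASTER_PW_FILE=${MASTER_PW_FILE:-/etc/onegini/master.pw}
ALGORITHM="PBEWITHSHA256AND256BITAES-CBC-BC"
PROVIDER="org.bouncycastle.jce.provider.BouncyCastleProvider"

# Turn a value into a single-quoted shell literal for an interactive command:
# each ' becomes '"'"' (close the quote, a double-quoted ', reopen the quote).
sq_quote() {
    escaped=$(printf '%s' "$1" | sed "s/'/'\"'\"'/g")
    printf '%s\n' "'$escaped'"
}

# Format one compose environment entry in the ENC(...) form the engine expects.
compose_line() {
    printf '%s=ENC(%s)\n' "- $1" "$2"
}

# Encrypt one property and print its compose line. Password and plaintext are
# passed as expanded variables, so no quoting rule applies and neither value
# lands in shell history. They are still visible in `ps` while the JVM runs.
encrypt_property() {
    name=$1
    plaintext=$2
    master_pw=$(cat "$MASTER_PW_FILE") || return 1
    ciphertext=$("$JASYPT_HOME/bin/encrypt.sh" \
        providerClassName="$PROVIDER" algorithm="$ALGORITHM" verbose="false" \
        password="$master_pw" input="$plaintext") || return 1
    compose_line "$name" "$ciphertext"
}

# Lint a compose file on stdin: print the names of environment entries that
# look sensitive but are not wrapped in ENC(...). Returns 1 if any are found.
# PROPERTY_ENCRYPTION_PASSWORD is exempt: it cannot be encrypted with itself.
lint_compose() {
    found=$(grep -E '^[[:space:]]*-[[:space:]]*[A-Z0-9_]*(PASSWORD|SECRET|KEY|TOKEN)[A-Z0-9_]*=' \
        | grep -v '^[[:space:]]*-[[:space:]]*PROPERTY_ENCRYPTION_PASSWORD=' \
        | grep -Ev '=ENC\([A-Za-z0-9+/=]+\)[[:space:]]*$' \
        | sed -E 's/^[[:space:]]*-[[:space:]]*([A-Z0-9_]+)=.*/\1/')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed compose fragment for trying the lint (not a real deployment); the
# ENC value is the one from the guide, the clear-text DATABASE_PASSWORD is the
# defect the lint should report.
sample_compose() {
    cat <<'EOF'
services:
  extension-engine:
    environment:
      - PROPERTY_ENCRYPTION_PASSWORD=${PROPERTY_ENCRYPTION_PASSWORD}
      - SPRING_SECURITY_USER_PASSWORD=ENC(6sCtMDYFi5MhTfRk9x6tzVuc/TouSqLnTsajxGdOq/4=)
      - DATABASE_PASSWORD=changeme
      - SERVER_PORT=8080
EOF
}

# Usage: encprop.sh encrypt NAME PLAINTEXT | encprop.sh lint docker-compose.yml
case "${1:-}" in
    encrypt) encrypt_property "$2" "$3" ;;
    lint)    lint_compose < "$2" ;;
    demo)    sample_compose | lint_compose ;;
    *)       ;;  # no arguments: only define the functions
esac
```

Running the script with `demo` prints `DATABASE_PASSWORD` and exits non-zero; `lint docker-compose.yml` does the same against a real file and is cheap to add to a deployment pipeline. The `encrypt` mode reads the master password from a file rather than an argument so that it is never typed, but the Jasypt CLI itself still receives it as a process argument, which is why the comment on encrypt_property mentions `ps`.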