Encrypting configuration properties

Alfresco Content Services, release 23.4
You can encrypt sensitive values referenced from the alfresco-global.properties configuration file. The encryption is controlled by the following properties:

Property                               Default Value          Description
props.encryption.keySize               512                    The key size, in bits.
props.encryption.encryptionAlgorithm   RSA/ECB/PKCS1Padding   The encryption algorithm, given as a JCE transformation name.
props.encryption.legacyMode            false                  Generates the encrypted value in the old format used by releases 6.2 and earlier.

Supported encryption algorithms and key sizes (in bits):

Algorithm                               Key Sizes
RSA/ECB/PKCS1Padding                    512, 1024, 2048
RSA/ECB/OAEPWithMD5AndMGF1Padding       512, 1024, 2048
RSA/ECB/OAEPWithSHA-224AndMGF1Padding   1024, 2048
RSA/ECB/OAEPWithSHA-256AndMGF1Padding   1024, 2048
RSA/ECB/OAEPWithSHA-384AndMGF1Padding   1024, 2048
RSA/ECB/OAEPWithSHA-512AndMGF1Padding   2048
AES/CBC/PKCS5Padding                    128, 192, 256
AES/ECB/PKCS5Padding                    128, 192, 256
DESede/CBC/PKCS5Padding                 128
DESede/ECB/PKCS5Padding                 128

Note: The default, 512-bit RSA, and the DESede (3DES) options are well below current key-strength recommendations, and ECB mode for AES and DESede leaks whether two plaintext blocks are equal. For a new deployment, choose 2048-bit RSA or AES/CBC/PKCS5Padding with a 256-bit key from the table above.

The generated key(s) need to be placed in: <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension/enterprise.

  1. Run the Alfresco Encrypted Properties Management Tool.
    1. Navigate to the <ALFRESCO_HOME>/bin directory.
    2. Locate the Alfresco Encrypted Properties Management Tool, alfresco-spring-encryptor.jar.
    3. Run the executable jar file:
      java -jar alfresco-spring-encryptor.jar
      Run without arguments, the tool prints a usage message listing the available actions: initkey, encrypt, and validate.
  2. Generate the keys using the initkey function.
    Note: If using an RSA algorithm, a public and private key pair is stored in the enterprise directory. If using an AES or DESede algorithm, a single secret key is generated. In the following commands, the argument /usr/local/tomcat/shared/classes is the example location of your <ALFRESCO_HOME>/tomcat/shared/classes directory; adjust it to your installation.
    • If using the default settings, type the following command to generate the keys:
      java -jar alfresco-spring-encryptor.jar initkey /usr/local/tomcat/shared/classes
    • If using the AES algorithm, type the following command to generate the keys:
      java -Dprops.encryption.keySize=256 -Dprops.encryption.encryptionAlgorithm=AES/CBC/PKCS5Padding -jar alfresco-spring-encryptor.jar initkey /usr/local/tomcat/shared/classes
    Depending on the selected method of generating keys, one of the following results occurs:
    Method            Result
    Default settings  The command line reports the directory where the public and private keys were generated. The following keys are created in the <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension/enterprise directory:
                      • public key: alfrescoSpringKey.pub
                      • private key: alfrescoSpringKey.pri
    AES               The command line shows the command to use to encrypt a string, reports the secret key file that was created, and prompts you to set permissions on the key so that it stays protected. The encryption key alfrescoSpringKey.key is created in the <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension/enterprise directory.
    Note: The private key file (alfrescoSpringKey.pri), or the secret key file (alfrescoSpringKey.key) for AES and DESede, must be secured with operating system permissions so that it can be read only by the account that runs the Content Services process. Anyone who can read this file can decrypt every value encrypted with it.
  3. Generate the encrypted string for your password or value using the encrypt function and doing one of the following:
    Note: In the following commands, replace <password> with the actual password that you want to encrypt, and pass the same -Dprops.encryption settings that you used for initkey. Because the password is given as a command-line argument, it is visible in your shell history and in the process list while the command runs; remove the history entry afterwards.
    • If using the default settings, type the following command to generate the encrypted string:
      java -jar alfresco-spring-encryptor.jar encrypt /usr/local/tomcat/shared/classes <password>
    • If using the legacy mode, type the following command to generate the encrypted string:
      java -Dprops.encryption.legacyMode=true -jar alfresco-spring-encryptor.jar encrypt /usr/local/tomcat/shared/classes <password>
    • If using the AES algorithm, type the following command to generate the encrypted string:
      java -Dprops.encryption.keySize=256 -Dprops.encryption.encryptionAlgorithm=AES/CBC/PKCS5Padding -jar alfresco-spring-encryptor.jar encrypt /usr/local/tomcat/shared/classes <password>
    Depending on the selected method of generating the encrypted string, one of the following results occurs:
    Method            Result
    Default settings  The command line shows the encrypt command together with the key size, key algorithm, and encryption algorithm in use, followed by the encrypted string.
    Legacy mode       The command line shows the encrypt command, a message that legacy mode is enabled and the default encryption is in use, and the key size, key algorithm, and encryption algorithm, followed by the encrypted string.
                      Note: In legacy mode, the value is always encrypted with RSA/ECB/PKCS1Padding and a 512-bit key.
    AES               The command line shows the encrypt command together with the key size, key algorithm, and encryption algorithm in use (here AES/CBC/PKCS5Padding with a 256-bit key), followed by the encrypted string.
  4. Validate the encrypted value obtained in step 3 by running the validate function:
    java -jar alfresco-spring-encryptor.jar validate /usr/local/tomcat/shared/classes <encrypted value> <password>
    Note: Replace <encrypted value> with the encrypted string obtained in step 3, and <password> with the original plain-text value. Mode, encryption algorithm, and key size do not need to be specified because they are detected automatically: the encrypted value records them itself (the Base64 in the step 5 example decodes to the prefix AES/CBC/PKCS5Padding;256; followed by the ciphertext bytes).
  5. Add the encrypted password to the <ALFRESCO_HOME>/tomcat/shared/classes/alfresco-encrypted.properties file by adding the following line:
    db.password.enc=ENC(<encrypted password>)

    For example:

    db.password.enc=ENC(QUVTL0NCQy9QS0NTNVBhZGRpbmc7MjU2O3JTdRMq9sgLhX2BwSIo6Sua94maf/pFMEQrNJg9od+k)
  6. Set the value of the db.password property in the alfresco-global.properties file to reference the db.password.enc property from alfresco-encrypted.properties by adding the following line:
    db.password=${db.password.enc}

    The ENC() wrapper protects the value only against readers who do not have the key: anyone who can read both alfresco-encrypted.properties and the key file in the enterprise directory can recover the password. Restrict the key file as described in step 2, and keep the encrypted properties file at least as tightly permissioned as alfresco-global.properties.
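The script below is an added example for this page; it is not part of Alfresco or of alfresco-spring-encryptor. It covers two checks a practitioner wants after steps 2 to 6: reading back which algorithm and key size a stored ENC(...) value declares, and confirming that the key file carries the permissions required in step 2. The header layout it parses (Base64 of "<algorithm>;<keySize>;" followed by the ciphertext) is what decoding the page's own example value shows, not a documented format guarantee. It assumes GNU coreutils (base64 -d, stat -c) as found on a typical Linux host; the --scan mode, its default paths, and the "weak" policy in enc_is_weak are the editor's conventions.

```shell
#!/bin/sh
# Added example, not Alfresco code. Inspects ENC(...) values written to
# alfresco-encrypted.properties and checks key-file permissions.
# Assumes GNU coreutils (base64 -d, stat -c).

# Pull the Base64 payload out of "ENC(...)", from a bare value or a whole
# "name=ENC(...)" property line. Prints nothing if the pattern is absent.
enc_payload() {
  printf '%s' "$1" | sed -n 's/.*ENC(\([^)]*\)).*/\1/p'
}

# Print "<algorithm>;<keySize>" from the value's plain-text header
# (observed layout: "AES/CBC/PKCS5Padding;256;" + ciphertext bytes).
# NUL and newline bytes from the ciphertext are dropped so the output is
# one line; fields 1 and 2 are unaffected because the header comes first.
enc_header() {
  enc_payload "$1" | base64 -d 2>/dev/null | LC_ALL=C tr -d '\000\n' \
    | LC_ALL=C cut -d';' -f1,2
}

# Editor's policy, not Alfresco's: return 0 (true) for parameter choices
# from the supported-algorithm table that should not be used for new
# deployments.
enc_is_weak() {
  hdr=$(enc_header "$1")
  alg=${hdr%%;*}
  size=${hdr#*;}
  case "$alg" in
    DESede/*)  return 0 ;;   # 3DES: 112-bit effective strength, deprecated
    AES/ECB/*) return 0 ;;   # ECB: equal plaintext blocks give equal ciphertext
    RSA/*)
      case "$size" in
        512|1024) return 0 ;;   # below the 2048-bit floor for RSA
      esac ;;
  esac
  return 1
}

# Return 0 if the key file exists and its mode is 0600 or 0400, i.e. readable
# only by the owner (the account that runs Content Services).
key_perm_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Usage: ./enc-check.sh --scan [/path/to/tomcat/shared/classes]
# Reports every ENC(...) property and the private/secret key permissions.
# The default path is the page's example path (hypothetical location).
if [ "${1:-}" = "--scan" ]; then
  CLASSES=${2:-/usr/local/tomcat/shared/classes}
  grep 'ENC(' "$CLASSES/alfresco-encrypted.properties" | while IFS= read -r line; do
    name=${line%%=*}
    if enc_is_weak "$line"; then verdict="WEAK"; else verdict="ok"; fi
    printf '%s: %s (%s)\n' "$name" "$(enc_header "$line")" "$verdict"
  done
  ENT="$CLASSES/alfresco/extension/enterprise"
  for key in "$ENT/alfrescoSpringKey.pri" "$ENT/alfrescoSpringKey.key"; do
    [ -e "$key" ] || continue
    if key_perm_ok "$key"; then printf '%s: permissions ok\n' "$key"
    else printf '%s: permissions too open, run chmod 600\n' "$key"; fi
  done
fi
```

Because the header is stored in clear, the ENC() value itself tells an attacker which algorithm protects the secret; what it does not give them is the key, which is why the permissions check matters more than the choice of wrapper. The public key alfrescoSpringKey.pub is deliberately not checked, since it does not need to be private.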