Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Content Encryption konfigurieren und Keystore einrichten

Expand
titletechnische Erklärung zur Verschlüsselung
  1. Derzeit sind 2 Encryption-Algorithmen verfügbar, CBC ist nicht empfohlen und wird entfernt:
    - AES/CBC/PKCS5PADDING
    - AES/GCM/NoPadding

    Die Unterschiede des Verfahrens sind in Wikipedia gut beschrieben, aber zur Verdeutlichung kann man sich die beiden Verfahren mal in der praktischen Anwendung auf das KGS-Logo ansehen:

    Image Removed

    AES/CBC

    Image Removed

    AES/GCM

Konfiguration des Encryption Service:
am Beispiel für das Repository CE (empfohlen wird GCM):
CE.encryptionservice.type=aes_cbc
CE.encryptionservice.aes_cbc.secret=alongsecretwithmorethan16bytes
oder:It makes sense to activate the encryption service exactly when the contents of the archive are to be encrypted. Examples of this would be if the content itself should not be read by administrators. For example, if PDF files are archived as documents in a cloud storage and a service provider has access to the data, the contents can be encrypted so that they cannot be read by humans.

Caution: The access key for decrypting the content must not be lost under any circumstances and it has to be stored securely so that authorized employees can access the access key at any time.

Requirements

There are no special requirements for using the encryption service. Only configuration of the service is necessary. The service can be configured individually for repositories. Only one included encryption algorithm is currently supported: AES/GCM/NoPadding

The encryption service can be enabled at any time. Any existing, unencrypted files are still accessible.

The encryption service can also be disabled at any time. Any existing encrypted files are still accessible, if the configured secret remains the same in the config, i.e. to disable the encryption and keep existing encrypted files accessible, only the encryptionservice.type has to be changed to none. The setting for the secret must remain the same.

Configuration

The encryption service is addressed via the repository (here using the CE repository as an example).

Code Block
CE.encryptionservice.type=aes_gcm

...


CE.encryptionservice.aes_gcm.secret=

...

<please use a key for encryption>


It makes sense that the secret is stored as an alias in the keystore, which points to a password in the KeystoreService. If no keystore is used, the secret must be entered here in plain text.

Note

Caution: Changing the secret is currently not possible, but can be implemented if necessary.

During encryption, a random vector is initially generated, which ensures that the same content is encrypted differently. This vector is placed in front of the encrypted data stream because it is needed again for decryption. Depending on the process, the size of the original file increases by up to 32 bytes, i.e. a different content length appears on the storage system.

Setting up the keystore

The keystore service should be set up to store the secrets (in the example for the CE repository):

Code Block
CE.keystoreservice.type        = pkcs12
CE.keystoreservice.pkcs12.name = ce-ks.p12


CE.keystoreservice.pkcs12.path = C://tiacore/
autodigit
/config//CE

Das Anlegen des Keystores kann durch unterschiedliche Methoden erfolgen:
- mit der tia core- Sap-HTTP Schnittstelle (ContentServer) wird dieser automatisch erzeugt (für die Ablage der Zertifikate)
- für die tia core- OSGi Schnittstelle muss der Keystore über ein separates Tool (autodigit
 


The keystore can be created in different ways:

  • Automatically with tia core Sap HTTP (ContentServer) (when storing certificates with keystore type pkcs12_storage)

  • Manually using a tool from kgs (tiacore-create-keystore.jar)

...

...

Filter by label (Content by label)
page
showLabelsfalse
max5
spacescom.atlassian.confluence.content.render.xhtml.model.resource.identifiers.SpaceResourceIdentifier@28a7b0
showSpacefalse
sortmodified
showSpacetypefalsepage
reversetruetype
labelskb-how-to-article
cqllabel = "kb-how-to-article" and type = "page" and space = "WIKI"labelskb-how-to-article
Page Properties
hiddentrue

Verwandte Vorgänge