...

Caution: The access key for decrypting the content may must not be lost under any circumstances and it must has to be stored securely so that authorized employees can access the access key at any time.

...

There are no special requirements for using the encryption service. Only configuration of the service is necessary. The service can be configured individually for repositories. When encryption is enabled, documents that are already unencrypted can no longer be found in this repository. Only one included encryption algorithm is currently supported: AES/GCM/NoPadding

The encryption service can be enabled at any time. Any existing, unencrypted files are still accessible.

The encryption service can also be disabled at any time. Any existing encrypted files are still accessible, if the configured secret remains the same in the config, i.e. to disable the encryption and keep existing encrypted files accessible, only the encryptionservice.type has to be changed to none. The setting for the secret must remain the same.

Configuration

The encryption service is addressed via the repository (here using the CE repository as an example).

CE.encryptionservice.type=aes_gcm

...

CE.encryptionservice.aes_gcm.secret=<please use a key for encryption>

It makes sense that the secret is stored as an alias in the keystore, which points to a password in the KeystoreService. If no keystore is used, the secret must be entered here in plain text.

During encryption, a random vector is initially generated, which ensures that the same content is encrypted differently. This vector is placed in front of the encrypted data stream because it is needed again for decryption. Depending on the process, the size of the original file increases by up to 32 bytes, i.e. a different content length appears on the storage system.

...