Encrypting Store

Axel Faust edited this page Apr 14, 2018 · 5 revisions

Purpose

This store can be used as a facade in front of other stores in order to transparently encrypt / decrypt the content held in those backing stores. For example, if this store is put in front of a file store, the contents on the file system are encrypted / decrypted without the file store being aware of it. In this way encryption can be combined with any other store.

This store is only available for Alfresco 5.0+. The branch specific to Alfresco 4.2 does not contain it since the core APIs of Alfresco in this version do not provide the means to store encryption keys for content URLs in the database.

Relation with other stores

TODO

Supported configuration properties

This store can be selected by using the store type encryptingFacadeStore.

| name | type | description | default | optional |
|---|---|---|---|---|
| backingStore | ref | the (physical) store that stores the encrypted content | | no |
| keyStorePath | value | the path to the Java keystore file holding an asymmetric master key (used for encrypting the symmetric keys that de-/encrypt content files) - this can take any path expression supported by Spring, e.g. classpath:path/to/keystore.jks | | no |
| keyStoreType | value | the type / format of the Java keystore file | dependent on JDK default - typically JKS | no |
| keyStoreProvider | value | the name of the provider capable of handling the Java keystore type / format | | yes |
| keyStorePassword | value | the password used to access the Java keystore file containing the asymmetric master key | | yes |
| masterKeyAlias | value | the alias referencing the asymmetric master key within the Java keystore file | | no |
| masterKeyPassword | value | the password used to access the asymmetric master key within the Java keystore file | | yes |
| keyAlgorithm | value | the symmetric key algorithm used to generate content encryption keys | AES | no |
| keyAlgorithmProvider | value | the name of the algorithm provider to be used for generating the content encryption keys | | yes |
| keySize | value | the size (in bits) to be used when generating content encryption keys | 128 | no |
| masterKeyStoreId | value | the static "masterKeyStore" ID used to uniquely group all the content encryption keys generated by this store in the Alfresco database (especially relevant when multiple encrypting stores with different master keys / key algorithms are used) | | no |
| masterKeySize | value | (informational value) the size of the asymmetric master key in bits - this is primarily used to optimise encryption of the symmetric content encryption keys | 4096 | yes |

Creating the master key store

TODO

Configuration example

# enable the addon
simpleContentStores.enabled=true

# define the names of stores to configure
# (multiple stores can be listed in comma-separated fashion)
simpleContentStores.customStores=myEncryptingStore,defaultTenantFileContentStore
# use the store as the global standard (instead of defaultTenantFileContentStore)
simpleContentStores.rootStore=myEncryptingStore

# define myEncryptingStore as an encrypting store
simpleContentStores.customStore.myEncryptingStore.type=encryptingFacadeStore
# store encrypted content in the default fileContentStore ("facade" the defaultTenantFileContentStore)
simpleContentStores.customStore.myEncryptingStore.ref.backingStore=defaultTenantFileContentStore
# load the master key from the key store file keystore.jks located e.g. in <tomcat>/shared/classes/keystore.jks
simpleContentStores.customStore.myEncryptingStore.value.keyStorePath=classpath:keystore.jks
# set the aliases / passwords necessary to access the master key inside the key store
simpleContentStores.customStore.myEncryptingStore.value.keyStorePassword=encrypt
simpleContentStores.customStore.myEncryptingStore.value.masterKeyAlias=encrypt
simpleContentStores.customStore.myEncryptingStore.value.masterKeyPassword=encrypt
# set a static ID to use when storing encryption keys to the database
simpleContentStores.customStore.myEncryptingStore.value.masterKeyStoreId=SimpleContentStores
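The following shell script is an added example (not part of the Simple Content Stores project) showing how the master key store referenced by the configuration example can be created and checked with the JDK's keytool. It assumes the values used above: file keystore.jks, alias encrypt, store and key password encrypt, store type JKS, and an RSA key of 4096 bits (the masterKeySize default); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not project code: create the Java keystore holding the
# asymmetric master key for an encryptingFacadeStore, then verify it.
# Assumed values match the configuration example above (keystore.jks,
# alias "encrypt", passwords "encrypt"); replace the passwords with real
# secrets before deployment. Requires keytool from a JDK on the PATH.

# create_master_keystore <keystore-file> <alias> <store-password> <key-password> [key-size]
# Generates an RSA key pair under the given alias. The self-signed certificate
# is only a container for the public key: the store wraps each content key
# with the public key and unwraps it with the private key.
create_master_keystore() {
    ks="$1"; alias="$2"; storepass="$3"; keypass="$4"; keysize="${5:-4096}"
    keytool -genkeypair \
        -alias "$alias" \
        -keyalg RSA -keysize "$keysize" \
        -sigalg SHA256withRSA \
        -dname "CN=simpleContentStores master key" \
        -validity 3650 \
        -keystore "$ks" -storetype JKS \
        -storepass "$storepass" -keypass "$keypass"
}

# master_key_present <keystore-file> <alias> <store-password>
# Returns 0 when the alias exists as a private key entry (i.e. the store
# will be able to unwrap content keys), 1 otherwise. A wrong store password
# makes keytool fail, so the check also fails in that case.
master_key_present() {
    ks="$1"; alias="$2"; storepass="$3"
    keytool -list -keystore "$ks" -storetype JKS \
        -storepass "$storepass" -alias "$alias" 2>/dev/null \
        | grep -q 'PrivateKeyEntry'
}

# Usage matching the configuration example:
#   create_master_keystore keystore.jks encrypt encrypt encrypt
#   master_key_present keystore.jks encrypt encrypt && echo "master key ready"
```

Copy the resulting keystore.jks to a location on the classpath (for the example, <tomcat>/shared/classes) so that classpath:keystore.jks resolves.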