-
Notifications
You must be signed in to change notification settings - Fork 16
Encryption
With CORB 2.1.0 and its PrivateKeyDecrypter class, encryption support is now possible without the use of any external jars. CORB 2.1.0 also supports encryption using the popular Jasypt tool when the Jasypt jar and properties file are provided.
Using encryption with CORB is a 3 step process.
- After selecting which tool you will use, generate a keyset which includes a public and private key.
- The information must be encrypted using the keys previously generated.
- Finally, CORB properties must be set to indicate the decrypter it should use and, except when using Jasypt, where the keys are located.
The process for generating keys depends on which encryption provider the user chooses. CORB's PrivateKeyDecrypter class supports keys and encryption generated using either Java Crypt, RSA keys or ssh-keygen. CORB's JasyptDecrypter class supports keys and encryption generated using Jasypt. Configuration of CORB to use encrypted information is primarily the same regardless of which encryption solution you choose.
Regardless of which approach you take, any strings that are ultimately encrypted can be designated as such in CORB's properties using the 'ENC(string)' designator. However, the use of the designator is optional, and CORB can determine whether the XCC-CONNECTION-URI, XCC-USERNAME, XCC-PASSWORD, XCC-HOSTNAME, XCC-PORT or XCC-DBNAME is encrypted with or without the designator. CORB accomplishes this by first trying to decrypt the properties, but if an exception is thrown it will then use them as given.
The following sections will detail the differences between using CORB’s PrivateKeyDecrypter class and its JasyptDecrypter class. Additionally, the section for using PrivateKeyDecrypter will detail how keys can be generated and encryption provided using the three different platforms.
As mentioned, Java Crypt, RSA keys and ssh-keygen are all supported using the PrivateKeyDecrypter class. Once encryption has been accomplished, the following properties need to be added to the CORB property file:
DECRYPTER=com.marklogic.developer.corb.PrivateKeyDecrypter
PRIVATE-KEY-FILE=/path/on/classpath/to/privateKey.key
PRIVATE-KEY-ALGORITHM=(optional, the default value is RSA for PrivateKeyDecrypter)The steps for using each to generate keys and encrypt are as follows:
-
java -cp marklogic-xcc-11.1.0.jar:marklogic-corb-2.5.5.jar com.marklogic.developer.corb.PrivateKeyDecrypter gen-keys /path/to/private.key /path/to/public.key RSA 1024(Note: if not specified, default algorithm: RSA, default key-length: 1024) -
java -cp marklogic-xcc-11.1.0.jar:marklogic-corb-2.5.5.jar com.marklogic.developer.corb.PrivateKeyDecrypter encrypt /path/to/public.key clearText RSA(Note: if not specified, default algorithm: RSA)
-
openssl genrsa -out private.pem 1024(generate private key in PEM format) -
openssl pkcs8 -topk8 -nocrypt -in private.pem -out private.pkcs8.key(create PRIVATE-KEY-FILE in PKCS8 std for java) -
openssl rsa -in private.pem -pubout > public.key(extract public key) -
echo "uri or password" | openssl rsautl -encrypt -pubin -inkey public.key | base64(encrypt URI or password).
-
ssh-keygen(ex:key as id_rsa after selecting a passphrase) -
openssl pkcs8 -topk8 -nocrypt -in id_rsa -out id_rsa.pkcs8.key(asks for passphrase) -
openssl rsa -in id_rsa -pubout > public.key(asks for passphrase) echo "password or uri" | openssl rsautl -encrypt -pubin -inkey public.key | base64
The steps to use Jasypt for key generation and encryption requires that the Jasypt distribution be on your classpath. You will also need a jasypt.properties file on your classpath that includes:
-
jasypt.algorithm=PBEWithMD5AndTripleDES(or PBEWithMD5AndDES) jasypt.password=passphraseForJasyptToUse
With the properties file and Jasypt distribution on the classpath, encryption can now be accomplished using the following command:
>jasypt-1.9.2/bin/encrypt.sh input="uri or password" password="passphraseForJasyptToUse " algorithm="algorithm" (ex: PBEWithMD5AndTripleDES or PBEWithMD5AndDES)
CORB can then be configured to consume Jasypt encryption by setting the following property:
DECRYPTER=com.marklogic.developer.corb.JasyptDecrypter