This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch 2_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/2_0_X by this push:
new ead58ee Warning about short secretKey values for AES
ead58ee is described below
commit ead58eec1055a7f29b5db6bb6ac39ab4e5806323
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Wed Apr 3 12:53:11 2019 +0200
Warning about short secretKey values for AES
---
.../systemadministration/configurationparameters.adoc | 7 +++++++
1 file changed, 7 insertions(+)
diff --git
a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
index 2afc18f..8867e05 100644
---
a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
+++
b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
@@ -25,6 +25,13 @@ barely invoking the REST layer through
http://curl.haxx.se/[curl^]:
* `password.cipher.algorithm` - which cipher algorithm shall be used for
encrypting password values; supported
algorithms include `SHA-1`, `SHA-256`, `SHA-512`, `AES`, `S-MD5`, `S-SHA-1`,
`S-SHA-256`, `S-SHA-512` and `BCRYPT`;
salting options are available in the `security.properties` file;
+[WARNING]
+The value of the `secretKey` property in the `security.properties` file is
used for AES-based encryption / decription.
+Besides password values, this is also used whenever reversible encryption is
needed, throughout the whole system. +
+When the `secretKey` value has length less than 16, it is right-padded by
random characters during startup, to reach
+such mininum value. +
+It is *strongly* recommended to provide a value long at least 16 characters,
in order to avoid unexpected behaviors
+at runtime, expecially with high-availability.
* `jwt.lifetime.minutes` - validity of
https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token^] values used for
<<rest-authentication-and-authorization,authentication>> (in minutes);
* `notificationjob.cronExpression` -
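Review bot: the added `[WARNING]` block explains the padding behaviour but not its consequence, and the consequence is the actual reason for the recommendation: since a `secretKey` shorter than 16 characters is right-padded with random characters at startup, each node (and each restart) ends up with a different effective AES key, so values encrypted by one node or before a restart cannot be decrypted by another; spelling that out makes "unexpected behaviors at runtime, expecially with high-availability" concrete for the reader. The block also leaves open what happens to a `secretKey` longer than 16 characters (truncated, used as-is, or rejected); one sentence covering that case would complete the picture. Finally, the added text has a few typos that will land in the published reference guide: `decription` should be `decryption`, `mininum` should be `minimum`, `expecially` should be `especially`, and "a value long at least 16 characters" reads better as "a value at least 16 characters long".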