This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 8ead5fcf073a8bb426dc3e4a66431e32a7045dc6 Author: Benoit Tellier <[email protected]> AuthorDate: Fri Mar 26 15:25:19 2021 +0700 JAMES-3524 Document blobStore encryption --- .../pages/distributed/configure/blobstore.adoc | 27 ++++++++++++++++ src/site/xdoc/server/config-blobstore.xml | 36 +++++++++++++++++++++- 2 files changed, 62 insertions(+), 1 deletion(-) diff --git a/docs/modules/servers/pages/distributed/configure/blobstore.adoc b/docs/modules/servers/pages/distributed/configure/blobstore.adoc index 139c961..c256b13 100644 --- a/docs/modules/servers/pages/distributed/configure/blobstore.adoc +++ b/docs/modules/servers/pages/distributed/configure/blobstore.adoc @@ -35,6 +35,33 @@ Consequently, all the requested deletions will not be performed, meaning that bl NOTE: If you are upgrading from James 3.5 or older, the deduplication was enabled. +=== Encryption choice + +Data can be optionally encrypted with a symmetric key using AES before being stored in the blobStore. As many user relies +on third party for object storage, a compromised third party will not escalate to a data disclosure. Of course, a +performance price have to be paid, as encryption takes resources. + +*encryption.aes.enable* : Optional boolean, defaults to false. + +If AES encryption is enabled, then the following properties MUST be present: + + - *encryption.aes.password* : String + - *encryption.aes.salt* : Hexadecimal string + +WARNING: Once chosen this choice can not be reverted, all the data is either clear or encrypted. Mixed encryption +is not supported. + +Here is an example of how you can generate the above values (be mindful to customize the byte lengths in order to add +enough entropy. + +.... +# Password generation +openssl rand -base64 64 + +# Salt generation +generate salt with : openssl rand -hex 16 +.... + === Cassandra BlobStore Cache A Cassandra cache can be enabled to reduce latency when reading small blobs frequently. diff --git a/src/site/xdoc/server/config-blobstore.xml b/src/site/xdoc/server/config-blobstore.xml index 92de092..15ae7b2 100644 --- a/src/site/xdoc/server/config-blobstore.xml +++ b/src/site/xdoc/server/config-blobstore.xml @@ -85,7 +85,41 @@ Maximum size of stored objects expressed in bytes.</dd> </dl> </subsection> - + <subsection name="Encryption choice"> + <p> + Data can be optionally encrypted with a symmetric key using AES before being stored in the blobStore. As many user relies + on third party for object storage, a compromised third party will not escalate to a data disclosure. Of course, a + performance price have to be paid, as encryption takes resources. + </p> + <dl> + <dt><strong>encryption.aes.enable</strong></dt> + <dd>Optional boolean, defaults to false</dd> + </dl> + <p>If AES encryption is enabled, then the following properties MUST be present:</p> + <dl> + <dt><strong>encryption.aes.password</strong></dt> + <dd>String</dd> + </dl> + <dl> + <dt><strong>encryption.aes.salt</strong></dt> + <dd>Hexadecimal string.</dd> + </dl> + <p><b>WARNING:</b> Once chosen this choice can not be reverted, all the data is either clear or encrypted. Mixed encryption + is not supported.</p> + <p> + Here is an example of how you can generate the above values (be mindful to customize the byte lengths in order to add + enough entropy. + </p> + <pre> + <code> +# Password generation +openssl rand -base64 64 + +# Salt generation +generate salt with : openssl rand -hex 16 + </code> + </pre> + </subsection> <subsection name="ObjectStorage BlobStore Buckets Configuration"> <dl> <dt><strong>objectstorage.bucketPrefix</strong></dt> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
