Hi Jacques,

Apologies for sending a direct email.

Follow up question: When I start OFBiz, I see a few keys in Entity Store. How do I know which key was used to encrypt OOTB so that I can use my key to reencrypt the private keys and data fields? I am assuming OOTB, AES is used with a 256-bit key length. Can you kindly confirm?

Best,
Pratyush

On 2020/03/21 08:32:51, Jacques Le Roux <[email protected]> wrote:
> Hi Pratyush,
>
> Inline...
>
> On 18/03/2020 at 19:12, pratyush Giri wrote:
> > Hi Jacques,
> >
> > First, I thought I have posted it to the User ML, and if it reached
> > somewhere else, I apologize.
>
> Please read my email. It's not that you did not post to the user ML, but that
> you are not subscribed.
>
> This time you sent a message directly to me, please don't.
> Again: SUBSCRIBE to the user ML as explained below, and more in the provided
> link.
>
> > I have a few entities which I have created for a plugin and these entities
> > have columns in the entities where encrypt="true".
> >
> > With this, I have tested that when I save some data to these fields, they
> > are encrypted (used a select in SQL to verify). In my seed data, I have
> > also added a Keystore entry with a key and a key text. I do not do anything
> > fancy, just set the entity attributes and then save them.
> >
> > This means that OFBiz is using some keys to encrypt the columns. Then when
> > I went into my entity reference and checked the Key Store entries, along
> > with my key I see a bunch of other keys and key text. Please note that I
> > did a clean all followed by a loadProdData (no demo data in my instance).
> >
> > Questions:
> > 1. Where are these other keys coming from?
>
> OOTB there are some encrypted fields, e.g. in accounting-entitymodel.xml. The
> "other" keys are coming from there.
>
> > 2. Which key was used to encrypt these columns?
>
> Have a look at EntityCrypto class to get more information about fields
> encryption.
>
> > 3. For security reasons, I would like to rotate keys (say annually). How do
> > I do that? I see EntityDataServices has these following 2 services. Is
> > that what needs to be done?
> >
> > <service name="reencryptPrivateKeys" engine="java" auth="true"
> >     transaction-timeout="14400"
> >     location="org.apache.ofbiz.entityext.data.EntityDataServices"
> >     invoke="reencryptPrivateKeys">
> >     <description>Re-encrypt the private keys, encrypted in EntityKeyStore with oldKey, using the newKey.</description>
> >     <attribute name="oldKey" type="String" mode="IN" optional="true"/>
> >     <attribute name="newKey" type="String" mode="IN" optional="true"/>
> > </service>
> > <service name="reencryptFields" engine="java" auth="true"
> >     transaction-timeout="14400"
> >     location="org.apache.ofbiz.entityext.data.EntityDataServices"
> >     invoke="reencryptFields">
> >     <description>Re-encrypt all the encrypted fields in the data model.</description>
> >     <attribute name="groupName" type="String" mode="IN" optional="true" default-value="org.apache.ofbiz"/>
> > </service>
> >
> > Overall, it would be a good idea to understand these and looking for if
> > someone has the knowledge or understanding around these.
> >
> > Any suggestions are greatly appreciated.
> >
> > Best,
> > Pratyush
>
> You may indeed use these (not used OOTB) services to rotate keys
>
> Jacques
>
> > On Wed, Mar 18, 2020 at 12:30 AM Jacques Le Roux <[email protected]> wrote:
> >
> >     Hi Pratyush,
> >
> >     Your message has been moderated.
> >
> >     Please subscribe to the user ML for such questions and then use your
> >     email client.
> >     See why here http://ofbiz.apache.org/mailing-lists.html.
> >
> >     You will get a better support, people can answer you on the ML.
> >     The wider the audience the better the answers you might get.
> >
> >     Also it's more work for moderators who have to accept your messages as
> >     long as you have not subscribed.
> >     I'll personally no longer accept them (other moderators still could).
> >
> >     Thanks
> >
> >     This said, in what context do you use encryption keys? Can you refer to
> >     a code section or something?
> >
> >     Jacques
> >
> >     On 18/03/2020 at 07:30, pratyush Giri wrote:
> >     > Hi All,
> >     >
> >     > I am looking to understand on my production system
> >     >
> >     > 1. How and where I can configure encryption keys.
> >     > 2. If I need to rotate the encryption keys, what is the process to do
> >     > so?
> >     >
> >     > Thank you in advance.
> >     >
> >     > Best,
> >     > Pratyush
