Hi Pratyush,

If you look at 

you will see the Key Names. Those are the keys you are looking for. The Key 
Texts are the field values encrypted.

Yes, OOTB, AES is used with a 256-bit key length. By default OFBiz uses Shiro 
for a long time now (there were older methods now deprecated)



Le 23/03/2020 à 22:03, pratyush Giri a écrit :
Hi Jacques,

Apologies for sending a direct email.

Follow up question:

When I start ofbiz, I see a few keys in Entity Store.

How do I know which key was used to encrypt OOTB so that I can use my key to 
reencrypt the provate leys and data fields?

I am assuming OOTB, AES is used with a 256-bit key length. Can you kindly 


On 2020/03/21 08:32:51, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
Hi Pratyush,


Le 18/03/2020 à 19:12, pratyush Giri a écrit :
Hi Jacques,

Forst, I thought I have posted it to the User ML, and if it reached somewhere 
else, I apologize.
Please read my email. It's not that you did not post to the user ML, but that 
you are not subscribed.

This time you sent a message directly to me, please don't.
Again: SUBSCRIBE to the user ML as explained below, and more in the provided 

I have a few entities which I have created for a plugin and these entities have columns 
in the entities where encrypt="true".

With this, I have tested that when I save some data to these fields, they are 
encrypted (used a select in SQL to verify).  In my seed data, I have
also added a Keystore entry with a key and a key text. I do not do anything 
fancy, just set the entity attributed and then save them.

This means that Ofbiz is using some keys to encrypt the columns. Then when I 
went into my entity reference and checked the Key Store entries, along
with my key I see a bunch of other keys and key text. Please note that I did a 
clean all followed by a loadProdData ( no demo data in my instance).

1. Where are these other keys coming from?
OOTB there are some encrypted fields, eg in accounting-entitymodel.xml. The 
"other" keys are coming from there.

2. Which key was used to encrypt these columns?
Have a look at EntityCrypto class to get more information about fields 

3. For security reasons, I would like to rotate keys (say annually). How do I 
do that? I see EntityDataServices has these following 2 services. is
that what needs to be done?
<service name="reencryptPrivateKeys" engine="java" auth="true" 
location="org.apache.ofbiz.entityext.data.EntityDataServices" invoke="reencryptPrivateKeys"> <description>Re-encrypt the private keys, encrypted in EntityKeyStore with oldKey, 
using the newKey.</description> <attribute name="oldKey" type="String" mode="IN" optional="true"/> <attribute name="newKey" 
type="String" mode="IN" optional="true"/>
</service> <service name="reencryptFields" engine="java" auth="true" 
location="org.apache.ofbiz.entityext.data.EntityDataServices" invoke="reencryptFields"> <description>Re-encrypt all the encrypted fields in the 
data model.</description> <attribute name="groupName" type="String" mode="IN" optional="true" 
default-value="org.apache.ofbiz"/> </service>

Overall, it would be a good idea to understand these and looking for if someone 
has the knowledge or understanding around these.

Any suggestions are greatly appreciated.


You may indeed use these (not used OOTB) services to rotate keys


On Wed, Mar 18, 2020 at 12:30 AM Jacques Le Roux <jacques.le.r...@les7arts.com 
<mailto:jacques.le.r...@les7arts.com>> wrote:

     Hi Pratyush,

     Your message has been moderated.

     Please subscribe to the user ML for such questions and then use your email 
     See why here http://ofbiz.apache.org/mailing-lists.html.

     You will get a better support, people can answer you on the ML.
     The wider the audience the better the answers you might get.

     Also it's more work for moderators who have to accept your messages as 
long as you have not subscribed.
     I'll personally no longer accept them (other moderators still could).


     This said, in what context do you use encryption keys? Can you refer to a 
code section or something?


     Le 18/03/2020 à 07:30, pratyush Giri a écrit :
     > Hi All,
     > I am looking to understand on my production system
     > 1. How and where I can configure encryption keys.
     > 2. If I need to rotate the encryption keys, what is the process to do so?
     > Thank you in advance.
     > Best,
     > Pratyush

Reply via email to