Hi Pratyush,

If you look at 
https://demo-trunk.ofbiz.apache.org/webtools/control/entity/find/EntityKeyStore

you will see the Key Names. Those are the keys you are looking for. The Key 
Texts are the field values encrypted.

Yes, OOTB, AES is used with a 256-bit key length. By default OFBiz uses Shiro 
for a long time now (there were older methods now deprecated)

HTH

Jacques

Le 23/03/2020 à 22:03, pratyush Giri a écrit :
Hi Jacques,

Apologies for sending a direct email.

Follow up question:

When I start ofbiz, I see a few keys in Entity Store.

How do I know which key was used to encrypt OOTB so that I can use my key to 
reencrypt the provate leys and data fields?

I am assuming OOTB, AES is used with a 256-bit key length. Can you kindly 
confirm?

Best,
Pratyush


On 2020/03/21 08:32:51, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
Hi Pratyush,

Inline...

Le 18/03/2020 à 19:12, pratyush Giri a écrit :
Hi Jacques,


Forst, I thought I have posted it to the User ML, and if it reached somewhere 
else, I apologize.
Please read my email. It's not that you did not post to the user ML, but that 
you are not subscribed.

This time you sent a message directly to me, please don't.
Again: SUBSCRIBE to the user ML as explained below, and more in the provided 
link.


I have a few entities which I have created for a plugin and these entities have columns 
in the entities where encrypt="true".

With this, I have tested that when I save some data to these fields, they are 
encrypted (used a select in SQL to verify).  In my seed data, I have
also added a Keystore entry with a key and a key text. I do not do anything 
fancy, just set the entity attributed and then save them.


This means that Ofbiz is using some keys to encrypt the columns. Then when I 
went into my entity reference and checked the Key Store entries, along
with my key I see a bunch of other keys and key text. Please note that I did a 
clean all followed by a loadProdData ( no demo data in my instance).

Questions:
1. Where are these other keys coming from?
OOTB there are some encrypted fields, eg in accounting-entitymodel.xml. The 
"other" keys are coming from there.


2. Which key was used to encrypt these columns?
Have a look at EntityCrypto class to get more information about fields 
encryption.


3. For security reasons, I would like to rotate keys (say annually). How do I 
do that? I see EntityDataServices has these following 2 services. is
that what needs to be done?
<service name="reencryptPrivateKeys" engine="java" auth="true" 
transaction-timeout="14400"
location="org.apache.ofbiz.entityext.data.EntityDataServices" invoke="reencryptPrivateKeys"> <description>Re-encrypt the private keys, encrypted in EntityKeyStore with oldKey, 
using the newKey.</description> <attribute name="oldKey" type="String" mode="IN" optional="true"/> <attribute name="newKey" 
type="String" mode="IN" optional="true"/>
</service> <service name="reencryptFields" engine="java" auth="true" 
transaction-timeout="14400"
location="org.apache.ofbiz.entityext.data.EntityDataServices" invoke="reencryptFields"> <description>Re-encrypt all the encrypted fields in the 
data model.</description> <attribute name="groupName" type="String" mode="IN" optional="true" 
default-value="org.apache.ofbiz"/> </service>

Overall, it would be a good idea to understand these and looking for if someone 
has the knowledge or understanding around these.

Any suggestions are greatly appreciated.

Best,
Pratyush

You may indeed use these (not used OOTB) services to rotate keys

Jacques



On Wed, Mar 18, 2020 at 12:30 AM Jacques Le Roux <jacques.le.r...@les7arts.com 
<mailto:jacques.le.r...@les7arts.com>> wrote:

     Hi Pratyush,


     Your message has been moderated.

     Please subscribe to the user ML for such questions and then use your email 
client.
     See why here http://ofbiz.apache.org/mailing-lists.html.

     You will get a better support, people can answer you on the ML.
     The wider the audience the better the answers you might get.

     Also it's more work for moderators who have to accept your messages as 
long as you have not subscribed.
     I'll personally no longer accept them (other moderators still could).

     Thanks

     This said, in what context do you use encryption keys? Can you refer to a 
code section or something?

     Jacques

     Le 18/03/2020 à 07:30, pratyush Giri a écrit :
     > Hi All,
     >
     > I am looking to understand on my production system
     >
     > 1. How and where I can configure encryption keys.
     > 2. If I need to rotate the encryption keys, what is the process to do so?
     >
     >
     > Thank you in advance.
     >
     > Best,
     > Pratyush

Reply via email to