|
| 1 | +--- |
| 2 | +sidebar_position: 8 |
| 3 | +--- |
| 4 | + |
| 5 | +import Link from '../src/components/link/Link'; |
| 6 | + |
| 7 | +# Sensitive Data |
| 8 | + |
| 9 | +Sensitive data which is stored internally within our runtime memory or database is always encrypted with a secret key |
| 10 | +and with the strongest possible encryption algorithm. |
| 11 | + |
| 12 | +## Types of sensitive data handled |
| 13 | + |
| 14 | +1. Sensitive data in the cloud provider credentials data. |
| 15 | +2. Sensitive data in the service deployment requests. |
| 16 | +3. Sensitive data in the service access parameters. |
| 17 | + |
| 18 | +## Algorithm for encryption |
| 19 | + |
| 20 | +We can use any algorithm supported by Java as mentioned <Link name='here' url='https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html'/>. |
| 21 | +By default, the supported algorithm is **AES** with **CBC** mode. |
| 22 | +The default configuration can be overridden by updating the below three parameters. |
| 23 | + |
| 24 | +```shell |
| 25 | +xpanse.secrets.encryption.algorithm.name=AES |
| 26 | +xpanse.secrets.encryption.algorithm.mode=CBC |
| 27 | +xpanse.secrets.encryption.algorithm.padding=ISO10126Padding |
| 28 | +``` |
| 29 | + |
| 30 | +## Secret Key |
| 31 | + |
| 32 | +This is the most critical piece of the solution since this key is used to encrypt all secrets stored |
| 33 | +and hence can't be compromised. |
| 34 | + |
| 35 | +The below two properties must be used to provide the values of the secret key and initial vector |
| 36 | + |
| 37 | +```shell |
| 38 | +xpanse.secrets.encryption.secrete.key.value="" |
| 39 | + |
| 40 | +# If the selected algorithm supports/needs initial vector, then provide this value as well. |
| 41 | +xpanse.secrets.encryption.initial.vector="" |
| 42 | +``` |
| 43 | + |
| 44 | +:::info generating random secure keys |
| 45 | +There are many ways do it and one of the easy and straightforward ways is to use the online tool - https://acte.ltd/utils/randomkeygen. |
| 46 | + |
| 47 | +Here the 'Encryption key 256', must be used as the secret key and 'Basic 16' as the initial vector. |
| 48 | +::: |
| 49 | + |
| 50 | +## Secret Key in file |
| 51 | + |
| 52 | +The secret key can be provided either as a file or directly injected as a property. |
| 53 | +If a secret key file is provided, then the key in the file gets the **priority**. |
| 54 | +Application checks if the file is available in the provided path and if the file isn't empty. |
| 55 | +If both aren't true, then it tries to get the secret key from the configuration parameter directly. |
| 56 | + |
| 57 | +Location of the secret key can be provided by the below configuration parameter. |
| 58 | +This must be a fully qualified path that's accessible to xpanse runtime. |
| 59 | + |
| 60 | +```shell |
| 61 | +xpanse.secrets.encryption.secrete.key.file="" |
| 62 | +``` |
| 63 | + |
| 64 | +:::danger a valid secret key is mandatory |
| 65 | +If a valid secret key isn't found from both sources, then the application startup will fail. |
| 66 | +::: |
0 commit comments