Encryption of Global Properties. Richard McKnight, Principal Consultant at Alfresco
What we will cover: Why encrypt global properties? A look at the technical implementation details. How to configure it. Where to get it.
Why Encrypt: The biggest threat to data security comes from within. Many organizations have policies to limit access to critical data and content sources.
How Do Encrypted Properties Protect Data: Limit access to back end components. Remember that the Alfresco repository has the following components: metadata, which lives in the database; content, which lives in the file system; search indexes, which also live on the file system.
How Do Encrypted Properties Protect Data: A rogue employee with R/W access to both the database and the file system could: gain access to restricted content; modify the state of the repository; bypass auditing when doing all of the above without being detected.
How Do Encrypted Properties Protect Data: Without access to all the back end components, all access and updates to content must go through the Alfresco repository server. Access through the repository server will trigger auditing. Many organizations do not let developers access production systems.
Who Asks for this? Organizations that typically ask for this are: Government Agencies, Financial Institutions, Health Care Organizations. This is useful for any organization that must safeguard sensitive information.
How We Did it: Jasypt (Java Simplified Encryption) library. Public key to encrypt the sensitive properties. Private key to decrypt the sensitive properties. Encrypted properties exposed via an extension of PropertyPlaceholderConfigurer.
Configuration Tools: Public/private key generation utility. Property encryption utility. Special properties file to include the encrypted property values.
Runtime Support (diagram labels): Repository Properties, Shared Properties, Property Placeholder Configurers, Global Properties
Runtime Support (diagram labels): Repository Properties, Shared Properties, Encrypted Properties, Property Placeholder Configurers, Public Private Key Encryptor, Private Key, Global Properties
We Do Not Use the Keystore: The location of the keystore is defined in the properties files. This information is not available at the time that access to the private key is needed. The private key is located in a specific location under $ALFRESCO_HOME.
How to Configure it: Generate the public and private keys. Protect the private key. Generate the encrypted values for your sensitive properties. Add these properties to the encrypted properties files. Use the properties in alfresco-global.properties.
Process (diagram labels): Key Generation, Public Key, Plain text property, Encryption, Private Key, Encrypted Property, chmod, Encrypted Properties File, Global Properties File, Create Encrypted Properties File, Use Encrypted Properties
Sample alfresco-encrypted.properties: db.password.enc=ENC(QcAf1Lr81meuP2p6Lu9ZQqFY1AsCfoWd)
Sample alfresco-global.properties: db.password=${db.password.enc}
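An added example, not part of the original slides or of Alfresco's code: a Python check that a deployment follows the layout in the two sample files, with sensitive keys in alfresco-global.properties given only as ${...} references, every value in alfresco-encrypted.properties wrapped in ENC(...), and the private key file closed to group and other. The key-name heuristic and the private_key_path parameter are assumptions, since the slides do not give the exact key location under $ALFRESCO_HOME.

```python
import os
import re
import stat

# Assumed heuristic for "sensitive" property names; adjust to local naming.
SENSITIVE = re.compile(r"(password|passphrase|secret)", re.I)
PLACEHOLDER = re.compile(r"^\$\{([^}]+)\}$")
ENC_VALUE = re.compile(r"^ENC\((.+)\)$")

# Sample inputs: the db.password lines are the samples from the slides, the rest is constructed.
GOOD_GLOBAL = "db.username=alfresco\ndb.password=${db.password.enc}\n"
GOOD_ENCRYPTED = "db.password.enc=ENC(QcAf1Lr81meuP2p6Lu9ZQqFY1AsCfoWd)\n"
BAD_GLOBAL = "db.password=example-plaintext\nmail.password=${mail.password.enc}\n"


def parse_properties(text):
    """Parse simple key=value lines; skips blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(global_text, encrypted_text, private_key_path=None):
    """Return a list of findings; empty means the files match the slides' layout."""
    findings = []
    glob = parse_properties(global_text)
    enc = parse_properties(encrypted_text)
    for key, value in glob.items():
        if not SENSITIVE.search(key):
            continue
        ref = PLACEHOLDER.match(value)
        if not ref:
            findings.append(f"{key}: literal value in alfresco-global.properties")
        elif ref.group(1) not in enc:
            findings.append(f"{key}: ${{{ref.group(1)}}} is not defined in alfresco-encrypted.properties")
    for key, value in enc.items():
        if not ENC_VALUE.match(value):
            findings.append(f"{key}: value is not wrapped in ENC(...)")
    if private_key_path is not None:  # hypothetical path supplied by the caller
        mode = stat.S_IMODE(os.stat(private_key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{private_key_path}: mode {mode:o} grants group/other access")
    return findings
```

Run it against the real files by reading them into strings and passing the private key path; any returned finding is a place where a secret is either in plain text or readable beyond the service account.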
How Can I Get This? This will be part of Alfresco Version 5-0
What if I Can’t Wait? Please consult support regarding availability of a 4.x version of this.
Thank You! Rich McKnight