To avoid storing passwords, PINs and similar secrets as readable plain text, sensitive values in PRIME configuration files can be scrambled.
Scrambling means that the data is merely obfuscated, not truly protected: real encryption would require someone to type a password at every system startup. The values are encrypted with AES-256 using a key that is stored in a Java class shipped with PRIME, so scrambling only prevents casual reading of the files; anyone with access to the installation can recover the key and the values.
Scrambling can be used, for example, in database.properties, system.properties and engineSignEncryptConfig.xml.
The following prerequisites apply:
- All properties files must use UTF-8 character encoding.
- Some classes, mostly PKI connectors, receive properties files as constructor arguments. Those files currently cannot be scrambled.
- Do not use the .encrypted syntax in properties files that are not passed to the ScramblingPropertyConfigurers. Such files are not scrambled, and setting the values will fail, because .encrypted is then interpreted as part of the key.
- Properties files inside .jar files are not scrambled, and using the .encrypted syntax there leads to errors, because Spring will try to set a property named encrypted. You can however set already encrypted properties inside a
- Trying to scramble a property whose value spans several lines results in an error.
- Open the file for editing.
- Add .encrypted to any sensitive keys in the file, for example pin. When the system starts, the values are encrypted with a key stored in PRIME and the file is rewritten with the scrambled values. See the examples below.
Only properties files outside of a .jar file are rewritten.
Example: Encrypt the database username and password in database.properties:
Example: Encrypt the certificate PIN in engineSignEncryptConfig.xml:
Example: If you use the truststore in system.properties, encrypt the truststore password:
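The following pre-flight check is an added example written for this page; it is not part of PRIME and does not reproduce PRIME's scrambling. It reads a properties file before PRIME is started and flags the two prerequisites above that can be checked offline: the file must be valid UTF-8, and no key carrying the .encrypted suffix may have a value that continues onto a following line (a trailing backslash in java.util.Properties syntax). It also lists the keys that PRIME would scramble. The property names in the constructed samples (username, password, url, truststore.password) are assumptions for illustration, not PRIME's actual keys.

```python
"""Pre-flight lint for properties files that use the .encrypted suffix.

Added example for this page; not PRIME code. PRIME itself performs the
scrambling at startup; this script only catches files it would reject.
"""
import sys

ENCRYPTED_SUFFIX = ".encrypted"


def _key_of(line: str) -> str:
    """Return the key part of a 'key=value', 'key:value' or 'key value' line.
    The key ends at the first unescaped '=', ':' or whitespace."""
    key = []
    i = 0
    stripped = line.lstrip()
    while i < len(stripped):
        ch = stripped[i]
        if ch == "\\" and i + 1 < len(stripped):
            key.append(stripped[i + 1])   # escaped character belongs to the key
            i += 2
            continue
        if ch in "=: \t":
            break
        key.append(ch)
        i += 1
    return "".join(key)


def _continues(line: str) -> bool:
    """A properties line continues on the next line when it ends with an
    odd number of backslashes (java.util.Properties rule)."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def check_properties(data: bytes) -> dict:
    """Check one properties file given as raw bytes.

    Returns {'errors': [messages], 'to_scramble': [plain key names]}."""
    result = {"errors": [], "to_scramble": []}
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        result["errors"].append(f"file is not valid UTF-8: {exc}")
        return result

    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if not stripped or stripped[0] in "#!":
            i += 1                      # blank line or comment
            continue
        # Find how many physical lines this logical property occupies.
        end = i
        while end < len(lines) - 1 and _continues(lines[end]):
            end += 1
        span = end - i + 1
        key = _key_of(lines[i])
        if key.endswith(ENCRYPTED_SUFFIX) and len(key) > len(ENCRYPTED_SUFFIX):
            if span > 1:
                result["errors"].append(
                    f"line {i + 1}: '{key}' spans {span} lines; scrambling will fail")
            else:
                result["to_scramble"].append(key[: -len(ENCRYPTED_SUFFIX)])
        i += span
    return result


# Constructed samples (assumed key names, not PRIME's real ones).
SAMPLE_OK = b"""# database.properties, before first start
username.encrypted=prime
password.encrypted=s3cret!
url=jdbc:postgresql://db.example.internal:5432/prime
"""
SAMPLE_MULTILINE = b"""truststore.password.encrypted=first-part-\\
    second-part
"""
SAMPLE_LATIN1 = "pin.encrypted=\xfc".encode("latin-1")   # not UTF-8


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for name, blob in (("SAMPLE_OK", SAMPLE_OK),
                           ("SAMPLE_MULTILINE", SAMPLE_MULTILINE),
                           ("SAMPLE_LATIN1", SAMPLE_LATIN1)):
            print(name, check_properties(blob))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, check_properties(fh.read()))
```

Run it with the paths of the properties files you are about to deploy; without arguments it checks the three constructed samples. Anything reported under errors would make PRIME fail at startup, so fix it before adding the .encrypted suffix. The check cannot tell whether a file is actually passed to a ScramblingPropertyConfigurer or lives inside a .jar; those two prerequisites still have to be verified by hand.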