14.0:documentation:security:dev:confidential-storage

Confidential storage

To save sensitive data, the interface ConfidentialStorage has been created in the application. To read the data from the storage, it is necessary to know its owner (entity), and the key.

The storage is currently used for:

  • saving the sensitive data in dynamic forms (EAV) (which are used also for connectors configuration - mainly passwords, etc.) - owner type is e.g. eu.bcvsolutions.idm.acc.entity.SysSystemFormValue
  • saving sensitive configuration items - owner type eu.bcvsolutions.idm.core.model.entity.IdmConfiguration
  • temporary saving the identity password (when it's provisioned to an end system) - owner type eu.bcvsolutions.idm.acc.entity.SysProvisioningOperation

After reading, the value should flow through the application in the form of GuardedString, if possible. This is definitely true for the string values (password, tokens), nevertheless, the confidential storage supports saving of any serializable type of data (GuardedString is not serializable by definition, so the storage explicitly exposes methods for GuardedString).

The current implementation of the confidential storage saves data into a separate database chart (owner, key, value). The next expected implementation counts with the use of Vault as the key-value of the storage ⇒ The owner will be part of the key.

The storage is encrypted by the key that is saved in the application property cipher.crypt.secret.key or in a file which is set in the application property cipher.crypt.secret.keyPath. In basic installation, CzechIdM doesn't contain any key. Make sure to set some key for encryption of the confidential storage before you start the application in production mode.

See more about the settings in the admin documentation.

IdM uses the algorithm AES/CBC/PKCS5Padding (more info) for encryption of the confidential storage values. The algorithm operates with 128bit or 256bit key (key must be only 128 or 256 bits!!). To generate the key, you can use one of these commands:

cat /dev/urandom | tr -dc 'a-z0-9' | head -c 16
cat /dev/urandom | tr -dc 'a-z0-9' | head -c 32

The algorithm uses initialization vectors when encrypting the confidential values. These initialization vectors are stored together with every encrypted value in the confidential storage.

Read more about this task in the admin documentation.