
Confidential storage

The application provides the ConfidentialStorage interface for saving sensitive data. To read data from the storage, it is necessary to know its owner (entity) and the key.

The storage is currently used for:

  • saving the identity password
  • saving the sensitive data in dynamic forms (which are used also for connectors configuration, etc.)
  • saving sensitive configuration items (coming soon)

After reading, the value should flow through the application as a GuardedString wherever possible. This certainly applies to string values (passwords, tokens); nevertheless, the confidential storage supports saving any serializable data type (GuardedString is not serializable by definition, so the storage exposes dedicated methods for GuardedString).

The current implementation of the confidential storage saves data into a separate database table (owner, key, value). The next planned implementation expects to use Vault as the key-value store, so the owner will become part of the key.

Storage encryption uses a key that is available as a Java resource. The basic installation of CzechIdMng ships with a demo key. This key should be replaced with a newly generated key; more about encryption: here.
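
The (owner, key, value) layout and the planned Vault-style key described above, as an added Java sketch that is not CzechIdM's own code: the class and method names, the `ownerType/ownerId/key` path format and the use of AES-GCM are all assumptions made for illustration. The path is passed as associated data, so a row copied under another owner or key fails authentication before anything is deserialized.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
// Hypothetical sketch for illustration; not the CzechIdM ConfidentialStorage interface.
public class ConfidentialStoreSketch {
    private final Map<String, byte[][]> rows = new HashMap<>(); // (owner, key, value) table; value = {iv, ciphertext}
    private final SecretKey secret;
    ConfidentialStoreSketch(SecretKey secret) { this.secret = secret; }
    static String path(String ownerType, UUID ownerId, String key) { // Vault-style: owner is part of the key
        return ownerType + "/" + ownerId + "/" + key;
    }

    void save(String ownerType, UUID ownerId, String key, Serializable value) throws Exception {
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(plain)) { out.writeObject(value); }
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh nonce for every write
        String p = path(ownerType, ownerId, key);
        rows.put(p, new byte[][] { iv, crypt(Cipher.ENCRYPT_MODE, iv, p, plain.toByteArray()) });
    }

    Serializable get(String ownerType, UUID ownerId, String key) throws Exception {
        String p = path(ownerType, ownerId, key);
        byte[][] row = rows.get(p);
        if (row == null) return null; // reading requires both the owner and the key
        byte[] plain = crypt(Cipher.DECRYPT_MODE, row[0], p, row[1]); // throws if the row was tampered with
        return (Serializable) new ObjectInputStream(new ByteArrayInputStream(plain)).readObject();
    }

    private byte[] crypt(int mode, byte[] iv, String aad, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, secret, new GCMParameterSpec(128, iv));
        c.updateAAD(aad.getBytes(StandardCharsets.UTF_8)); // ties the row to its owner and key
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256); // newly generated key rather than a shared demo key
        ConfidentialStoreSketch store = new ConfidentialStoreSketch(generator.generateKey());
        UUID owner = UUID.randomUUID(); // constructed sample owner
        store.save("identity", owner, "password", "sample-password");
        System.out.println(store.get("identity", owner, "password"));
        System.out.println(store.get("identity", UUID.randomUUID(), "password")); // same key, different owner
    }
}
```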