9.2:documentation:confidential_storage

Confidential storage agenda

When you install a new instance of CzechIdM, you are required to generate a new key that encrypts all values in the confidential storage. The key can be changed later with the long running task ChangeConfidentialStorageKey: first change the encryption key, then start the LRT and pass the old confidential storage key as its parameter, so that the values already stored can be re-encrypted under the new key.

The agenda is located in Settings (left menu) and lets you read the values kept in the confidential storage. It is read-only: values cannot be changed, removed or added there. The Confidential storage permission is needed, otherwise you cannot open the agenda. Create a new role and, on its Permissions tab, add a permission with entity type = Confidential storage and permission = READ. Any user who is assigned this role then has access to the Confidential storage agenda. Because the agenda shows values in decrypted form, this READ permission amounts to access to every secret in the storage, so grant the role sparingly.

The confidential storage is currently used for:

  • saving confidential values from EAV forms
  • saving sensitive configuration items

The storage detail shows this information:

  • Owner Id - identifier of the entity that owns the confidential storage value.
  • Owner type - the entity type of the owner. If a system entity has a saved value, the owner type is SysSystem; but if the value is stored in an extended attribute of the system, it is saved through the system's extended attribute, so the owner type is SysSystemFormValue, as shown in the picture above.
  • Key - the name of the value. It is one third of the value's identifier: to find exactly the value you want, you need the key, the owner id and the owner type together.
  • Value - the decrypted value (for example a password).
  • Creator - the identity that created the confidential value.
  • Created - the date when the confidential storage value was created.
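The following Go program is an added example, not CzechIdM code, that models the two mechanisms described on this page: values addressed by the (owner id, owner type, key) triple, and the key change done by ChangeConfidentialStorageKey, where the application already runs with the new key and the old key is supplied as the task parameter. The store, the Store/Save/Get/SetKey/Rekey names and the use of AES-256-GCM are assumptions made for the example; the page does not say which cipher or persistence CzechIdM uses, and the real storage lives in a database rather than in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ConfidentialKey is the triple that identifies exactly one stored value.
type ConfidentialKey struct {
	OwnerID   string
	OwnerType string // e.g. "SysSystem" or "SysSystemFormValue"
	Key       string
}

type entry struct{ nonce, ciphertext []byte } // GCM nonce is stored beside the ciphertext

type Store struct { // hypothetical in-memory model, not the product's own storage
	aead    cipher.AEAD
	entries map[ConfidentialKey]entry
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte keys only
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewStore(key []byte) (*Store, error) {
	s := &Store{entries: make(map[ConfidentialKey]entry)}
	return s, s.SetKey(key)
}

// SetKey models changing the key in the configuration: new writes use it, but
// existing records stay encrypted under the old key, hence the rotation task.
func (s *Store) SetKey(key []byte) error {
	a, err := newAEAD(key)
	if err != nil {
		return err
	}
	s.aead = a
	return nil
}

// aad binds a ciphertext to its triple, so a record copied under another owner
// id, owner type or key fails authentication instead of decrypting.
func aad(ck ConfidentialKey) []byte {
	return []byte(ck.OwnerType + "\x00" + ck.OwnerID + "\x00" + ck.Key)
}

func seal(a cipher.AEAD, ck ConfidentialKey, plaintext []byte) (entry, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return entry{}, err
	}
	return entry{nonce: nonce, ciphertext: a.Seal(nil, nonce, plaintext, aad(ck))}, nil
}

func (s *Store) Save(ck ConfidentialKey, plaintext []byte) error {
	e, err := seal(s.aead, ck, plaintext)
	if err != nil {
		return err
	}
	s.entries[ck] = e
	return nil
}

// Get returns the decrypted value, which is what the agenda shows as Value.
func (s *Store) Get(ck ConfidentialKey) ([]byte, error) {
	e, ok := s.entries[ck]
	if !ok {
		return nil, fmt.Errorf("no value for %s/%s/%s", ck.OwnerType, ck.OwnerID, ck.Key)
	}
	return s.aead.Open(nil, e.nonce, e.ciphertext, aad(ck))
}

// Rekey models ChangeConfidentialStorageKey: the store already runs with the new
// key, the old key is the task parameter, and each record is decrypted with the
// old key and re-encrypted with the current one. The rotated set replaces the
// old one only if every record succeeded, so a wrong old key changes nothing.
func (s *Store) Rekey(oldKey []byte) (int, error) {
	old, err := newAEAD(oldKey)
	if err != nil {
		return 0, err
	}
	rotated := make(map[ConfidentialKey]entry, len(s.entries))
	for ck, e := range s.entries {
		pt, err := old.Open(nil, e.nonce, e.ciphertext, aad(ck))
		if err == nil {
			rotated[ck], err = seal(s.aead, ck, pt)
		}
		if err != nil {
			return 0, fmt.Errorf("%s/%s/%s: %w", ck.OwnerType, ck.OwnerID, ck.Key, err)
		}
	}
	s.entries = rotated
	return len(rotated), nil
}
```

Two details go beyond what the page states and are design choices of this example: the triple is fed to GCM as associated data, so a ciphertext moved to another owner or key fails to decrypt rather than silently leaking across entities, and the rotation is all-or-nothing, so running the task with the wrong old key (or against a corrupted record) leaves every stored value as it was instead of producing a half-rotated storage.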