Property encryption

Property Encryption

For the new property encryption mechanism, a password is required. This password serves as the secret key that is used for encryption. We recommend that you use a strong password.

The password can be passed to the Runtime, Customer Data Service and DCM Lists Service as a property:

blueriq.properties.encryption.password = 190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

Alternatively, this property can be passed to the JVM as a command line parameter:

-Dblueriq.properties.encryption.password=190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

Please note the following:

• The application decrypts properties at startup. If decryption fails, the application will not start. Usual causes are that no password is configured or that the encryption password was not the password that the property was encrypted with.
• Contrary to the old mechanism, any property can be encrypted.

Document Renderer Service

The Document Renderer Service has the same mechanism for encrypting any property value.

The best practice for configuring the password is to set it as an environment variable like this:

BLUERIQ__PROPERTIES__ENCRYPTION__PASSWORD=190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

Or to pass it as a runtime argument on startup like this:

--blueriq:properties:encryption:password=190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

Technically you can also set it normally as a property in the .yml file, but this is not recommended as it defeats the purpose of encrypting your properties when the password is there in the same file.

Encrypting passwords with the Blueriq Encryptor

The BlueriqEncryptor is located in the Runtime\Java\Webapp\Tools folder in the release zip. This is a Java console application that can be used to create encrypted passwords to be used for password properties in the Runtime.

Start the application as a java executable jar:

> java -jar BlueriqEncryptor.jar --password <your_encryption_password>
Enter the value to be encrypted: 

The application will ask for a value to be encrypted. Enter a value and press enter to get the encrypted value, for example 'welcome'.

Enter the value to be encrypted: welcome
Encrypted value for welcome = ENC(TusxwbXq0jYIAFPvH5ljXZu70V1bt6i4Uwi4DxAU5UnE8tpsxMPM2z0QK/ENy50Y)
Enter the value to be encrypted:

In this case the encrypted value is ENC(TusxwbXq0jYIAFPvH5ljXZu70V1bt6i4Uwi4DxAU5UnE8tpsxMPM2z0QK/ENy50Y). This value may be used in in property/yml files.

Afterwards it is possible to enter a new value to be encrypted. Exit the application with Ctrl-C or leave the input blank.

Encryption algorithm

The encryption uses the following parameters:

• AES encryption in CBC mode with PKCS#5 padding with 256 bit key.
• Key Derivation Function: PBKDF2 (Password-Based Key Derivation Function 2) with SHA-512 hash function and 1000 iterations.
• Using a random 16 bit salt.
• Using a random 16 bit initialization vector.

The Document Renderer Service assumes this algorithm is used and currently supports no other means for encryption!

Customizing property encryption

The property encryption mechanism uses sensible defaults. If you want to customize the way your properties are encrypted/decrypted, you can add an org.jasypt.encryption.pbe.PBEStringEncryptor bean to your project. You can reference this bean by setting this property:

jasypt.encryptor.bean = <name_of_the_custom_bean>