Task #1163


Encryption key on confidential storage cannot be changed

Added by Petr Fišer almost 6 years ago. Updated over 5 years ago.

Ondřej Kopr
Confidential Storage
Target version:
Start date:
Due date:
% Done:


Estimated time:


Once set up, the confidential storage key cannot be changed.
I encountered this problem on a project - due to a typo in configuration, the demo key was used. I found out after connecting end systems and syncing users.
To correct the issue, the only way is to delete whole IdM database, change the encryption key, and configure everything anew.

Is it possible to change confidential storage encryption key without destroying data (provided I know the old key)? If yes, how? If no, please add such a feature.
When changing to stronger keys on already established IdM installation, this could be a lifesaver.

Actions #1

Updated by Ondřej Kopr almost 6 years ago

In current implementation of confidential storage isn't possible change confidential key during production mode. This key must be same for idm lifetime. In CzechIdM installation tutorial is required step with generate new key for production, this step is highly required, because after insert first value into confidential storage doesnt exists way how to change key for crypt.

It is possible to create new long running task that recrypt all values in confidential storage with new key. But isn't this security risk? Implementation of this LRT isn't hard, but it will be better to discuss this with Zdenek.

Actions #2

Updated by Petr Fišer almost 6 years ago

I too am not really sure that we should have this feature directly in the IdM. But we have to have some way of changing the key.
This definitely needs some design.

Actions #3

Updated by Ondřej Kopr almost 6 years ago

  • Status changed from New to In Progress
  • Target version set to Lapis (8.2.0)
Actions #4

Updated by Ondřej Kopr almost 6 years ago

  • Status changed from In Progress to Needs feedback
  • % Done changed from 0 to 90

I implemented new long running task: ChangeConfidentialStorageKey. This task must be started after you change confidential storage key to new (this behavior is required). As parameter is given old storage key (the old key will be saved as parameter in LRT and it is visible in plain text).

Changes in API:
  • to confidential storage was added new method changeCryptKey, the method read value and decrypt it with old key and resave with new key,
  • method toDto in confidetial storage service was updated with trimmed behavior - if dto is trimmed, value will not be decrypted. (in standart behavior is this service used only for agenda), standart get works correctly (value will be decrypted)

tests are included.

Hardest thing on the feature was tests, I'm little bit stuck on it :(

documentation update:

commit: (branch develop)

Please Radek could you make a review? Thank you.

Actions #5

Updated by Ondřej Kopr almost 6 years ago

  • Assignee changed from Ondřej Kopr to Radek Tomiška
Actions #6

Updated by Radek Tomiška over 5 years ago

  • Status changed from Needs feedback to Closed
  • Assignee changed from Radek Tomiška to Ondřej Kopr
  • % Done changed from 90 to 100

I did test and review, it works and code looks nice, thx! I fixed only some minor issues:
- better exception is catched, when key is changed (can be run repetitively)
- better api for ConfidentialStorage service was added - is not needed to load entity - dto can be given (the same as FormService, TokenManager ...)



Also available in: Atom PDF