Feature #2652

Create a task to generate new initialization vector for values in the confidential storage

Added by Alena Peterová about 2 months ago. Updated 3 days ago.

Confidential Storage

Following #2355, we need an easy way to generate a new initialization vector for existing values in the confidential storage. Please create an LRT or script which will do this.
This will be used for projects which are upgraded from a version < 10.6. The values used a hardcoded initialization vector, which is a security issue.

The following message can be seen when IdM uses the hardcoded IV:

2021-01-20 16:44:24.129  WARN 206299 --- [http-nio-8080-exec-3] e.b.i.c.s.s.impl.DefaultCryptService.decrypt : IdM use old behavior with static vector. Please don't use this deprecated method.

Related issues

Related to CzechIdM - Task #2355: Confidential storage cipher uses hardcoded initialization vector (Closed, 07/01/2020 - 09/16/2020)


#1 Updated by Alena Peterová about 2 months ago

  • Related to Task #2355: Confidential storage cipher uses hardcoded initialization vector added

#2 Updated by Radek Tomiška about 2 months ago

  • Assignee deleted (Radek Tomiška)

#3 Updated by Radek Tomiška 25 days ago

  • Assignee set to Alena Peterová

#4 Updated by Alena Peterová 15 days ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 60

The task was created in apeterova/2652-generate-initialization-vector-task; some little things and documentation remain.
I chose a task over a Groovy script because the classes working with the confidential storage are not ScriptEnabled and I don't want to make such changes in them.

Tested in my local environment with 30 000 confidential configuration properties, the task took 3 or 5 minutes respectively, depending on whether it logged the processed items.

These numbers are from one large project:

select count(*), owner_type from idm_confidential_storage group by owner_type;
 count |                       owner_type                        
    33 | eu.bcvsolutions.idm.acc.entity.SysSystemFormValue
 34559 | eu.bcvsolutions.idm.acc.entity.SysProvisioningOperation
   815 | eu.bcvsolutions.idm.core.model.entity.IdmIdentity
     4 | eu.bcvsolutions.idm.core.model.entity.IdmConfiguration

#5 Updated by Alena Peterová 14 days ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Alena Peterová to Radek Tomiška
  • % Done changed from 60 to 90

I made some adjustments and also tested locally with a value encrypted in the original way (with the static initialization vector and a null value in the DB). The integration test is in the existing class DefaultIdmConfidentialStorageIntegrationTest.


Documentation (admin; the link for this was also added to the Changelog):
Documentation (dev):

Could you please provide me with feedback?
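As an added illustration of the per-item step such a migration task performs (example code written for this page, not CzechIdM's own implementation, which is Java): a legacy row, recognised by its null IV column as described in the comment above, is decrypted with the static vector and re-encrypted under a fresh random IV that is stored alongside the ciphertext, while rows that already carry an IV are skipped so the task can be re-run. It assumes AES-CBC with PKCS#7 padding for the storage cipher and uses a constructed stand-in for the hardcoded vector.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Record is one confidential-storage row; legacy rows encrypted with the hardcoded vector have IV == nil.
type Record struct{ Value, IV []byte }
// legacyIV is a constructed stand-in for the hardcoded vector, not the real CzechIdM value.
var legacyIV = []byte("0123456789abcdef")
// encryptCBC: AES-CBC with PKCS#7 padding (assumed to match the storage cipher).
func encryptCBC(block cipher.Block, iv, plain []byte) []byte {
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}
// decryptCBC reverses encryptCBC; a padding failure means the wrong key or IV was used.
func decryptCBC(block cipher.Block, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-n], nil
}
// Reencrypt is the per-item step of the migration task: a legacy row (IV == nil) is decrypted with
// the static vector and re-encrypted under a fresh random IV stored with it; rows with an IV are left as-is.
func Reencrypt(block cipher.Block, r Record) (Record, bool, error) {
	if r.IV != nil {
		return r, false, nil
	}
	plain, err := decryptCBC(block, legacyIV, r.Value)
	if err != nil {
		return r, false, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return r, false, err
	}
	return Record{Value: encryptCBC(block, iv, plain), IV: iv}, true, nil
}
```

The returned bool tells the task whether the row was actually rewritten, which is what a processed-items counter or log line would report.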

#6 Updated by Radek Tomiška 11 days ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Radek Tomiška to Alena Peterová
  • % Done changed from 90 to 100

I did the testing and code review; it's awesome, thx!

Note: Merged into develop (without a change), nice :)

#7 Updated by Radek Tomiška 3 days ago

  • Status changed from Resolved to Closed
