Store encryption can only be enabled on the Email Key Manager (EKM) service. Web Key Directory (WKD) doesn’t support it, as it only hosts public keys that are meant to be shared widely and aren’t sensitive themselves.
Since database file(s) can be compromised, individual records should be further encrypted. For this purpose, you should configure the Email Key Manager to encrypt individual records with AES256-GCM as follows:
| Property | Description |
|---|---|
| `store.encryption.enable` | Enable the database store encryption. Example: `true` |
| `store.encryption.key.source` | Choose how you'd like the Email Key Manager to retrieve the store encryption key. It is retrieved once, during Email Key Manager startup. Options are `stdin` to be prompted for the key, `properties` to read the key from the properties file, `kmip` to retrieve the key from a KMIP server, or `pkcs11` to retrieve the key from a PKCS#11 server. Example: `stdin` |
| `store.encryption.key.value` | (for `store.encryption.key.source=properties`) The encryption password of the store, if you've chosen to read it from the properties file. Example: `yourpwd` |
| `store.pkcs11.module` | (for `store.encryption.key.source=pkcs11`) The path to a PKCS#11 shared library. The library can be obtained from your HSM vendor. Example: `./vendor-pkcs11.so` |
| `store.pkcs11.pin` | (for `store.encryption.key.source=pkcs11`) PKCS#11 token PIN. In the case of Fortanix and possibly other vendors, this is actually a path to a PKCS#11 config file. Example: `file://vendor-pkcs11.cfg` |
| `store.kmip.hostname` | (for `store.encryption.key.source=kmip`) The hostname of the KMIP server. Example: `kmipserver` |
| `store.kmip.port` | (for `store.encryption.key.source=kmip`) The listening port of the KMIP server. Example: `5696` |
| `store.kmip.key.file` | (for `store.encryption.key.source=kmip`) The keystore file containing the certificate to present to the KMIP server for the TLS handshake. Example: `keystore.p12` |
| `store.kmip.key.password` (optional) | (for `store.encryption.key.source=kmip`) The password to access the KMIP keystore file. Empty means the keystore file isn't encrypted. Example: ` ` (empty) |
| `store.kmip.encryption.key.identifier` | (for `store.encryption.key.source=kmip`) A pointer to the DB encryption key object stored in the KMS. After setting all other KMIP properties, run the `--create-db-encryption-key` command to retrieve it. Example: `7a52b3e8-82e0-4d11-a89a-3f4c9be21e10` |
Create DB Encryption Key

After configuring the properties listed above (except the key value itself in the case of `source=properties` and the key identifier in the case of `source=kmip`), run the following command to create an encryption key:

```
java -jar flowcrypt-email-key-manager.jar --create-db-encryption-key
```

The command reads `store.encryption.key.source` to decide how to create the new encryption key for the database:
| Source | Action |
|---|---|
| `stdin` | A new encryption key is created and printed out, to be entered on stdin during service startup. |
| `properties` | A new encryption key is created and printed out, to be configured in the properties file. |
| `kmip` | The KMIP store is checked for an existing key. If none is present, a new key is created using the KMIP CREATE command and the new key identifier is printed, to be configured in the properties file. |
| `pkcs11` | The PKCS11 store is checked for an existing key. If none is present, a new key is created using the KMIP CREATE command and the new key identifier is printed, to be configured in the properties file. |