| Prerequisites |
|---|
| You’re familiar with the Email Key Manager, External Service, and Web Key Directory services. |
H2 is an alternative database store that can replace PostgreSQL in Email Key Manager (EKM), External Service (FES), and Web Key Directory (WKD). It is intended primarily for evaluation and testing. For production deployments, refer to the PostgreSQL or CockroachDB guides; in practice, our customers use those databases.
H2 Database Configurations
The example in the next section is for Email Key Manager. Change it appropriately when creating the database store for other services. For WKD, db_ekm becomes db_wkd, and so on. This is a recommended naming convention, but you’re free to choose your own.
EKM Configurations
In the production setup process, you should allow the service to connect to the H2 database for keys and metadata storage. Sensitive data stored in this database is further encrypted using the Store Encryption Key feature.
| Property | Description |
|---|---|
| store.type | Specifies that we are persisting into a database. Example: DatabaseStore |
| store.database.vendor | Specifies the database vendor. Example: h2 |
| store.h2.database.path | H2 JDBC URL without the jdbc:h2: prefix. See the H2 features webpage. Example: file:/data/enterprise_server_h2 |
| store.h2.connections | The maximum number of connections the database pool is allowed to reach. We recommend 3 connections per CPU core. Default value: 10. Example: 10 |
| store.h2.entire.database.encrypted | If the database file is encrypted with AES, set this to true; if the database file isn’t encrypted, set it to false. This is separate from the Store Encryption Key. Example: false |
| store.h2.entire.database.encryption.password | (for store.h2.entire.database.encrypted=true) The AES encryption password. Example: aes_password |
| store.h2.update.schema (optional) | Whether the schema should be created or updated when the service starts. Default value: true. Example: true |
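The rules in the table above (value constraints, the missing jdbc:h2: prefix, the 3-connections-per-core recommendation, and the password that an AES-encrypted database file requires) are easy to get wrong in a hand-edited properties file. The following added example, which is not part of this guide or of FlowCrypt's own code, is a small validator that encodes those rules and runs them over a constructed properties fragment. It assumes the configuration is a plain Java .properties file with key=value lines, takes the CPU core count as a parameter, and treats an absent store.h2.entire.database.encrypted as false (the table gives no default for that property, so that is an assumption of this example).

```python
"""Sanity-check an EKM/FES/WKD .properties fragment for an H2 database store.

Added example, not FlowCrypt's own code. The property names come from the
configuration table; the sample fragments below are constructed for illustration.
"""

# Recommended pool size from the table: 3 connections per CPU core.
CONNECTIONS_PER_CORE = 3


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comment lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # a bare key without '=' carries nothing we validate here
        props[key.strip()] = value.strip()
    return props


def check_h2_store(props: dict, cpu_cores: int) -> list:
    """Return a list of problems; an empty list means the fragment is consistent with the table."""
    problems = []
    if props.get("store.type") != "DatabaseStore":
        problems.append("store.type must be DatabaseStore for a database-backed store")
    if props.get("store.database.vendor") != "h2":
        problems.append("store.database.vendor must be h2 for the H2 store")

    path = props.get("store.h2.database.path", "")
    if not path:
        problems.append("store.h2.database.path is required")
    elif path.startswith("jdbc:h2:"):
        problems.append("store.h2.database.path must omit the jdbc:h2: prefix")

    conns = props.get("store.h2.connections", "10")  # table default: 10
    if not conns.isdigit() or int(conns) < 1:
        problems.append("store.h2.connections must be a positive integer")
    elif int(conns) > CONNECTIONS_PER_CORE * cpu_cores:
        limit = CONNECTIONS_PER_CORE * cpu_cores
        problems.append(
            f"store.h2.connections={conns} exceeds the recommended "
            f"{CONNECTIONS_PER_CORE} per core ({limit} for {cpu_cores} cores)"
        )

    # Assumption of this example: an absent flag means the file is not encrypted.
    encrypted = props.get("store.h2.entire.database.encrypted", "false").lower()
    if encrypted not in ("true", "false"):
        problems.append("store.h2.entire.database.encrypted must be true or false")
    elif encrypted == "true" and not props.get("store.h2.entire.database.encryption.password"):
        problems.append(
            "store.h2.entire.database.encryption.password is required "
            "when store.h2.entire.database.encrypted=true"
        )

    schema = props.get("store.h2.update.schema", "true").lower()  # table default: true
    if schema not in ("true", "false"):
        problems.append("store.h2.update.schema must be true or false")
    return problems


# Constructed sample: matches the example values in the table.
SAMPLE_OK = """
# Email Key Manager H2 store (constructed sample)
store.type=DatabaseStore
store.database.vendor=h2
store.h2.database.path=file:/data/enterprise_server_h2
store.h2.connections=10
store.h2.entire.database.encrypted=false
store.h2.update.schema=true
"""

# Constructed sample with three mistakes: jdbc:h2: prefix left in, an oversized
# pool for a 4-core host, and AES file encryption enabled without a password.
SAMPLE_BAD = """
store.type=DatabaseStore
store.database.vendor=h2
store.h2.database.path=jdbc:h2:file:/data/enterprise_server_h2
store.h2.connections=64
store.h2.entire.database.encrypted=true
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        found = check_h2_store(parse_properties(text), cpu_cores=4)
        print(f"{name}: {'no problems' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against your own properties file by passing its contents to parse_properties and the host's core count to check_h2_store; an empty result means the fragment is consistent with the table, and each reported line names the property to fix.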
Database store encryption (EKM only)
See the DB Store Encryption guide to enable and configure database store encryption for sensitive information (e.g. private keys).
Test connection
To test whether the service can communicate with the configured database, run the following command:
java -jar flowcrypt-<service-name>.jar --test-store-connection
This command connects to the data store and issues one search command to verify that the connection between EKM and the database is configured correctly.
The successful output is:
INFO com.flowcrypt.utils.Reflection - Registering DatabaseStore as Store implementation
INFO c.f.keymanager.TestStoreConnection - initiating test
INFO c.f.keymanager.TestStoreConnection - store session started successfully
INFO c.f.keymanager.TestStoreConnection - testing store search command
INFO c.f.keymanager.TestStoreConnection - round trip latency: 8ms
INFO c.f.keymanager.TestStoreConnection - closing session
INFO c.f.keymanager.TestStoreConnection - success