Support symmetric encryption for cipher tool and secure vault using an encryption key.

[AqeelMuhammad]

Description

Currently, APIM uses asymmetric RSA encryption. When the cipher tool is configured, it requests the keystore password, and the default keystore type is JKS.

According to the improvements introduced in [1], we need to convert the JKS keystore to PKCS12 in order to store the encryption key in the keystore, since JKS does not support symmetric key storage. However, as APIM will continue to use the JKS keystore type, we need to support the cipher tool to encrypt the password using a provided encryption key and decrypt it using the Secure Vault.

[1] wso2/product-is#20610

Version

4.7.0

[AqeelMuhammad]

System Property Introduction

Problem

Currently, to run the cipher tool in symmetric mode, the following command is used:

Command 1

./ciphertool.sh -Dconfigure -Dsymmetric

In the current implementation, it is required to enter the keystore password, and a PKCS12 keystore is used to store the encryption key. However, we need to use a JKS-type keystore, and we still need to support symmetric encryption for the cipher tool. To achieve this, we must obtain the encryption key instead of the keystore password. To implement this change, we need to introduce a property when running the cipher tool to indicate that it is being executed using an input key-based symmetric encryption.

Solution

We have identified two options to support symmetric key encryption by allowing the user to enter a key when running the cipher tool.

• Option 1: Enable/Disable property

  • A property to indicate that the cipher tool should request an encryption key if the property is present in the command. If it is not present, the tool will run in the existing keystore-based mode.
  • -Dkey.based.encryption

• Option 2: Key-value property

  • A property to specify the encryption type used for symmetric encryption. Here, a property with a value is provided to identify the type/mode of symmetric key encryption.
  • -Dsymmetric.encryption.mode=key

Conclusion

I plan to proceed with Option 1, since we currently run the tool using Command 1 above, and it is unnecessary to add another property to determine the type/mode of symmetric encryption. With this approach, symmetric key encryption with an encryption key input can be supported by default when the property is present.

If we choose Option 2, there would be only one mode, and the value would always remain the same. Therefore, instead of using a key-value property, it is better to use an enable/disable property. When the property is present in the command, the tool will run the symmetric encryption in encryption key input mode. If it is not present, it will run in the default mode, which uses a keystore.

So the final command looks like;

./ciphertool.sh -Dconfigure -Dsymmetric -Dkey.based.encryption

Key Rotation Mode

For the rotation mode, I plan to use -Dold.key=<Old encryption key> similar to the current implementation with the alias of the old keystore password.

./ciphertool.sh -Drotate -Dold.key=03e0caf0ab881d1184131cdb5dd62d519456f5d04424dc5924fd131d287a958c -Dsymmetric -Dkey.based.encryption

[pubudu538]

Can you list down the commands used for encryption? I would like to understand the existing commands and how we utilize those.

[AqeelMuhammad]

---------Cipher Tool Help---------

By default, CipherTool can be used for creating encrypted value for given plain text using RSA algorithm

Options :

        -Dconfigure                           This option would allow user to secure plain text passwords in carbon configuration files. CipherTool will replace all the passwords listed in cipher-text.properties file with encrypted values and modify related password elements in the configuration files with secret alias names. Also secret-conf.properties file is modified with the default configuration data

        -Dchange                              This option would allow user to change the specific password which has been secured

        -Drotate                              This option is used to rotate the existing encrypted values to a new secret alias. Requires providing the old alias.

        -Dsymmetric                           This option allows the user to use symmetric encryption for creating encrypted values. It can be used with -Dconfigure, -Dchange, or -Drotate.

        -Dold.alias=<Old secret alias>        This specifies the old alias used in rotate mode.

        -Dpassword=<password>                 This option would allow user to provide the password as a command line argument. NOTE: Providing the password in command line arguments list is not recommended.

        -Dorg.wso2.CipherTransformation=<Transformation algorithm>       This option would allow user to encrypt plain text using the given transformation algorithm. Ex: -Dorg.wso2.CipherTransformation=RSA/ECB/OAEPwithSHA1andMGF1Padding

Above is the cipher tool help, and below are some existing commands currently used;

Encrypt Passwords

Symmetric - ./ciphertool.sh -Dconfigure -Dsymmetric
Asymmetric - ./ciphertool.sh -Dconfigure

Change encrypted passwords

Symmetric - ./ciphertool.sh -Dchange -Dsymmetric
Asymmetric - ./ciphertool.sh -Dchange

Rotating Encryption Secrets

Symmetric - ./ciphertool.sh -Drotate -Dold.alias=wso2carbon -Dsymmetric
Asymmetric - ./ciphertool.sh -Drotate -Dold.alias=wso2carbon