
Overview

Identified by type="Versioned", this <DataSealer> is designed for production use. It obtains its key material from a simple flat file that holds a history of N keys, so that the encryption key can be rotated continuously (usually daily) while older data sealed under the previous keys can still be decrypted.

The flat file consists of lines of the form <name>:<key>. The name is typically a number used for record keeping but can be any label; the key is base64-encoded. The decoded key length selects the AES-GCM variant from the supported key sizes (128, 192 or 256 bits, i.e. 16, 24 or 32 bytes). The "default" key, used for all new sealing operations, is the one on the last line of the file.

A simple shell/batch script called seckeygen is provided to rotate the key, and the software will normally detect when the file changes and reload it. It is possible to rely on a remote file instead, but be very careful with that approach: the file contains the keys themselves, and there is no independent means of protecting it, so anyone who can read the transfer learns the keys and anyone who can alter it can substitute keys of their own choosing.

Reference

Attributes

Name             Type             Default  Description
path             local pathname            Path to a local file containing the keys to use
url              remote URL                Location of a remote file to download containing the keys to use
reloadChanges    boolean          true     When a local file is used, whether to monitor it for changes and reload it automatically
backingFilePath  local pathname            Required when a remote resource is used: the local path to which the downloaded resource is backed up, so that a valid copy is available at restart
reloadInterval   time in seconds  0        When a remote resource is used, a non-zero value is the interval between checks for an updated copy

Child Elements

None

Example

Given an XML configuration of:

Excerpt of shibboleth2.xml
<DataSealer type="Versioned" path="sealer.keys" />

the file sealer.keys might contain:

1:vRSX0mECpffcck4R5QYnkg==
2:TkWVbBgBzSiyy+WvA09s8g==
3:KohVO7WQkf3I0w3ROCurjA==

This would be three AES-128 keys (16 bytes each, 16 * 8 = 128 bits). The default key is the one labeled "3"; the "1" and "2" keys are retained so that cookies sealed under them, before "3" became the default, can still be decrypted.
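As an added illustration (not code from the Shibboleth project), the following Python parses a sealer.keys file in the format described above, checks each key is valid base64 of a supported AES size, picks the default key from the last line, and performs a rotation in the spirit of seckeygen. The rotate() routine's labeling and retention policy (next numeric label, keep the newest N keys) are assumptions for the example, since the page does not describe what seckeygen itself does; the embedded key file is the page's own example, reproduced as constructed sample input.

```python
import base64
import secrets
from typing import Dict, List, Optional, Tuple

# Supported AES-GCM key sizes in bytes, as listed on the page.
VALID_KEY_SIZES = {16: "AES-128", 24: "AES-192", 32: "AES-256"}

# Constructed sample of a sealer.keys file (same three keys as the page's example).
SAMPLE_KEYFILE = """1:vRSX0mECpffcck4R5QYnkg==
2:TkWVbBgBzSiyy+WvA09s8g==
3:KohVO7WQkf3I0w3ROCurjA==
"""


def parse_keyfile(text: str) -> Tuple[List[str], Dict[str, bytes]]:
    """Parse <name>:<key> lines into (labels in file order, label -> raw key).

    Fails closed: a blank file, a malformed line, a duplicate label, bad base64,
    or a key that is not 16/24/32 bytes raises ValueError instead of silently
    producing a sealer whose "default" key cannot be used.
    """
    labels: List[str] = []
    keys: Dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, b64 = line.partition(":")
        if not sep or not name or not b64:
            raise ValueError(f"line {lineno}: expected <name>:<key>")
        try:
            key = base64.b64decode(b64, validate=True)
        except ValueError as e:  # binascii.Error is a ValueError subclass
            raise ValueError(f"line {lineno}: key {name!r} is not valid base64") from e
        if len(key) not in VALID_KEY_SIZES:
            raise ValueError(
                f"line {lineno}: key {name!r} is {len(key) * 8} bits, not 128/192/256"
            )
        if name in keys:
            raise ValueError(f"line {lineno}: duplicate key label {name!r}")
        labels.append(name)
        keys[name] = key
    if not labels:
        raise ValueError("key file contains no keys")
    return labels, keys


def default_label(labels: List[str]) -> str:
    """The default key for new sealing operations is the last line of the file."""
    return labels[-1]


def algorithm_for(key: bytes) -> str:
    """Map a raw key to the AES-GCM variant its length selects."""
    return VALID_KEY_SIZES[len(key)]


def key_for_unseal(keys: Dict[str, bytes], label: str) -> Optional[bytes]:
    """Look up the key a sealed value was created under; None means the key has
    rotated out of the history and the value can no longer be decrypted."""
    return keys.get(label)


def rotate(text: str, history: int = 3, key_bytes: int = 16,
           new_key: Optional[bytes] = None) -> str:
    """Append a fresh key as the new default and keep only the newest `history`
    keys (assumed policy for this example, not necessarily what seckeygen does).
    `new_key` exists so tests can inject a known key; production callers leave it None."""
    labels, keys = parse_keyfile(text)
    if key_bytes not in VALID_KEY_SIZES:
        raise ValueError("key_bytes must be 16, 24 or 32")
    key = new_key if new_key is not None else secrets.token_bytes(key_bytes)
    if len(key) != key_bytes:
        raise ValueError("injected key has the wrong length")
    last = labels[-1]
    # Continue the numeric sequence if labels are numbers; otherwise append a counter.
    next_label = str(int(last) + 1) if last.isdigit() else f"{last}-{len(labels) + 1}"
    labels.append(next_label)
    keys[next_label] = key
    kept = labels[-history:]
    return "".join(f"{name}:{base64.b64encode(keys[name]).decode()}\n" for name in kept)


if __name__ == "__main__":
    names, table = parse_keyfile(SAMPLE_KEYFILE)
    print("default key:", default_label(names), algorithm_for(table[default_label(names)]))
    print(rotate(SAMPLE_KEYFILE, history=3), end="")
```

After rotation the oldest key drops out of the file, so anything sealed under label "1" becomes undecryptable; size the history so that it covers the longest lifetime of the data being sealed (for session cookies, the session timeout plus a margin for the rotation interval).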
