VersionedDataSealer

Overview

Identified by type="Versioned", this <DataSealer> is designed for production use and obtains its key material from a simple flat file that allows a history of N keys to be kept to decrypt older data and continuously rotate the encryption key on a regular basis, usually daily.

The flat file format consists of lines of the form <name>:<key>, where the name is typically a number for record keeping but can be any label, and the key is base64-encoded. The decoded key length dictates which AES-GCM algorithm is used, among the supported key sizes (128, 192, or 256 bits). The "default" key used for new operations is the last line in the file.

A shell/batch script called seckeygen is provided as a simple means of rotating the key, and the software will typically detect when the file changes and reload it. It's possible to rely on a remote file, but since there's no independent means to secure that, you should be very careful with that approach.

Reference

Attributes

Name             Type               Default   Description

path             local pathname               Path to a local file containing the keys to use

url              remote URL                   Location of a remote file to download containing the keys to use

reloadChanges    boolean            true      When a local file is used, this controls whether to monitor it for changes and reload it automatically

backingFilePath  local pathname               When a remote resource is used, this is a required setting defining the location to back up the remote resource to ensure a valid copy at restart

reloadInterval   time in seconds    0         When a remote resource is used, a non-zero value specifies the interval between checks for an updated copy

Child Elements

None

Example

Given an XML configuration of:

Excerpt of shibboleth2.xml
<DataSealer type="Versioned" path="sealer.keys" />

the file sealer.keys might contain:

1:vRSX0mECpffcck4R5QYnkg==
2:TkWVbBgBzSiyy+WvA09s8g==
3:KohVO7WQkf3I0w3ROCurjA==

This would be three AES-128 keys (16 bytes each, 16 * 8 = 128 bits) with the default key labeled "3" and the "1" and "2" keys used to handle older cookies created prior to the use of that key.
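The following is an added example (not code from the Shibboleth SP or its seckeygen script) that parses a sealer.keys file in the <name>:<key> format described above, validates each key against the supported AES-GCM sizes, picks the default (last) key, and performs a seckeygen-style rotation that appends a fresh key and keeps only the newest N entries. The sample file content is the one shown above; the `history` and `key_bytes` parameters are assumptions of this example.

```python
import base64
import secrets
from typing import List, Tuple

# Decoded key length in bytes -> AES-GCM variant it selects (per the page).
VALID_KEY_BYTES = {16: "AES-128-GCM", 24: "AES-192-GCM", 32: "AES-256-GCM"}

# Sample key file content taken from the example above (three AES-128 keys).
SAMPLE = (
    "1:vRSX0mECpffcck4R5QYnkg==\n"
    "2:TkWVbBgBzSiyy+WvA09s8g==\n"
    "3:KohVO7WQkf3I0w3ROCurjA==\n"
)


def parse_keyfile(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, raw_key) pairs in file order; reject malformed lines."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        label, sep, b64 = line.partition(":")
        if not sep or not label:
            raise ValueError(f"line {lineno}: expected <name>:<key>")
        raw = base64.b64decode(b64, validate=True)  # strict alphabet check
        if len(raw) not in VALID_KEY_BYTES:
            raise ValueError(f"line {lineno}: {len(raw)}-byte key, need 16/24/32")
        keys.append((label, raw))
    if not keys:
        raise ValueError("key file holds no keys")
    return keys


def default_key(keys: List[Tuple[str, bytes]]) -> Tuple[str, bytes]:
    """The key used for new sealing operations is the last line in the file."""
    return keys[-1]


def algorithm_for(raw: bytes) -> str:
    """Name the AES-GCM variant implied by the decoded key length."""
    return VALID_KEY_BYTES[len(raw)]


def rotate(text: str, history: int = 3, key_bytes: int = 16) -> str:
    """Append a fresh random key under the next numeric label and keep only
    the newest `history` keys, so older data stays decryptable (assumed
    parameters, modelled on seckeygen's behaviour)."""
    keys = parse_keyfile(text) if text.strip() else []
    numeric = [int(lbl) for lbl, _ in keys if lbl.isdigit()]
    keys.append((str(max(numeric, default=0) + 1), secrets.token_bytes(key_bytes)))
    keys = keys[-history:]
    return "".join(f"{lbl}:{base64.b64encode(k).decode()}\n" for lbl, k in keys)
```

Running `rotate(SAMPLE)` yields a file whose labels are 2, 3 and 4, with key 4 becoming the new default while keys 2 and 3 remain available for older cookies.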