VersionedDataSealer
Overview
Identified by type="Versioned", this <DataSealer> is designed for production use and obtains its key material from a simple flat file. The file holds a history of N keys, so that data sealed under an older key can still be decrypted while the encryption key is rotated on a regular basis, usually daily.
The flat file format consists of lines of the form <name>:<key>, where the name is typically a number for record keeping but can be any label, and the key is base64-encoded. The length of the decoded key determines which AES-GCM variant is used; the supported key sizes are 128, 192 and 256 bits. The "default" key, used for all new sealing operations, is the one on the last line of the file.
A shell/batch script called seckeygen is provided as a simple means of rotating the key, and the software will typically detect when the file changes and reload it. It's possible to rely on a remote file, but since the software has no independent means of verifying or protecting the key material it downloads, you should be very careful with that approach.
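The following is an added example, not code from the Shibboleth project: a small Python model of the key file described above. It parses <name>:<key> lines, rejects keys that are not 16, 24 or 32 bytes after base64 decoding, picks the last line as the default key, looks up an older key by label, and performs a seckeygen-style rotation that appends a fresh key with the next numeric label and prunes the file to a fixed history. The three keys embedded as sample input are the ones from the example at the end of this page; the function names, the numeric-label rotation rule and the history length are this example's own assumptions.

```python
import base64
import secrets
from typing import Callable, List, Tuple

# Decoded key length -> AES-GCM variant, per the supported sizes (128/192/256 bits).
AES_GCM_VARIANTS = {16: "AES-128-GCM", 24: "AES-192-GCM", 32: "AES-256-GCM"}

# Sample key file, copied from the example on this page (constructed test input,
# never use published keys in production).
SAMPLE_KEY_FILE = """\
1:vRSX0mECpffcck4R5QYnkg==
2:TkWVbBgBzSiyy+WvA09s8g==
3:KohVO7WQkf3I0w3ROCurjA==
"""


def parse_sealer_keys(text: str) -> List[Tuple[str, bytes]]:
    """Parse <name>:<base64 key> lines, preserving file order.

    Blank lines are ignored. Anything else that is malformed (missing colon,
    bad base64, unsupported key size, duplicate label) raises ValueError so a
    broken file is refused outright rather than silently sealing with garbage.
    """
    keys: List[Tuple[str, bytes]] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, b64 = line.partition(":")
        if not sep or not name:
            raise ValueError(f"line {lineno}: expected <name>:<key>")
        try:
            key = base64.b64decode(b64, validate=True)
        except Exception as exc:
            raise ValueError(f"line {lineno}: key is not valid base64") from exc
        if len(key) not in AES_GCM_VARIANTS:
            raise ValueError(f"line {lineno}: key is {len(key)} bytes, must be 16, 24 or 32")
        if name in seen:
            raise ValueError(f"line {lineno}: duplicate key label {name!r}")
        seen.add(name)
        keys.append((name, key))
    if not keys:
        raise ValueError("key file contains no keys")
    return keys


def default_key(keys: List[Tuple[str, bytes]]) -> Tuple[str, bytes]:
    """The default key for new sealing operations is the last line of the file."""
    return keys[-1]


def variant_for(key: bytes) -> str:
    """Name the AES-GCM variant selected by the decoded key length."""
    return AES_GCM_VARIANTS[len(key)]


def key_by_label(keys: List[Tuple[str, bytes]], label: str) -> bytes:
    """Find an older key by its label, as needed to unseal data created under it."""
    for name, key in keys:
        if name == label:
            return key
    raise KeyError(f"no key labeled {label!r}; data sealed under it can no longer be decrypted")


def rotate(text: str, history: int = 3, key_bytes: int = 16,
           rng: Callable[[int], bytes] = secrets.token_bytes) -> str:
    """Return the key file contents after one rotation.

    Appends a fresh key under the next numeric label (assumption: labels are
    integers, as seckeygen uses numbers for record keeping) and drops the
    oldest entries so at most `history` keys remain. `rng` is injectable so
    tests can supply a deterministic generator.
    """
    if key_bytes not in AES_GCM_VARIANTS:
        raise ValueError("key_bytes must be 16, 24 or 32")
    keys = parse_sealer_keys(text)
    last_label = keys[-1][0]
    try:
        next_label = str(int(last_label) + 1)
    except ValueError:
        raise ValueError(f"cannot rotate: last label {last_label!r} is not numeric")
    keys.append((next_label, rng(key_bytes)))
    keys = keys[-history:]
    return "".join(f"{n}:{base64.b64encode(k).decode()}\n" for n, k in keys)


if __name__ == "__main__":
    keys = parse_sealer_keys(SAMPLE_KEY_FILE)
    label, key = default_key(keys)
    print(f"{len(keys)} keys loaded; default is {label!r} using {variant_for(key)}")
    print(rotate(SAMPLE_KEY_FILE), end="")
```

When applying `rotate` to the real file, write the new contents to a temporary file in the same directory and rename it over the old one; the SP reloads the file when it changes, and an atomic rename ensures it never reads a half-written file. Note that pruning removes the oldest key, so any cookie still carrying that label becomes undecryptable: size `history` to cover the longest session lifetime plus the rotation interval.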
Reference
Attributes
Name | Type | Default | Description |
---|---|---|---|
path | local pathname | | Path to a local file containing the keys to use |
url | remote URL | | Location of a remote file to download containing the keys to use |
reloadChanges | boolean | true | When a local file is used, this controls whether to monitor it for changes and reload it automatically |
backingFilePath | local pathname | | When a remote resource is used, this is a required setting defining the location to back up the remote resource to ensure a valid copy at restart |
reloadInterval | time in seconds | 0 | When a remote resource is used, a non-zero value specifies the interval between checks for an updated copy |
Child Elements
None
Example
Given an XML configuration of:
Excerpt of shibboleth2.xml
<DataSealer type="Versioned" path="sealer.keys" />
the file sealer.keys might contain:
1:vRSX0mECpffcck4R5QYnkg==
2:TkWVbBgBzSiyy+WvA09s8g==
3:KohVO7WQkf3I0w3ROCurjA==
This would be three AES-128 keys (16 bytes each, 16 * 8 = 128 bits), with the key labeled "3" as the default for new sealing operations and the "1" and "2" keys retained to decrypt older cookies created before key "3" was put into use.