Hi All,
I am looking to understand on my production system:

1. How and where I can configure encryption keys.
2. If I need to rotate the encryption keys, what is the process to do so?

Thank you in advance.

Best,
Pratyush
Hi Pratyush,
Your message has been moderated.

Please subscribe to the user ML for such questions and then use your email client. See why here: http://ofbiz.apache.org/mailing-lists.html.

You will get better support; people can answer you on the ML. The wider the audience, the better the answers you might get.

Also it's more work for moderators, who have to accept your messages as long as you have not subscribed. I'll personally no longer accept them (other moderators still could).

Thanks

This said, in what context do you use encryption keys? Can you refer to a code section or something?

Jacques

On 18/03/2020 at 07:30, pratyush Giri wrote:
> Hi All,
>
> I am looking to understand on my production system
>
> 1. How and where I can configure encryption keys.
> 2. If I need to rotate the encryption keys, what is the process to do so?
>
> Thank you in advance.
>
> Best,
> Pratyush
Hi Jacques,
First, I thought I had posted it to the User ML; if it reached somewhere else, I apologize.

I have a few entities which I have created for a plugin, and these entities have columns where encrypt="true". With this, I have tested that when I save some data to these fields, they are encrypted (used a select in SQL to verify). In my seed data, I have also added a Keystore entry with a key and a key text. I do not do anything fancy, just set the entity attributes and then save them.

This means that OFBiz is using some keys to encrypt the columns. Then when I went into my entity reference and checked the Key Store entries, along with my key I see a bunch of other keys and key text. Please note that I did a clean all followed by a loadProdData (no demo data in my instance).

Questions:
1. Where are these other keys coming from?
2. Which key was used to encrypt these columns?
3. For security reasons, I would like to rotate keys (say annually). How do I do that? I see EntityDataServices has the following 2 services. Is that what needs to be done?

    <service name="reencryptPrivateKeys" engine="java" auth="true" transaction-timeout="14400"
             location="org.apache.ofbiz.entityext.data.EntityDataServices" invoke="reencryptPrivateKeys">
        <description>Re-encrypt the private keys, encrypted in EntityKeyStore with oldKey, using the newKey.</description>
        <attribute name="oldKey" type="String" mode="IN" optional="true"/>
        <attribute name="newKey" type="String" mode="IN" optional="true"/>
    </service>
    <service name="reencryptFields" engine="java" auth="true" transaction-timeout="14400"
             location="org.apache.ofbiz.entityext.data.EntityDataServices" invoke="reencryptFields">
        <description>Re-encrypt all the encrypted fields in the data model.</description>
        <attribute name="groupName" type="String" mode="IN" optional="true" default-value="org.apache.ofbiz"/>
    </service>

Overall, it would be a good idea to understand these, and I am looking for someone who has knowledge or understanding around these. Any suggestions are greatly appreciated.

Best,
Pratyush

On Wed, Mar 18, 2020 at 12:30 AM Jacques Le Roux <[hidden email]> wrote:
> Hi Pratyush,
>
> Your message has been moderated.
>
> Please subscribe to the user ML for such questions and then use your email client.
> See why here http://ofbiz.apache.org/mailing-lists.html.
>
> You will get better support, people can answer you on the ML.
> The wider the audience the better the answers you might get.
>
> Also it's more work for moderators who have to accept your messages as long as you have not subscribed.
> I'll personally no longer accept them (other moderators still could).
>
> Thanks
>
> This said, in what context do you use encryption keys? Can you refer to a code section or something?
>
> Jacques
Hi Pratyush,
Inline...

On 18/03/2020 at 19:12, pratyush Giri wrote:
> Hi Jacques,
>
> First, I thought I had posted it to the User ML, and if it reached somewhere else, I apologize.

Please read my email. It's not that you did not post to the user ML, but that you are not subscribed.

This time you sent a message directly to me, please don't. Again: SUBSCRIBE to the user ML as explained below, and more in the provided link.

> I have a few entities which I have created for a plugin and these entities have columns in the entities where encrypt="true".
>
> With this, I have tested that when I save some data to these fields, they are encrypted (used a select in SQL to verify). In my seed data, I have also added a Keystore entry with a key and a key text. I do not do anything fancy, just set the entity attributes and then save them.
>
> This means that OFBiz is using some keys to encrypt the columns. Then when I went into my entity reference and checked the Key Store entries, along with my key I see a bunch of other keys and key text. Please note that I did a clean all followed by a loadProdData (no demo data in my instance).
>
> Questions:
> 1. Where are these other keys coming from?

OOTB there are some encrypted fields, e.g. in accounting-entitymodel.xml. The "other" keys are coming from there.

> 2. Which key was used to encrypt these columns?

Have a look at the EntityCrypto class to get more information about field encryption.

> 3. For security reasons, I would like to rotate keys (say annually). How do I do that? I see EntityDataServices has the following 2 services. Is that what needs to be done?
>
>     <service name="reencryptPrivateKeys" engine="java" auth="true" transaction-timeout="14400"
>              location="org.apache.ofbiz.entityext.data.EntityDataServices" invoke="reencryptPrivateKeys">
>         <description>Re-encrypt the private keys, encrypted in EntityKeyStore with oldKey, using the newKey.</description>
>         <attribute name="oldKey" type="String" mode="IN" optional="true"/>
>         <attribute name="newKey" type="String" mode="IN" optional="true"/>
>     </service>
>     <service name="reencryptFields" engine="java" auth="true" transaction-timeout="14400"
>              location="org.apache.ofbiz.entityext.data.EntityDataServices" invoke="reencryptFields">
>         <description>Re-encrypt all the encrypted fields in the data model.</description>
>         <attribute name="groupName" type="String" mode="IN" optional="true" default-value="org.apache.ofbiz"/>
>     </service>
>
> Overall, it would be a good idea to understand these, and I am looking for someone who has knowledge or understanding around these.
>
> Any suggestions are greatly appreciated.
>
> Best,
> Pratyush

You may indeed use these (not used OOTB) services to rotate keys.

Jacques
Hi Jacques,
Apologies for sending a direct email.

Follow-up question:

When I start OFBiz, I see a few keys in Entity Store. How do I know which key was used to encrypt OOTB, so that I can use my key to re-encrypt the private keys and data fields?

I am assuming that OOTB, AES is used with a 256-bit key length. Can you kindly confirm?

Best,
Pratyush

On 2020/03/21 08:32:51, Jacques Le Roux <[hidden email]> wrote:
> Hi Pratyush,
>
> Inline...
>
> On 18/03/2020 at 19:12, pratyush Giri wrote:
> > Hi Jacques,
> >
> > First, I thought I had posted it to the User ML, and if it reached somewhere else, I apologize.
>
> Please read my email. It's not that you did not post to the user ML, but that you are not subscribed.
>
> This time you sent a message directly to me, please don't.
> Again: SUBSCRIBE to the user ML as explained below, and more in the provided link.
>
> > Questions:
> > 1. Where are these other keys coming from?
>
> OOTB there are some encrypted fields, e.g. in accounting-entitymodel.xml. The "other" keys are coming from there.
>
> > 2. Which key was used to encrypt these columns?
>
> Have a look at the EntityCrypto class to get more information about field encryption.
>
> > 3. For security reasons, I would like to rotate keys (say annually). How do I do that? I see EntityDataServices has the following 2 services. Is that what needs to be done?
>
> You may indeed use these (not used OOTB) services to rotate keys.
>
> Jacques
Hi Pratyush,
If you look at https://demo-trunk.ofbiz.apache.org/webtools/control/entity/find/EntityKeyStore you will see the Key Names. Those are the keys you are looking for. The Key Texts are the field values encrypted.

Yes, OOTB, AES is used with a 256-bit key length. By default OFBiz has used Shiro for a long time now (there were older methods, now deprecated).

HTH

Jacques

On 23/03/2020 at 22:03, pratyush Giri wrote:
> Hi Jacques,
>
> Apologies for sending a direct email.
>
> Follow-up question:
>
> When I start OFBiz, I see a few keys in Entity Store.
>
> How do I know which key was used to encrypt OOTB, so that I can use my key to re-encrypt the private keys and data fields?
>
> I am assuming that OOTB, AES is used with a 256-bit key length. Can you kindly confirm?
>
> Best,
> Pratyush
I think I was not clear enough. If you want to understand how it works, have a look at GenericDelegator::decryptFieldValue.

In a few words: a Key Name corresponds to an Entity Name encrypted. A Key Text is the value of a field of this Entity encrypted. You may try to modify the value of an encrypted field of an OOTB existing entity to better understand.

HTH

Jacques

On 25/03/2020 at 12:05, Jacques Le Roux wrote:
> Hi Pratyush,
>
> If you look at https://demo-trunk.ofbiz.apache.org/webtools/control/entity/find/EntityKeyStore you will see the Key Names. Those are the keys you are looking for. The Key Texts are the field values encrypted.
>
> Yes, OOTB, AES is used with a 256-bit key length. By default OFBiz has used Shiro for a long time now (there were older methods, now deprecated).
>
> HTH
>
> Jacques
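Added illustration, not OFBiz's own code: a minimal two-tier key store that separates the two rotation steps the thread's services describe, re-wrapping each per-entity data key under a new master key (the reencryptPrivateKeys idea, cheap, rows untouched) versus issuing a fresh data key and rewriting every encrypted row (the reencryptFields idea, a full table pass). The two-tier layout, AES/GCM via the JDK's javax.crypto, and all class and method names are assumptions for this demo, not how EntityCrypto or EntityKeyStore are implemented.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
public class KeyRotationDemo { // demo only: one AES-256 data key per entity name, wrapped under a master key
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, byte[]> keyStore = new HashMap<>(); // entity name -> data key wrapped with master
    private SecretKey master;
    public KeyRotationDemo(SecretKey master) { this.master = master; }
    public static SecretKey newAes256Key() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
    /** AES/GCM encrypt; output = 12-byte random IV || ciphertext || 16-byte tag. */
    static byte[] seal(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[12]; RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    /** Inverse of seal; a wrong key fails the GCM tag check instead of yielding garbage. */
    static byte[] open(SecretKey key, byte[] sealed) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, sealed, 0, 12));
        return c.doFinal(sealed, 12, sealed.length - 12);
    }
    /** Unwrap the entity's data key with the master key, generating it on first use. */
    SecretKey dataKey(String entity) throws GeneralSecurityException {
        byte[] wrapped = keyStore.get(entity);
        if (wrapped == null) {
            SecretKey k = newAes256Key();
            keyStore.put(entity, seal(master, k.getEncoded()));
            return k;
        }
        return new SecretKeySpec(open(master, wrapped), "AES");
    }
    public byte[] encryptField(String entity, String value) throws GeneralSecurityException {
        return seal(dataKey(entity), value.getBytes(StandardCharsets.UTF_8));
    }
    public String decryptField(String entity, byte[] stored) throws GeneralSecurityException {
        return new String(open(dataKey(entity), stored), StandardCharsets.UTF_8);
    }
    /** Analogue of reencryptPrivateKeys(oldKey, newKey): re-wrap each data key under the new master; rows untouched. */
    public void rotateMaster(SecretKey newMaster) throws GeneralSecurityException {
        for (Map.Entry<String, byte[]> e : keyStore.entrySet()) {
            e.setValue(seal(newMaster, open(master, e.getValue())));
        }
        master = newMaster;
    }
    /** Analogue of reencryptFields: fresh data key for the entity, every stored row re-encrypted (hence the long timeout). */
    public void rotateDataKey(String entity, Map<String, byte[]> rows) throws GeneralSecurityException {
        SecretKey old = dataKey(entity), fresh = newAes256Key();
        for (Map.Entry<String, byte[]> row : rows.entrySet()) {
            row.setValue(seal(fresh, open(old, row.getValue())));
        }
        keyStore.put(entity, seal(master, fresh.getEncoded()));
    }
    public static void main(String[] args) throws GeneralSecurityException {
        KeyRotationDemo store = new KeyRotationDemo(newAes256Key());
        Map<String, byte[]> rows = new HashMap<>(Map.of("row-1", store.encryptField("MyPluginEntity", "secret-value"))); // constructed sample row
        store.rotateMaster(newAes256Key());          // step 1: new master key, row ciphertext unchanged
        store.rotateDataKey("MyPluginEntity", rows); // step 2: new field key, row ciphertext rewritten
        System.out.println(store.decryptField("MyPluginEntity", rows.get("row-1")));
    }
}
```

The split matters operationally: step 1 can be run often because it only rewrites the key store, while step 2 rewrites every encrypted column and should be scheduled like any bulk data migration.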