Posted to user@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2020/09/01 11:16:07 UTC

Re: Ofbiz Security: Where to keep encryption keys

Hi Pratyush,

There are many ways to be safe. Somehow related: https://issues.apache.org/jira/browse/OFBIZ-11187

HTH

Jacques

On 31/08/2020 at 23:31, pratyush Giri wrote:
> Hi Ofbiz Security Experts,
>
> Requirement: I have an encryption key. Where should I keep it?
>
> From the various documentation and code review, I found that I can keep them in the entity "EntityKeyStore". Ideally per my understanding, the encryption key should be kept elsewhere so that in case the DB is compromised for any reason, the keys are not.
>
> What are the production instructions for storing the keys? Is it possible that I can keep the encryption key(s) in another System (say S3) and then use it? That way I do not have to store the keys in the same database whose data is encrypted with it.
>
> I know this is not a new problem, so I am hopeful that there are some solutions to this.
>
> Best,
> Pratyush