You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@james.apache.org by bt...@apache.org on 2021/04/02 01:34:33 UTC

[james-project] 06/08: JAMES-3524 Document blobStore encryption

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 8ead5fcf073a8bb426dc3e4a66431e32a7045dc6
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Fri Mar 26 15:25:19 2021 +0700

    JAMES-3524 Document blobStore encryption
---
 .../pages/distributed/configure/blobstore.adoc     | 27 ++++++++++++++++
 src/site/xdoc/server/config-blobstore.xml          | 36 +++++++++++++++++++++-
 2 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/docs/modules/servers/pages/distributed/configure/blobstore.adoc b/docs/modules/servers/pages/distributed/configure/blobstore.adoc
index 139c961..c256b13 100644
--- a/docs/modules/servers/pages/distributed/configure/blobstore.adoc
+++ b/docs/modules/servers/pages/distributed/configure/blobstore.adoc
@@ -35,6 +35,33 @@ Consequently, all the requested deletions will not be performed, meaning that bl
 
 NOTE: If you are upgrading from James 3.5 or older, the deduplication was enabled.
 
+=== Encryption choice
+
+Data can be optionally encrypted with a symmetric key using AES before being stored in the blobStore. As many user relies
+on third party for object storage, a compromised third party will not escalate to a data disclosure. Of course, a
+performance price have to be paid, as encryption takes resources.
+
+*encryption.aes.enable* : Optional boolean, defaults to false.
+
+If AES encryption is enabled, then the following properties MUST be present:
+
+ - *encryption.aes.password* : String
+ - *encryption.aes.salt* : Hexadecimal string
+
+WARNING: Once chosen this choice can not be reverted, all the data is either clear or encrypted. Mixed encryption
+is not supported.
+
+Here is an example of how you can generate the above values (be mindful to customize the byte lengths in order to add
+enough entropy.
+
+....
+# Password generation
+openssl rand -base64 64
+
+# Salt generation
+generate salt with : openssl rand -hex 16
+....
+
 === Cassandra BlobStore Cache
 
 A Cassandra cache can be enabled to reduce latency when reading small blobs frequently.
diff --git a/src/site/xdoc/server/config-blobstore.xml b/src/site/xdoc/server/config-blobstore.xml
index 92de092..15ae7b2 100644
--- a/src/site/xdoc/server/config-blobstore.xml
+++ b/src/site/xdoc/server/config-blobstore.xml
@@ -85,7 +85,41 @@
                         Maximum size of stored objects expressed in bytes.</dd>
                 </dl>
             </subsection>
-
+            <subsection name="Encryption choice">
+                <p>
+                    Data can be optionally encrypted with a symmetric key using AES before being stored in the blobStore. As many user relies
+                    on third party for object storage, a compromised third party will not escalate to a data disclosure. Of course, a
+                    performance price have to be paid, as encryption takes resources.
+                </p>
+                <dl>
+                    <dt><strong>encryption.aes.enable</strong></dt>
+                    <dd>Optional boolean, defaults to false</dd>
+                </dl>
+                <p>If AES encryption is enabled, then the following properties MUST be present:</p>
+                <dl>
+                    <dt><strong>encryption.aes.password</strong></dt>
+                    <dd>String</dd>
+                </dl>
+                <dl>
+                    <dt><strong>encryption.aes.salt</strong></dt>
+                    <dd>Hexadecimal string.</dd>
+                </dl>
+                <p><b>WARNING:</b> Once chosen this choice can not be reverted, all the data is either clear or encrypted. Mixed encryption
+                    is not supported.</p>
+                <p>
+                    Here is an example of how you can generate the above values (be mindful to customize the byte lengths in order to add
+                    enough entropy.
+                </p>
+                <pre>
+                    <code>
+# Password generation
+openssl rand -base64 64
+
+# Salt generation
+generate salt with : openssl rand -hex 16
+                    </code>
+                </pre>
+            </subsection>
             <subsection name="ObjectStorage BlobStore Buckets Configuration">
                 <dl>
                     <dt><strong>objectstorage.bucketPrefix</strong></dt>

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org