On 05/07/2012 04:27 PM, doo...@apache.org wrote:
> Author: doogie
> Date: Mon May  7 21:27:32 2012
> New Revision: 1335268
> 
> URL: http://svn.apache.org/viewvc?rev=1335268&view=rev
> Log:
> FEATURE: Key-encrypting-key(kek) support is now enabled.  To enable
> support for this, run:
> 
> java org.ofbiz.base.crypto.Main -kek
> 
> and paste that value as a new attribute in entityengine.xml, <delegator
> key-encrypting-key="$kekText"/>.  Make certain to add that attribute to
> *all* delegators that share the same datasources.
> 
> ps: That java command should really be added to build.xml.

I could use some help here.

* We need to get the documentation updated for this.
* Add mention of this to the monthly features.
* Backport to 12.04 (other old branches?). It also requires the
  HashCrypt changes.
* Testing.
* top-level build.xml calling crypto.Main -kek.

The steps to enable kek for new installs:

* Before creation of the database (basically, before load-demo or any
  other load command):
  * run crypto.Main -kek
  * modify entityengine.xml:
    <delegator ... key-encrypting-key="$kekText"/>
* create database, load data.
* For each tenant, before running the first time, create a
  TenantKeyEncryptingKey, with kekText set to crypto.Main -kek (a new
  value for each tenant).

During an upgrade, it's almost the same.  However, you might want to
create the TenantKeyEncryptingKey table by hand beforehand.  If the
kek value is created before any new data is written to the database,
then everything will just happen for free.

I made a database copy of a 595296-era ofbiz install, posted
localpostnew at it, generated key-encrypting-key="$kekText", started
ofbiz, went to webtools, edited a CreditCard without changing
anything, then verified in the database that CreditCard.cardNumber was
different (base64), and that a new entry in EntityKeyStore (base64) was
added.  I verified that the existing value (using hex encoding) was
readable before enabling the kek handler in EntityCrypt, and that it
was still readable after enabling the handler.

> Modified:
>     ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
> 
> Modified: 
> ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
> URL: 
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java?rev=1335268&r1=1335267&r2=1335268&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java 
> (original)
> +++ ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java 
> Mon May  7 21:27:32 2012
> @@ -63,7 +63,7 @@ public final class EntityCrypto {
>              throw new EntityCryptoException(e);
>          }
>          handlers = new StorageHandler[] {
> -            // new SaltedBase64StorageHandler(kek),
> +            new SaltedBase64StorageHandler(kek),
>              NormalHashStorageHandler,
>              OldFunnyHashStorageHandler,
>          };
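Review bot: `new SaltedBase64StorageHandler(kek)` is now constructed unconditionally and put first in `handlers`, but nothing in this hunk shows what that constructor does when the delegator has no `key-encrypting-key` attribute, which the commit message describes as opt-in; either guard the entry on `kek != null` or add a comment stating that the handler tolerates a null kek. The array order also deserves a one-line comment, since the only place its consequence is recorded is the commit message's warning that *all* delegators sharing a datasource need the attribute: a reader of this array alone cannot tell that the first handler is the one new writes go through, or that a delegator built without the kek will not be able to read rows written by one that has it.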
> 
> 
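The upgrade path described above, as an added example that is not OFBiz's code: a delegator whose key-encrypting-key wraps the per-key-name data encryption keys held in a key store (a map standing in for EntityKeyStore), with the column decoders tried in the order the diff gives the handlers, so rows written before the kek existed stay readable. Everything in it is this example's own design rather than a reading of EntityCrypto or SaltedBase64StorageHandler: AES-GCM for both the key wrap and the column value, the "kek:" prefix that marks a wrapped key store entry, and the Crypto/Encrypt/Decrypt names. It goes one step past the thread by making a delegator that lacks the attribute fail with an explicit error on any key minted after the upgrade instead of returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// decoders mirrors the handler order in the diff: SaltedBase64 first, then the
// hex form. New writes always use the first form; reads try each until one authenticates.
var decoders = []func(string) ([]byte, error){base64.StdEncoding.DecodeString, hex.DecodeString}

// Crypto is one delegator's view of the shared key store (the EntityKeyStore stand-in):
// pre-KEK entries are the raw DEK as hex, KEK-era entries are "kek:" + base64(AES-GCM
// wrap of the DEK). The prefix and the AES-GCM choice are this example's, not OFBiz's.
type Crypto struct {
	kek   []byte            // nil when the delegator has no key-encrypting-key attribute
	store map[string]string // key name -> stored DEK, shared by every delegator on the datasource
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is a freshly minted 32-byte key
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce||ciphertext; the random nonce doubles as the per-value salt.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than a nonce")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// dek returns the DEK for keyName, minting a KEK-wrapped one on first use.
func (c *Crypto) dek(keyName string) ([]byte, error) {
	stored, ok := c.store[keyName]
	if ok && !strings.HasPrefix(stored, "kek:") {
		return hex.DecodeString(stored) // pre-KEK entry: the key itself sat in the table unprotected
	}
	if c.kek == nil {
		return nil, fmt.Errorf("key %q needs a key-encrypting-key and this delegator has none", keyName)
	}
	if !ok {
		raw := make([]byte, 32)
		rand.Read(raw)
		c.store[keyName] = "kek:" + base64.StdEncoding.EncodeToString(seal(c.kek, raw))
		return raw, nil
	}
	wrapped, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "kek:"))
	if err != nil {
		return nil, err
	}
	return open(c.kek, wrapped) // a different KEK fails GCM authentication here
}

// Encrypt writes the new (salted base64) form regardless of what the row held before.
func (c *Crypto) Encrypt(keyName, plaintext string) (string, error) {
	key, err := c.dek(keyName)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(seal(key, []byte(plaintext))), nil
}

// Decrypt tries each decoder in order; a hex column often decodes as base64 too,
// so the GCM tag check, not the decoding, decides which form the row is in.
func (c *Crypto) Decrypt(keyName, column string) (string, error) {
	key, err := c.dek(keyName)
	if err != nil {
		return "", err
	}
	for _, decode := range decoders {
		if blob, err := decode(column); err == nil {
			if pt, err := open(key, blob); err == nil {
				return string(pt), nil
			}
		}
	}
	return "", fmt.Errorf("no storage handler could read the value for key %q", keyName)
}

func main() {
	kek := make([]byte, 32)
	rand.Read(kek) // stands in for the value crypto.Main -kek would print
	d := &Crypto{kek: kek, store: map[string]string{}}
	row, _ := d.Encrypt("CreditCard.cardNumber", "4111111111111111")
	pt, _ := d.Decrypt("CreditCard.cardNumber", row)
	fmt.Println(row, "\n"+d.store["CreditCard.cardNumber"], "\n"+pt)
}
```

Two things this makes visible that the thread only implies. A delegator on the same datasource that was not given the attribute can still read pre-kek rows, but fails on any key minted after the upgrade, which is the "*all* delegators" warning from the commit message in concrete form. And enabling the handler does not by itself rewrap a key that was already in the store unprotected: the old hex entry is still read as-is, so after an upgrade it is worth listing the key store for entries that are still in the old form.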
