Available since indyco 4.4.0.0


Introduction


The password of the LDAP service account is encrypted reversibly using an encryptionKey and then stored securely in the database.

This encryption mechanism ensures the protection of sensitive credentials while allowing decryption when necessary.


By default, the encryptionKey is generated automatically during the server startup process. The generated key is stored in a file named appsecret.json.


Customizing the Encryption Key


System administrators have the option to customize the encryptionKey. The customization process varies depending on whether you are using the on-premise version or the containerized version of Indyco.


On-Premise Version


Before starting the application, you must create and populate the appsecret.json file with the following JSON structure:


{
  "Indyco": {
    "Secrets": {
      "LDAPCredentialsEncryptionKey": "longlongstring"
    }
  }
}


Place the appsecret.json file in the installation directory before starting the server.


Containerized Version


For the containerized version, create a file named appSecrets.txt containing only the encryption string (without any JSON structure). For example:


longlongstring


Next, update the docker-compose file to include a secrets section as shown below:


secrets:
  appSecrets:
    file: appSecrets.txt


Finally, pass the secret to the container where Indyco will run:


indyco:
  secrets:
    - appSecrets


Modifying the Encryption Key


It is possible to modify the encryptionKey after it has been set. However, if a password has already been encrypted using the current encryptionKey, replacing the key will make that password unreadable until it is re-entered.


To update the encryption key:

  1. Replace the old encryptionKey with the new one.
    • For the on-premise version, update the appsecret.json file.
    • For the containerized version, update the appSecrets.txt file.
  2. Restart the application so it picks up the new key: for the containerized version, redeploy the container; for the on-premise version, reboot the server.
  3. Go to the LDAP configuration form and re-enter the LDAP service account password.

This step ensures that the new encryptionKey is used to re-encrypt the password.
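The following helper, an added example that is not part of Indyco or its documentation, writes the key in both file formats described above (the nested appsecret.json for on-premise, the bare-string appSecrets.txt for containers) and validates that an existing file matches the expected shape before a restart. The key length and the use of a random URL-safe token are assumptions; the page only shows a placeholder string.

```python
import json
import os
import secrets
from pathlib import Path
from typing import Optional

# Assumption: the page gives no key format beyond "longlongstring";
# a 32-byte random URL-safe token is chosen here, not an Indyco requirement.
def generate_key(nbytes: int = 32) -> str:
    return secrets.token_urlsafe(nbytes)

def write_onprem_secret(path: Path, key: str) -> None:
    """Write appsecret.json with exactly the nesting the docs show."""
    doc = {"Indyco": {"Secrets": {"LDAPCredentialsEncryptionKey": key}}}
    path.write_text(json.dumps(doc, indent=2))
    os.chmod(path, 0o600)  # key material: owner-only on POSIX

def write_container_secret(path: Path, key: str) -> None:
    """Write appSecrets.txt: the bare string, no JSON, no trailing newline."""
    path.write_text(key)
    os.chmod(path, 0o600)

def read_onprem_key(path: Path) -> Optional[str]:
    """Return the key from appsecret.json, or None if the structure is wrong."""
    try:
        doc = json.loads(path.read_text())
        key = doc["Indyco"]["Secrets"]["LDAPCredentialsEncryptionKey"]
    except (OSError, ValueError, KeyError, TypeError):
        return None
    return key if isinstance(key, str) and key else None

def read_container_key(path: Path) -> Optional[str]:
    """Return the key from appSecrets.txt, or None if it looks like JSON
    or carries stray whitespace that would become part of the key."""
    try:
        raw = path.read_text()
    except OSError:
        return None
    if not raw or raw != raw.strip() or raw.lstrip().startswith("{"):
        return None
    return raw
```

Run the validators against the files in place before redeploying; a None result means the application would start with a key different from the one you intended.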