<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi,</p>
    <p>this might be interesting for you:
<a class="moz-txt-link-freetext" href="https://docs.evolveum.com/midpoint/reference/security/crypto/migrating-encryption-keys/">https://docs.evolveum.com/midpoint/reference/security/crypto/migrating-encryption-keys/</a></p>
    <p>It is possible to migrate to a new encryption key by creating a
      new key and re-encrypting all encrypted information. The
      documentation above describes a possible way. It would probably
      require further configuration for partitioning the task to run
      with multiple threads/on multiple nodes in production.</p>
    <p>This page contains information about adding encryption keys:
      <a class="moz-txt-link-freetext" href="https://docs.evolveum.com/midpoint/reference/security/crypto/">https://docs.evolveum.com/midpoint/reference/security/crypto/</a><br>
    </p>
    <p>The following information is encrypted by default:</p>
    <p>- passwords (including User passwords and passwords stored in
      Resources)<br>
    </p>
    <p>The following information is hashed by default:</p>
    <p>- password history (if enabled)</p>
    <p>The password for the administrator is stored right in the administrator
      object.</p>
    <p>E.g.</p>
    <pre><credentials>
    <password>
        <lastSuccessfulLogin>
            <timestamp>2021-05-27T16:23:02.651+02:00</timestamp>
            <from>0:0:0:0:0:0:0:1</from>
        </lastSuccessfulLogin>
        <previousSuccessfulLogin>
            <timestamp>2021-05-27T15:49:30.171+02:00</timestamp>
            <from>0:0:0:0:0:0:0:1</from>
        </previousSuccessfulLogin>
        <metadata>
            <createTimestamp>2018-10-10T12:27:00.526+02:00</createTimestamp>
            <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
        </metadata>
        <value>
            <t:encryptedData>
                <t:encryptionMethod>
                    <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
                </t:encryptionMethod>
                <t:keyInfo>
                    <t:keyName>4HXeUejV93Vd3JuIZz7sbs5bVko=</t:keyName>
                </t:keyInfo>
                <t:cipherData>
                    <t:cipherValue>abcd6a/jabcdjj/TUabcdy473T+hC5abcdikxJ/eyDA=</t:cipherValue>
                </t:cipherData>
            </t:encryptedData>
        </value>
    </password>
</credentials></pre>
    <p>Above you can see the encryption method of the key (AES128-CBC);
      keyName refers to the key from the keystore (I have no idea how
      exactly this ID is derived from the key alias name) and the
      cipherValue is the encrypted password.</p>
    <p>So for each password there is also information about the key which
      was used for it, so that it can be decrypted again.</p>
    <p>In the case of hashed passwords the information will be similar, but
      the hash algorithm would be indicated and the password would
      obviously be hashed and not decryptable.</p>
    <p>As for the migration between environments... this looks much more
      interesting. Obviously, if you export data from one environment,
      you would also need to have the same encryption key. At least for
      re-encryption using the task above.<br>
    </p>
    <p>Hope this helps.</p>
    <p>Best regards,</p>
    <p>Ivan<br>
    </p>
    <div class="moz-cite-prefix">On 27. 5. 2021 16:08, Wang, Xiaoshu via
      midPoint wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:BL0PR03MB42439E20F1470C0A66E3AE939C239@BL0PR03MB4243.namprd03.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal">Hi, I have a few curious questions.</p>
        <p class="MsoNormal">My understanding is that much of the
          information in the repository database is encrypted with the
          default key in the keystore.jceks of the midpoint.home
          directory. I wonder if it is possible to change the key.</p>
        <p class="MsoNormal">The reason I ask this question is to imagine
          the scenario, say, where the keystore is somehow compromised or
          our school's policy requires us to change the key once in a
          while; I wonder if it is possible to change the key without
          having to start all over again.</p>
        <p class="MsoNormal">In addition, I wonder what info is encrypted
          by the key and where it is stored. For instance, I couldn't
          figure out where the password (or its hash, encrypted form,
          etc.) for the administrator is stored. The reason that I ask
          this is that I am trying to create a new environment, but the DB
          admin copied it from another environment, so I am forced to use
          the previous keystore. I would like to use a different key for
          each environment...</p>
        <p class="MsoNormal">Xiaoshu Wang</p>
      </div>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
  </body>
</html>