Skip to main content

Encrypt database stored passwords.

rules
  • Updated

Overview.

This feature is available on IriusRisk version >= 2.1.3.

To integrate with external issue trackers and testing tools IriusRisk needs to use authentication credentials in the form of a username and password. The passwords are stored in IriusRisk's database. There is a feature that can be enabled to encrypt these passwords so they are not stored in plain text within the database. 

The encryption algorithm used is AES-128 with a 16 bytes key provided in base64 encoding.  

Encrypting the passwords.

To enable the encryption feature IriusRisk, define the following environment variable:

ENCRYPTION_KEY=base64_encoded_key

As mentioned above, the key must be 16 bytes in length and encoded with base64. 

docker-compose

If you are using our standard docker-compose deployment you can define the variable as follows: 

...
tomcat:
 environment:
   ...
   - ENCRYPTION_KEY=cGFzc3dvcmR0b2VuY3J5dA== 
 ...

tomcat

If you're using a native Tomcat installation you can edit the the CATALINA_BASE/bin/setenv.{bat,sh} script to set the variable: 

Linux

export ENCRYPTION_KEY=cGFzc3dvcmR0b2VuY3J5dA== 

Windows:

set ENCRYPTION_KEY=cGFzc3dvcmR0b2VuY3J5dA== 

OR

[root@yoursite conf]# tail /opt/tomcat/conf/catalina.properties
# IriusRisk configurations 
IRIUS_DB_URL=jdbc\:postgresql\://127.0.0.1\:5432/iriusriskdemo?user\=iriusriskDemo&password\=defaultIriusRiskPa33word 
IRIUS_EDITION=saas 
IRIUS_EXT_URL=https\://yoursite.iriusrisk.com 
grails.env=production 
IRIUS_JWT_PRIVATE_KEY_PATH=/opt/iriusrisk/latest/conf/ec_private.pem 
ENCRYPTION_KEY=YWJjZGVmMTIzNDU2Nzg5MAo=

Changing the encryption password

If you need to change the encryption key of an already encrypted database, you can do so by specifying the current encryption key (that was used to encrypt the database passwords) and the new key to use: 

 ENCRYPTION_KEY_TO_REPLACE=oldkeyin_base64

On our docker-compose based deployment, it would be: 

[...]
tomcat:
 environment:
 [...] 
 - ENCRYPTION_KEY_TO_REPLACE=b2xka2V5dG9yZXBsYWNl
 - ENCRYPTION_KEY=cGFzc3dvcmR0b2VuY3J5dA==

Verifying that passwords are encrypted

To make sure the passwords are being encrypted you can directly connect to the database. There is a setting in the setting table that indicates the passwords are encrypted:

Selection_237.png

And you can also check the passwords themselves:  

Selection_238.png 

 

 

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk