Overview.
This feature is available on IriusRisk version >= 2.1.3.
To integrate with external issue trackers and testing tools, IriusRisk needs authentication credentials in the form of a username and password. These passwords are stored in IriusRisk's database. A feature can be enabled to encrypt them so that they are not stored in plain text within the database.
The encryption algorithm used is AES-128 with a 16-byte key provided in base64 encoding.
Encrypting the passwords.
To enable the encryption feature in IriusRisk, define the following environment variable:
ENCRYPTION_KEY=base64_encoded_key
As mentioned above, the key must be 16 bytes in length and encoded with base64.
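The following is an added example, not IriusRisk's own tooling: it generates a random 16-byte key and checks that a base64 value decodes to exactly 16 bytes, then applies the check to the sample values shown in this page's snippets. It assumes GNU coreutils (`base64`, `head`, `wc`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: generate and validate a value for ENCRYPTION_KEY.
# Assumes GNU coreutils; gen_key/key_len/check_key are hypothetical names.

REQUIRED_BYTES=16   # AES-128 key size stated on this page

# Print a fresh random 16-byte key, base64-encoded (24 characters).
gen_key() {
    head -c "$REQUIRED_BYTES" /dev/urandom | base64
}

# Print the decoded length in bytes; fail if the value is not base64.
key_len() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    n=$(printf '%s' "$1" | base64 -d | wc -c)
    echo $((n))     # arithmetic expansion strips any padding from wc
}

# Return 0 only when the value decodes to exactly REQUIRED_BYTES.
check_key() {
    len=$(key_len "$1") || { echo "not valid base64"; return 1; }
    if [ "$len" -ne "$REQUIRED_BYTES" ]; then
        echo "decodes to $len bytes, expected $REQUIRED_BYTES"
        return 1
    fi
    echo "ok"
}

# Demo: one freshly generated key, then the sample values that appear
# in this page's configuration snippets.
for k in "$(gen_key)" \
         "cGFzc3dvcmR0b2VuY3J5dA==" \
         "YWJjZGVmMTIzNDU2Nzg5MAo=" \
         "b2xka2V5dG9yZXBsYWNl"; do
    printf '%s: %s\n' "$k" "$(check_key "$k" || true)"
done
```

A key encoded with `echo` rather than `printf '%s'` or `echo -n` carries a trailing newline and decodes to 17 bytes, which this check reports.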
docker-compose
If you are using our standard docker-compose deployment you can define the variable as follows:
...
  tomcat:
    environment:
      ...
      - ENCRYPTION_KEY=cGFzc3dvcmR0b2VuY3J5dA==
...
tomcat
If you're using a native Tomcat installation, you can edit the CATALINA_BASE/bin/setenv.{bat,sh} script to set the variable:
Linux:
export ENCRYPTION_KEY=cGFzc3dvcmR0b2VuY3J5dA==
Windows:
set ENCRYPTION_KEY=cGFzc3dvcmR0b2VuY3J5dA==
Alternatively, define the variable in Tomcat's catalina.properties file:
[root@yoursite conf]# tail /opt/tomcat/conf/catalina.properties
# IriusRisk configurations
IRIUS_DB_URL=jdbc\:postgresql\://127.0.0.1\:5432/iriusriskdemo?user\=iriusriskDemo&password\=defaultIriusRiskPa33word
IRIUS_EDITION=saas
IRIUS_EXT_URL=https\://yoursite.iriusrisk.com
grails.env=production
IRIUS_JWT_PRIVATE_KEY_PATH=/opt/iriusrisk/latest/conf/ec_private.pem
ENCRYPTION_KEY=YWJjZGVmMTIzNDU2Nzg5MAo=
Changing the encryption password
If you need to change the encryption key of an already encrypted database, you can do so by specifying the current encryption key (that was used to encrypt the database passwords) and the new key to use:
ENCRYPTION_KEY_TO_REPLACE=oldkeyin_base64
On our docker-compose based deployment, it would be:
[...]
  tomcat:
    environment:
      [...]
      - ENCRYPTION_KEY_TO_REPLACE=b2xka2V5dG9yZXBsYWNl
      - ENCRYPTION_KEY=cGFzc3dvcmR0b2VuY3J5dA==
Verifying that passwords are encrypted
To make sure the passwords are being encrypted you can directly connect to the database. There is a setting in the setting table that indicates the passwords are encrypted:
And you can also check the passwords themselves: