When enabling the feature to encrypt database-stored passwords, please note that
the encryption algorithm used is AES-128 with a 16-byte key provided in base64 encoding.
issue
In this case, we base64-encoded a 16-byte key
✗ echo abcdef1234567890 | base64
YWJjZGVmMTIzNDU2Nzg5MAo=
but we can see the feature is not enabled as expected.
# select value from setting where name='features.encryption.enabled';
value
-------
false
(1 row)
error log
The logs should contain an error about an incorrect key.
2023-01-30 10:32:16.366 43563 [quartzScheduler_Worker-5] ERROR com.iriusrisk.services.job.setting.SettingJobService - .......................................................................................
2023-01-30 10:32:16.366 43563 [quartzScheduler_Worker-5] ERROR com.iriusrisk.services.job.setting.SettingJobService - Encryption key is not valid.
2023-01-30 10:32:16.366 43563 [quartzScheduler_Worker-5] ERROR com.iriusrisk.services.job.setting.SettingJobService - The key must be 16 bytes in length and encoded with base64.
2023-01-30 10:32:16.366 43563 [quartzScheduler_Worker-5] ERROR com.iriusrisk.services.job.setting.SettingJobService - You will find more details here https://support.iriusrisk.com/hc/en-us/articles/360031165271-Encrypt-database-stored-passwords-
check key length
If we decode the base64 value that was generated with "echo"
✗ echo YWJjZGVmMTIzNDU2Nzg5MAo=|base64 -d|hexdump -C
00000000 61 62 63 64 65 66 31 32 33 34 35 36 37 38 39 30 |abcdef1234567890|
00000010 0a |.|
00000011
we see that it actually produced a 17-byte key, because "echo" appended an extra "\n".
fix
Re-generate a 16-byte key; the feature is then enabled.
# select value from setting where name='features.encryption.enabled';
value
-------
true
(1 row)
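One way to check a key before configuring it, as an added example that is not part of the original article or of IriusRisk's tooling: the helper names key_len and check_key are hypothetical, and the literal key is the constructed sample from above, not a real key. It compares the "echo" encoding with a newline-free "printf" encoding and with 16 random bytes.

```shell
#!/bin/sh
# key_len: print how many bytes a base64 string decodes to, or -1 if it
# is not valid base64.
key_len() {
    if ! printf '%s' "$1" | base64 -d >/dev/null 2>&1; then
        echo -1
        return 0
    fi
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# check_key: succeed only if the value decodes to exactly 16 bytes,
# the key length required for AES-128.
check_key() {
    n=$(key_len "$1")
    if [ "$n" -eq 16 ]; then
        echo "OK: decodes to 16 bytes"
    else
        echo "INVALID: decodes to $n bytes, expected 16"
        return 1
    fi
}

# Constructed sample values:
bad=$(echo abcdef1234567890 | base64)          # echo appends "\n": 17 bytes
good=$(printf '%s' abcdef1234567890 | base64)  # no trailing newline: 16 bytes
random=$(head -c 16 /dev/urandom | base64)     # 16 random bytes

check_key "$bad" || true
check_key "$good"
check_key "$random"
```

A key taken from /dev/urandom is preferable to a typed string, since a memorable ASCII key uses only a small part of the 128-bit key space.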