Encryption types
You can specify the encryption type used by a Deployment Automation server, agent, or agent relay. The encryption setting is used to protect secured values.
Supported encryption types
Deployment Automation supports the following encryption types:
- LEGACY (uses the legacy method to encrypt data)
- AES256
- RSA
Encryption keys
External encryption and decryption keys are provided by the user or generated automatically when a server starts. The enc-keys directory is created and stores the keys.
Each key is stored with a file name using this pattern:
Pattern | Description
---|---
<encryption type>-<key index>-E | Stores the encryption key.
<encryption type>-<key index>-D | Stores the decryption key.
<encryption type>-<key index> | Used as a fallback if no files with the above names are found (used when a -E or -D key with the corresponding index cannot be found).
Encryption guidelines:
- If there are no files in the enc-keys directory when a server, agent relay, or agent is started, random keys are stored for the encryption type.
- The key index can contain one character only.
- If a key is not found or an error occurs during encryption or decryption, the default hard-coded key is used.
- The ‘!’ symbol is reserved for the default key index.
- Data is always encrypted using the latest key (the key with the biggest index).
- All keys are reloaded when a server restarts.
- Encrypted data contains the index of the encryption key. The corresponding decryption key should have the same index and be present in the profile.
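The key-file naming and fallback rules above, as an added example that is not Deployment Automation's own code: given a listing of the enc-keys directory, it picks the encryption key (latest index), resolves the decryption key for the index carried in encrypted data, and flags indexes whose data could no longer be decrypted. The product's ordering of key indexes is not documented here, so plain character order is assumed for "biggest index"; the file names are constructed.

```python
# Added example (not Deployment Automation's own code): models the enc-keys
# file-name rules described on this page. Assumes plain character order for
# "biggest index" (so "9" > "1" and "Z" > "A"); the product may differ.
DEFAULT_INDEX = "!"  # reserved for the hard-coded default key

# Constructed sample listing of <profile_location>/conf/server/enc-keys
SAMPLE_FILES = {"AES256-1-E", "AES256-1-D", "AES256-2-E", "AES256-2-D",
                "AES256-3", "AES256-4-E"}

def key_indexes(files, enc_type):
    """Collect the one-character key indexes present for an encryption type."""
    indexes = set()
    prefix = enc_type + "-"
    for name in files:
        if not name.startswith(prefix):
            continue
        # Matches "<type>-<idx>-E", "<type>-<idx>-D" and the plain "<type>-<idx>".
        idx = name[len(prefix):].split("-", 1)[0]
        if len(idx) == 1 and idx != DEFAULT_INDEX:
            indexes.add(idx)
    return indexes

def resolve_key_file(files, enc_type, index, suffix):
    """Prefer "<type>-<idx>-E/-D"; fall back to "<type>-<idx>"; else None."""
    for candidate in (f"{enc_type}-{index}-{suffix}", f"{enc_type}-{index}"):
        if candidate in files:
            return candidate
    return None

def encryption_key_for(files, enc_type):
    """Data is always encrypted with the latest (biggest) index."""
    indexes = key_indexes(files, enc_type)
    if not indexes:
        return DEFAULT_INDEX, None  # no key files: the hard-coded default is used
    latest = max(indexes)
    return latest, resolve_key_file(files, enc_type, latest, "E")

def decryption_key_for(files, enc_type, stored_index):
    """Encrypted data carries its key index; the matching -D key must exist."""
    chosen = resolve_key_file(files, enc_type, stored_index, "D")
    if stored_index == DEFAULT_INDEX or chosen is None:
        return DEFAULT_INDEX, None  # missing key: hard-coded default is used
    return stored_index, chosen

def indexes_without_decryption_key(files, enc_type):
    """Indexes with an encryption key but no -D (or plain) file to decrypt with."""
    return sorted(i for i in key_indexes(files, enc_type)
                  if resolve_key_file(files, enc_type, i, "D") is None)
```

Running `indexes_without_decryption_key` against a profile before a restart shows which rotated keys still lack a -D file, since data encrypted under those indexes would otherwise fall back to the default key.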
Server encryption
The following guidelines apply to server encryption:
- Default encryption type: AES256
- To set the server encryption type, edit the systemConfig/encryptionAlgorithm property in the da_config.xml file.
- RSA is not supported on the server; using it would require the length of the database fields that contain encrypted values to be increased.
- The enc-keys directory is created in the following location: <profile_location>/conf/server
- Data that is encrypted in the database is not re-encrypted during a server upgrade or after the encryption algorithm property changes. If the property changes, secure properties in the installed.properties file are re-encrypted when the server starts.
Agent encryption
The following guidelines apply to agent encryption:
- Default encryption type: LEGACY
- To set the agent encryption type, edit the locked/agent.strict.encryption.type property in the agent.properties file.
- Non-default encryption types are not compatible with old plugins; however, the default (LEGACY) is less secure.
- The enc-keys directory is created in the following location: <agent_location>/conf/agent
- If the encryption type property is changed, secure properties in the agent.properties file are re-encrypted when the agent starts.
Agent relay encryption
The following guidelines apply to agent relay encryption:
- Default encryption type: AES256
- To set the agent relay encryption type, edit the agentrelay.encryption.type property in the agentrelay.properties file.
- The enc-keys directory is created in the following location: <agent_relay_location>/conf
- If the encryption type property is changed, secure properties in the agentrelay.properties file are re-encrypted when the agent relay starts.