Key storeYour data in the encrypted database is only as secure as your keys. Someone getting your keys can access all your data. Therefore your keys require protection. First of all, the keys are always stored far away from your database, i.e. never at the cloud service provider. Where exactly you keep your keys is your decision. Cumulus4j provides various possibilities:
Take a look at the Deployment scenarios to get a better understanding of this. Protection by encryptionThe keys in your key store are encrypted and thus protected even if you loose your classic key ring with your key store being on a USB thumb drive. Only those people having a user-name and password to your key store can access your keys. By default, the key store uses very strong encryption: Twofish with 256 bit keys and GCM to protect it against data manipulation or corruption. Note: You need a backup, as GCM does only detect manipulation/corruption and is not able to magically repair it! But you need a backup, anyway, because you might loose your key store due to a broken hard disk, a lost thumb drive or other reasons. Key sizeBy default, keys have a length of 256 bit. But it is possible to specify a different key length (needs to be specified during initialisation!). Important: The key store determines, which key size is used to encrypt your database! Date-dependent key-strategyKeys are rotated from time to time. By default, one key is valid for one day, but you can choose otherwise if you want to. See Date-dependent key-strategy for further details. InitialisationBefore you can use a key-store, you have to initialise it. Initialisation comprises creation of at least one user and all keys. Currently, the only strategy supported is the 'Date-dependent key-strategy', hence the initialisation works via this strategy. The easiest way to perform an initialisation is the CLI (command line interface). You need to download org.cumulus4j.keymanager.cli-1.2.0-SNAPSHOT.jar and then use the initDateDependentKeyStrategy sub-command like this: java -jar org.cumulus4j.keymanager.cli-1.2.0-SNAPSHOT.jar initDateDependentKeyStrategy -keyStoreID MY-KEY-STORE -userName USER1 There are quite a few options available and you might want to use the following command to learn more about this command: java -jar org.cumulus4j.keymanager.cli-1.2.0-SNAPSHOT.jar help initDateDependentKeyStrategy ModulesThe following modules are related to the key-store and you might want to continue reading these documents: org.cumulus4j.keystore - the actual key-store. org.cumulus4j.keymanager.api - API to access a key-store (locally or on a remote key-server). org.cumulus4j.keymanager.cli - Command line interface to work with a key-store (locally or on a remote key-server). |
Documentation
AboutProject DocumentationBabelReleases |