×
We value your feedback! Please click here to access our 2024 Client Survey.
The survey will remain open until November 1st. Your perspective will help guide our product/service planning and goals for the upcoming year and beyond!

Default Encryption Key?

LabKey Support Forum
Default Encryption Key? Ben Bimber  2014-01-15 07:22
Status: Closed
 
Hi everyone,

I recently upgraded our production server to 13.3. I did not catch the defaultEncryptionKey setting in the tomcat config prior to doing this. Are there consequences to changing that key on a server that's been running for a period of time?

Thanks.
 
 
adam responded:  2014-01-15 08:34
In short, changing your MasterEncryptionKey shouldn't be a problem.

The MasterEncryptionKey is used in only a couple places in 13.3 (cloud storage configuration and remote ETL configurations), where actual passwords must be stored in the database. If you haven't used these features, you haven't encrypted any data.

In addition, if the value is blank or set to the default ("@@masterEncryptionKey@@"), then our encryption code will throw a configuration exception, requiring an administrator to provide an appropriate key.

Once you set the MasterEncryptionKey and encrypt values by configuring the services that use it, subsequently changing the key will be a problem... existing values will be irretrievable.

More details here: https://www.labkey.org/wiki/home/Documentation/page.view?name=cpasxml

Adam
 
Ben Bimber responded:  2014-01-15 10:41
thanks. this seems like a useful feature. i have more recently been using ROOT.xml to store credentials (like LDAP sync); however, I will probably convert our ETLs to use this since they store JDBC strings.
 
adam responded:  2014-01-15 10:55
Yes, we considered just adding the remote ETL credentials into labkey/root.xml. This would have been easier, but with additional configurations likely, the admin inconvenience of forcing server restart on every edit plus the global nature of labkey.xml settings (no built-in scoping for user/container) made us lean in favor of building a general purpose encrypted property store.

PropertyManager.getEncryptedStore()

Adam