Installation and Administration

Implementing Encryption

Updated: July 17, 2023

Binaries Encryption

The content files stored by the Nuxeo Platform, also known as binaries, are stored using the BinaryManager abstraction, as described in the Binary Store documentation. There are several ways to configure encryption depending on your choice of BinaryManager.

Filesystem AES Encryption

Since Nuxeo Platform 6.0, it's possible to use a BinaryManager that encrypts files using AES. Two modes are possible:

  • A fixed AES key retrieved from a Java KeyStore
  • An AES key derived from a human-readable password using the industry-standard PBKDF2 mechanism (in which case each encrypted file contains a different salt for security reasons).

You select the mode and its parameters through the key attribute of the <binaryManager class="" key="..."> element in the repository configuration.

The configuration has the form key1=value1,key2=value2,... where the possible keys are, for Java KeyStore use:

  • keyStoreType: the keystore type, for instance JCEKS
  • keyStoreFile: the path to the keystore, if applicable
  • keyStorePassword: the keystore password
  • keyAlias: the alias (name) of the key in the keystore
  • keyPassword: the key password

And for PBKDF2 use:

  • password: the password

The binary manager and options can be set through nuxeo.conf:

nuxeo.core.binarymanager=org.nuxeo.ecm.core.blob.binary.AESBinaryManager
nuxeo.core.binarymanager_key=keyStoreType=JCEKS,keyStoreFile=/etc/keystore.jceks,keyStorePassword=changeit,keyAlias=mykey,keyPassword=changeittoo
#or
nuxeo.core.binarymanager_key=password=mypassword
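
As an added example (not part of the Nuxeo documentation or code base), the following Python check parses a nuxeo.core.binarymanager_key value in the key1=value1,key2=value2 format described above, reports which mode it selects, and flags missing options and the sample passwords shown on this page. The function names, the required-option rule, and the treatment of commas and extra = signs are assumptions of this example, not documented Nuxeo behavior.

```python
# Added example: lint a nuxeo.core.binarymanager_key value before deployment.
# Option names come from the page; the rules are assumptions of this example.
PROP = "nuxeo.core.binarymanager_key="
KEYSTORE_KEYS = {"keyStoreType", "keyStoreFile", "keyStorePassword", "keyAlias", "keyPassword"}
PBKDF2_KEYS = {"password"}
# keyStoreFile is documented as "if applicable", so it is not treated as required.
KEYSTORE_REQUIRED = KEYSTORE_KEYS - {"keyStoreFile"}
SECRET_KEYS = {"keyStorePassword", "keyPassword", "password"}
# Sample secrets printed in the documentation (constructed deny-list).
DOC_SAMPLE_SECRETS = {"changeit", "changeittoo", "mypassword"}


def parse_options(raw):
    """Split key1=value1,key2=value2 into a dict, cutting each pair at its first '='."""
    raw = raw.strip()
    raw = raw[len(PROP):] if raw.startswith(PROP) else raw
    options = {}
    for i, pair in enumerate(raw.split(","), 1):
        key, sep, value = pair.partition("=")
        # A ',' inside a secret ends up here, so the fragment is not echoed in the error.
        if not sep or not key.strip():
            raise ValueError(f"malformed option at position {i}")
        options[key.strip()] = value
    return options


def lint_key_config(raw):
    """Return (mode, findings) for one binarymanager_key value."""
    options = parse_options(raw)
    names = set(options)
    findings = []
    if names & KEYSTORE_KEYS and names & PBKDF2_KEYS:
        mode = "ambiguous"
        findings.append("keystore and password options are mixed; pick one mode")
    elif names & KEYSTORE_KEYS:
        mode = "keystore"
        findings += [f"keystore mode is missing {k}" for k in sorted(KEYSTORE_REQUIRED - names)]
    elif names & PBKDF2_KEYS:
        mode = "pbkdf2"
    else:
        mode = "unknown"
        findings.append("no recognised encryption option present")
    findings += [f"unrecognised option {k}" for k in sorted(names - KEYSTORE_KEYS - PBKDF2_KEYS)]
    for name in sorted(names & SECRET_KEYS):
        if not options[name]:
            findings.append(f"{name} is empty")
        elif options[name] in DOC_SAMPLE_SECRETS:
            findings.append(f"{name} still uses a documentation sample value")
    return mode, findings
```

Running it against both sample lines above reports the placeholder secrets, which is the main thing to catch before such a configuration reaches a production nuxeo.conf.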

By default, Java ships with a Java Cryptography Extension (JCE) module configured for a 128-bit maximum key length, whereas the Nuxeo Platform needs at least 256-bit keys for adequate AES security. The Nuxeo code attempts to work around this restriction automatically by forcing the JCE to allow unlimited key length.

If it cannot force it, you will get an exception java.security.InvalidKeyException: Illegal key size or default parameters when encrypting or decrypting a file. In that case, you must go to Oracle Java SE Downloads and download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JDK (see the README.txt file inside the downloaded ZIP for installation instructions).

S3 Encryption

The configuration is described in Amazon S3 Online Storage.