The content files stored by the Nuxeo Platform, also known as binaries, are managed through the BinaryManager abstraction, as described in the Binary Store documentation. There are several ways to configure encryption depending on your choice of

Since Nuxeo Platform 6.0, it is possible to use a BinaryManager that encrypts files using AES. Two modes are possible:
- A fixed AES key retrieved from a Java KeyStore
- An AES key derived from a human-readable password using the industry-standard PBKDF2 mechanism (in which case each encrypted file contains a different salt for security reasons).
You choose the mode and its parameters through the `key="..."` attribute of the `<binaryManager class="org.nuxeo.ecm.core.blob.binary.AESBinaryManager" key="...">` element in the repository configuration.

The value has the form `key1=value1,key2=value2,...`, where the possible keys are, for Java KeyStore use:
- `keyStoreType`: the keystore type, for instance `JCEKS` as in the example below
- `keyStoreFile`: the path to the keystore file, if applicable
- `keyStorePassword`: the keystore password
- `keyAlias`: the alias (name) of the key in the keystore
- `keyPassword`: the password protecting that key

And for PBKDF2 use:
- `password`: the password from which the AES key is derived
The binary manager and its options can be set through the following configuration properties:

```properties
nuxeo.core.binarymanager=org.nuxeo.ecm.core.blob.binary.AESBinaryManager
nuxeo.core.binarymanager_key=keyStoreType=JCEKS,keyStoreFile=/etc/keystore.jceks,keyStorePassword=changeit,keyAlias=mykey,keyPassword=changeittoo
# or
nuxeo.core.binarymanager_key=password=mypassword
```
By default, Java ships with a Java Cryptography Extension (JCE) policy that limits keys to 128 bits, whereas the Nuxeo Platform needs at least 256-bit keys for adequate AES security. The Nuxeo code attempts to work around this restriction automatically, forcing the JCE to allow unlimited key length.

If it cannot do so, you will get the exception `java.security.InvalidKeyException: Illegal key size or default parameters` when encrypting or decrypting a file. In that case, go to Oracle Java SE Downloads, then download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JDK (see the README.txt file inside the downloaded ZIP for installation instructions).
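The following Java class is an added illustration of the two key modes described above and of the JCE key-length check behind the "Illegal key size" exception; it is not Nuxeo's AESBinaryManager code, and its on-disk layout (salt, then IV, then ciphertext), PBKDF2 iteration count, PRF choice and cipher mode are assumptions made for the example rather than what Nuxeo actually writes. The keystore parameters mirror the `keyStoreType`, `keyStoreFile`, `keyStorePassword`, `keyAlias` and `keyPassword` options; the sample password and document are constructed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class AesBinaryDemo {

    // Assumed parameters for the PBKDF2 mode (illustrative, not Nuxeo's actual values).
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 16;
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** The check that matters for "Illegal key size": does the JCE policy allow 256-bit AES? */
    public static boolean unlimitedStrengthAvailable() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= KEY_BITS;
    }

    /** Mode 1: a fixed AES key looked up in a Java KeyStore (e.g. type "JCEKS"). */
    public static SecretKey loadKeyFromKeyStore(String keyStoreType, String keyStoreFile,
                                                char[] keyStorePassword, String keyAlias,
                                                char[] keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        try (InputStream in = new FileInputStream(keyStoreFile)) {
            ks.load(in, keyStorePassword);
        }
        KeyStore.Entry entry = ks.getEntry(keyAlias, new KeyStore.PasswordProtection(keyPassword));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("alias " + keyAlias + " is not a secret key entry");
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    /** Mode 2: derive an AES key from a password with PBKDF2; the per-file salt makes each derived key different. */
    public static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Encrypt one blob. Output layout (assumed for this example): salt || iv || ciphertext. */
    public static byte[] encryptWithPassword(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt); // fresh salt for every file
        RNG.nextBytes(iv);   // fresh IV for every file
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(salt.length + iv.length + ciphertext.length)
                .put(salt).put(iv).put(ciphertext).array();
    }

    /** Decrypt a blob produced by encryptWithPassword: read back the salt, re-derive the key, then decrypt. */
    public static byte[] decryptWithPassword(char[] password, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(blob, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, SALT_BYTES + IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // Without unlimited-strength policy files, the 256-bit init() above would fail with InvalidKeyException.
        System.out.println("256-bit AES allowed by JCE policy: " + unlimitedStrengthAvailable());
        char[] password = "mypassword".toCharArray();                        // constructed sample password
        byte[] doc = "constructed sample document".getBytes(StandardCharsets.UTF_8);
        byte[] first = encryptWithPassword(password, doc);
        byte[] second = encryptWithPassword(password, doc);
        // Same password and plaintext, but a different salt and IV: the stored bytes differ.
        System.out.println("ciphertexts differ: " + !Arrays.equals(first, second));
        System.out.println("round trip ok: " + Arrays.equals(decryptWithPassword(password, first), doc));
    }
}
```

To exercise the keystore mode, a secret key matching the example configuration above can be created with the JDK's `keytool`, e.g. `keytool -genseckey -alias mykey -keyalg AES -keysize 256 -storetype JCEKS -keystore /etc/keystore.jceks -storepass changeit -keypass changeittoo`, then loaded with `loadKeyFromKeyStore("JCEKS", "/etc/keystore.jceks", "changeit".toCharArray(), "mykey", "changeittoo".toCharArray())`. Running `main` on a JDK without the unlimited-strength policy files prints `false` for the first line and then fails at `cipher.init`, which is the same failure the exception described above reports inside Nuxeo.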
## S3 Encryption
The configuration is described in Amazon S3 Online Storage.