Server

Implementing Encryption

Updated: December 19, 2024

Binaries Encryption

The content files stored by the Nuxeo Platform, also known as blobs or binaries, are stored using the Blob Provider abstraction, as described in the File Storage page. There are several ways to configure encryption depending on your choice of Blob Provider.

Filesystem AES Encryption

It's possible to use a Blob Provider that encrypts files using AES. Two modes are possible:

  • A fixed AES key retrieved from a Java KeyStore
  • An AES key derived from a human-readable password using the industry-standard PBKDF2 mechanism (in which case each encrypted file contains a different salt for security reasons).

You choose the mode and the parameters by providing the key= configuration options in the <binaryManager class="" key="..."> of the repository configuration.

The configuration has the form key1=value1,key2=value2,... where the possible keys are, for Java KeyStore use:

  • keyStoreType: the keystore type, for instance JCEKS
  • keyStoreFile: the path to the keystore, if applicable
  • keyStorePassword: the keystore password
  • keyAlias: the alias (name) of the key in the keystore
  • keyPassword: the key password

And for PBKDF2 use:

  • password: the password

The Blob Provider and its options can be set through nuxeo.conf:

nuxeo.core.binarymanager=org.nuxeo.ecm.core.blob.AESBlobProvider
nuxeo.core.binarymanager_key=keyStoreType=JCEKS,keyStoreFile=/etc/keystore.jceks,keyStorePassword=changeit,keyAlias=mykey,keyPassword=changeittoo
#or
nuxeo.core.binarymanager_key=password=mypassword

Alternatively, you can override the default blob provider definition with the following XML contribution:

<component name="org.nuxeo.ecm.core.blob.aes.digest" version="1.0.0">
  <require>default-repository-config</require>
  <extension target="org.nuxeo.ecm.core.blob.BlobManager" point="configuration">
    <blobprovider name="default">
      <class>org.nuxeo.ecm.core.blob.AESBlobProvider</class>
      <property name="path">encrypted_data</property>
      <property name="keyStoreType">JCEKS</property>
      <property name="keyStoreFile">${test.keystore.file}</property>
      <property name="keyStorePassword">keystoresecret</property>
      <property name="keyAlias">myaeskey</property>
      <property name="keyPassword">keysecret</property>
    </blobprovider>
  </extension>

Encryption Algorithm
Before Nuxeo 10.3, the encryption used was based on AES/CBC/PKCS5Padding which has been found to be insecure (susceptible to padding oracle attacks). Starting with Nuxeo 10.3, a more secure encryption algorithm, AES/GCM/NoPadding, is used. If you're migrating data from an earlier version and therefore still need to use the old insecure encryption algorithm, you must add the option useInsecureCipher=true to the nuxeo.core.binarymanager_key in nuxeo.conf.

Java Cryptographic Extension

By default Azul Java ships with a Java Cryptographic Extension (JCE) module configured for 128-bit maximum key length, whereas the Nuxeo Platform needs at least 256-bit keys for adequate security of AES.

To overcome this limitation, you must install an optional downloadable component coming with the JDK. Go to Zulu Cryptography Extensions Kit and download and install the Zulu Cryptography Extension Kit - Unlimited Strength Jurisdiction Policy Files (see the README.txt file inside the downloaded ZIP for installation instructions).

If you do not do this, you will get an exception java.security.InvalidKeyException: Illegal key size or default parameters when encrypting or decrypting a file.

S3 Encryption

The configuration is described in Amazon S3 Online Storage.