Nuxeo Server

Implementing Encryption

Updated: March 18, 2024

Binaries Encryption

The content files stored by the Nuxeo Platform, also known as blobs or binaries, are stored using the Blob Provider abstraction, as described in the File Storage page. There are several ways to configure encryption depending on your choice of Blob Provider.

Filesystem AES Encryption

It's possible to use a Blob Provider that encrypts files using AES. Two modes are possible:

  • A fixed AES key retrieved from a Java KeyStore
  • An AES key derived from a human-readable password using the industry-standard PBKDF2 mechanism (in which case each encrypted file contains a different salt for security reasons).

You choose the mode and the parameters by providing the key= configuration options in the <binaryManager class="" key="..."> of the repository configuration.

The configuration has the form key1=value1,key2=value2,... where the possible keys are, for Java KeyStore use:

  • keyStoreType: the keystore type, for instance JCEKS
  • keyStoreFile: the path to the keystore, if applicable
  • keyStorePassword: the keystore password
  • keyAlias: the alias (name) of the key in the keystore
  • keyPassword: the key password

And for PBKDF2 use:

  • password: the password

The Blob Provider and its options can be set through nuxeo.conf:

nuxeo.core.binarymanager=org.nuxeo.ecm.core.blob.binary.AESBinaryManager
nuxeo.core.binarymanager_key=keyStoreType=JCEKS,keyStoreFile=/etc/keystore.jceks,keyStorePassword=changeit,keyAlias=mykey,keyPassword=changeittoo
#or
nuxeo.core.binarymanager_key=password=mypassword

Java Cryptographic Extension

By default Oracle Java ships with a Java Cryptographic Extension (JCE) module configured for 128-bit maximum key length, whereas the Nuxeo Platform needs at least 256-bit keys for adequate security of AES.

To overcome this limitation, you must install an optional downloadable component coming with the JDK. Go to Oracle Java SE Downloads and download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JDK (see the README.txt file inside the downloaded ZIP for installation instructions).

If you do not do this, you will get an exception java.security.InvalidKeyException: Illegal key size or default parameters when encrypting or decrypting a file.

S3 Encryption

The configuration is described in Amazon S3 Online Storage.