The content files stored by the Nuxeo Platform, also known as blobs or binaries, are stored using the Blob Provider abstraction, as described in the File Storage page. There are several ways to configure encryption depending on your choice of Blob Provider.
It's possible to use a Blob Provider that encrypts files using AES. Two modes are possible:
- A fixed AES key retrieved from a Java KeyStore
- An AES key derived from a human-readable password using the industry-standard PBKDF2 mechanism (in which case each encrypted file contains a different salt for security reasons).
You choose the mode and the parameters by providing the
key= configuration options in the
<binaryManager class="" key="..."> of the repository configuration.
The configuration has the form
key1=value1,key2=value2,... where the possible keys are, for Java KeyStore use:
- keyStoreType: the keystore type, for instance
- keyStoreFile: the path to the keystore, if applicable
- keyStorePassword: the keystore password
- keyAlias: the alias (name) of the key in the keystore
- keyPassword: the key password
And for PBKDF2 use:
- password: the password
The Blob Provider and its options can be set through
nuxeo.core.binarymanager=org.nuxeo.ecm.core.blob.binary.AESBinaryManager nuxeo.core.binarymanager_key=keyStoreType=JCEKS,keyStoreFile=/etc/keystore.jceks,keyStorePassword=changeit,keyAlias=mykey,keyPassword=changeittoo #or nuxeo.core.binarymanager_key=password=mypassword
By default Azul Java ships with a Java Cryptographic Extension (JCE) module configured for 128-bit maximum key length, whereas the Nuxeo Platform needs at least 256-bit keys for adequate security of AES.
To overcome this limitation, you must install an optional downloadable component coming with the JDK. Go to Zulu Cryptography Extensions Kit and download and install the Zulu Cryptography Extension Kit - Unlimited Strength Jurisdiction Policy Files (see the README.txt file inside the downloaded ZIP for installation instructions).
If you do not do this, you will get an exception
java.security.InvalidKeyException: Illegal key size or default parameters when encrypting or decrypting a file.
The configuration is described in Amazon S3 Online Storage.