Sun Identity Manager 8.1 Business Administrator's Guide

Frequently Asked Questions about Server Encryption Keys

Read the following sections for answers to frequently asked questions about server encryption key source, location, maintenance, and use.

Question:

Where do server encryption keys come from?

Answer:

Server encryption keys are symmetric, triple-DES 168-bit keys (three 56-bit DES keys). Note that 168-bit triple-DES provides only about 112 bits of effective security because of the meet-in-the-middle attack, and NIST has since deprecated triple-DES; treat it as a legacy algorithm rather than a measure of current strength.

There are two types of keys supported by the server:

Question:

Where are server encryption keys maintained?

Answer:

Server encryption keys are objects maintained in the repository. There can be many data encryption keys in any given repository.

Question:

How does the server know which key to use for decryption and re-encryption of encrypted data?

Answer:

Each piece of encrypted data stored in the repository is prefixed by the ID of the server encryption key that was used to encrypt it. When an object containing encrypted data is read into memory, Identity Manager looks up the server encryption key named by that ID prefix and decrypts the data with it; if the data has changed when the object is written back, it is re-encrypted with that same key, not necessarily the "current" key.

Question:

How do I update server encryption keys?

Answer:

Identity Manager provides a task called Manage Server Encryption.

This task allows an authorized security administrator to perform several key management tasks, including:

See Managing Server Encryption in this chapter for more information about how to use this task.

Question:

What happens to existing encrypted data if the “current” server key is changed?

Answer:

Nothing. Existing encrypted data will still be decrypted or re-encrypted with the key referenced by the ID prefix on the encrypted data. If a new server encryption key is generated and set to be the “current” key, any new data to be encrypted will use the new server key.

To avoid multi-key issues, as well as to maintain a higher level of data integrity, use the Manage Server Encryption task to re-encrypt all existing encrypted data with the "current" server encryption key. Until that has been done, every older key still named by an ID prefix must remain in the repository, because data encrypted under a missing key cannot be decrypted.

Question:

What happens when you import encrypted data for which an encryption key is not available?

Answer:

If you import an object that contains encrypted data, but that data was encrypted with a key that is not in the repository into which it is being imported, then the data will be imported, but not decrypted. It is stored as opaque ciphertext that still carries the ID prefix of the missing key, so Identity Manager can only make it readable once a server key with that ID is available in the repository (see the question on exporting server keys below).
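The key-ID prefix, rotation of the "current" key, the "re-encrypt all data" step and import of ciphertext under an unknown key, as an added example that is not code from the original guide or from Identity Manager itself. A SHA-256 based keystream stands in for triple-DES so the block runs on the Python standard library alone, and the `key-<hex>:<nonce>:<ciphertext>` wire format is an assumption for illustration, not the product's real storage format.

```python
import hashlib
import secrets
from typing import Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from SHA-256. Stands in for triple-DES so the
    example runs with the standard library only; not a recommended cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class KeyRing:
    """Server encryption keys held in the repository; one is marked 'current'."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}      # key ID -> key material
        self.current: Optional[str] = None

    def generate(self) -> str:
        """Generate a new server key and make it the 'current' key."""
        kid = "key-" + secrets.token_hex(4)   # assumed ID format
        self.keys[kid] = secrets.token_bytes(24)   # 24 bytes: 168-bit triple-DES keying material
        self.current = kid
        return kid

    @staticmethod
    def key_id_of(blob: str) -> str:
        return blob.split(":", 1)[0]

    def encrypt(self, plaintext: bytes) -> str:
        """Encrypt under the current key; the stored value is prefixed with that key's ID."""
        nonce = secrets.token_bytes(8)
        ct = _xor(plaintext, self.keys[self.current], nonce)
        return f"{self.current}:{nonce.hex()}:{ct.hex()}"

    def decrypt(self, blob: str) -> bytes:
        """Decrypt with whichever key the ID prefix names, not necessarily the current one."""
        kid, nonce_hex, ct_hex = blob.split(":")
        if kid not in self.keys:
            raise KeyError(f"server key {kid} is not in this repository")
        return _xor(bytes.fromhex(ct_hex), self.keys[kid], bytes.fromhex(nonce_hex))

    def reencrypt_all(self, repo: Dict[str, str]) -> int:
        """The 're-encrypt all data with the current key' step; returns how many
        values were rewritten. Values whose key is missing are left untouched,
        because they cannot be decrypted."""
        rewritten = 0
        for name, blob in repo.items():
            kid = self.key_id_of(blob)
            if kid != self.current and kid in self.keys:
                repo[name] = self.encrypt(self.decrypt(blob))
                rewritten += 1
        return rewritten


def rotation_demo() -> dict:
    """Walk through rotation, re-encryption and import of foreign ciphertext."""
    ring = KeyRing()
    k1 = ring.generate()
    repo = {"admin.password": ring.encrypt(b"s3cret")}        # constructed sample data
    k2 = ring.generate()                                       # new current key
    untouched = ring.key_id_of(repo["admin.password"]) == k1   # old data still under k1
    still_readable = ring.decrypt(repo["admin.password"]) == b"s3cret"
    repo["svc.password"] = ring.encrypt(b"svc-pw")             # new data uses k2

    # Import an object encrypted elsewhere under a key this repository does not have.
    other = KeyRing()
    other.generate()
    repo["imported.password"] = other.encrypt(b"foreign")      # stored, but opaque here
    try:
        ring.decrypt(repo["imported.password"])
        foreign_readable = True
    except KeyError:
        foreign_readable = False

    rewritten = ring.reencrypt_all(repo)                       # only admin.password moves to k2
    return {
        "k1": k1, "k2": k2,
        "old_data_untouched_by_rotation": untouched,
        "old_data_still_readable": still_readable,
        "foreign_readable": foreign_readable,
        "rewritten": rewritten,
        "key_ids_after": {n: ring.key_id_of(b) for n, b in repo.items()},
    }
```

Running `rotation_demo()` shows the three behaviours the answers above describe: generating a new current key leaves existing ciphertext under the old key and still readable, the re-encrypt-all step rewrites only values under a retained older key, and an imported value under an unknown key is kept verbatim but cannot be decrypted.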

Question:

How are server keys protected?

Answer:

If the server is not configured to use password-based encryption (PBE, PKCS#5), set in the System Configuration object using the pbeEncrypt attribute or through the Manage Server Encryption task, then the default key is used to encrypt the server keys. The default key is the same for all Identity Manager installations, so in this mode the confidentiality of the server keys, and therefore of all data encrypted under them, rests entirely on access control to the repository: anyone who obtains a copy of the repository (or a backup or export of it) and has the product can recover the server keys.

If the server is configured to use PBE encryption, then a PBE key is generated each time the server is started. The PBE key is generated by providing a password, derived from a server-specific secret, to the PBEwithMD5andDES cipher. The PBE key is maintained only in memory and never persisted. Because the secret is shared across a deployment, the PBE key is the same for all servers sharing a common repository, which is what allows any of those servers to read the wrapped server keys. Note that PBEwithMD5andDES (PKCS#5 PBES1) uses MD5 and single 56-bit DES, so the wrapping is weaker than the triple-DES server keys it protects; it raises the bar over the shared default key but does not substitute for restricting access to the repository and the server's secret.

To enable PBE encryption of server keys, the cipher PBEwithMD5andDES must be available. Identity Manager does not package this cipher by default, but it is a PKCS#5 standard that is available in many JCE provider implementations, such as those provided by Sun and IBM.

Question:

Can I export the server keys for safe external storage?

Answer:

Yes. If the server keys are PBE encrypted, then before they are exported they are decrypted and re-encrypted with the default key. This allows them to be imported to the same or another server at a later date, independent of the local server PBE key. If the server keys are encrypted with the default key, then no preprocessing is done before they are exported.

When the keys are imported into a server that is configured for PBE key encryption, they are decrypted with the default key and re-encrypted with that server's PBE key; a server without PBE enabled stores them under the default key as received.

Because the default key is identical on every installation, an export file protects the server keys no better than plaintext would: store it encrypted by other means, restrict who can read it, and delete it once the import is complete.
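How the server keys themselves are wrapped under either the shared default key or a PBE-derived key, and how export and import re-wrap them, as an added example that is not code from the original guide or from Identity Manager. It assumes a repository-wide secret from which the PBE key is derived (so that servers on the same repository derive the same key), uses PBKDF2-HMAC-SHA256 in place of PBEwithMD5andDES and a single SHA-256 pad in place of the real wrapping cipher so the block runs on the standard library alone, and the `DEFAULT_KEY` value and the `mode`/`nonce`/`ct` record layout are constructed for illustration.

```python
import hashlib
import secrets

# Stand-in for the product-wide default key, which the guide says is identical on
# every Identity Manager installation (constructed value, not the real one).
DEFAULT_KEY = hashlib.sha256(b"identity-manager-default-key").digest()[:24]


def _wrap(server_key: bytes, wrapping_key: bytes, mode: str) -> dict:
    """Encrypt a 24-byte server key under a wrapping key. One SHA-256 block XORed as
    a pad stands in for the real cipher so this runs on the standard library alone."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(wrapping_key + nonce).digest()[:len(server_key)]
    return {"mode": mode, "nonce": nonce.hex(),
            "ct": bytes(a ^ b for a, b in zip(server_key, pad)).hex()}


def _unwrap(record: dict, wrapping_key: bytes) -> bytes:
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    pad = hashlib.sha256(wrapping_key + nonce).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))


def pbe_key(repository_secret: bytes) -> bytes:
    """Derive the in-memory PBE key from the secret shared by all servers on one
    repository (assumed model). PBKDF2-HMAC-SHA256 stands in for PBEwithMD5andDES;
    the result is held in memory only and never written to the repository."""
    return hashlib.pbkdf2_hmac("sha256", repository_secret, b"server-key-wrapping", 100_000, 24)


class Server:
    """One Identity Manager server. pbe_encrypt=False models pbeEncrypt being unset."""

    def __init__(self, repository_secret: bytes, pbe_encrypt: bool) -> None:
        self.pbe = pbe_key(repository_secret) if pbe_encrypt else None

    def store(self, server_key: bytes) -> dict:
        """How the repository persists a server key under this server's setting."""
        if self.pbe is not None:
            return _wrap(server_key, self.pbe, "pbe")
        return _wrap(server_key, DEFAULT_KEY, "default")

    def load(self, record: dict) -> bytes:
        return _unwrap(record, self.pbe if record["mode"] == "pbe" else DEFAULT_KEY)

    def export(self, record: dict) -> dict:
        """PBE-wrapped keys are re-wrapped under the default key before export."""
        if record["mode"] == "pbe":
            return _wrap(_unwrap(record, self.pbe), DEFAULT_KEY, "default")
        return dict(record)   # already under the default key: no preprocessing

    def import_record(self, record: dict) -> dict:
        """Imported keys are re-wrapped under the local PBE key when PBE is enabled."""
        if self.pbe is not None and record["mode"] == "default":
            return _wrap(_unwrap(record, DEFAULT_KEY), self.pbe, "pbe")
        return dict(record)


def wrapping_demo() -> dict:
    server_key = secrets.token_bytes(24)                # a freshly generated server key
    a = Server(b"repo-A-secret", pbe_encrypt=True)      # constructed secrets
    b = Server(b"repo-A-secret", pbe_encrypt=True)      # second server on the same repository
    c = Server(b"repo-C-secret", pbe_encrypt=False)     # PBE off: default key only

    stored_on_a = a.store(server_key)
    exported = a.export(stored_on_a)
    on_b = b.import_record(exported)
    on_c = c.import_record(exported)
    return {
        "same_pbe_key_for_shared_repo": a.pbe == b.pbe,
        "stored_mode": stored_on_a["mode"],
        "exported_mode": exported["mode"],
        "b_mode": on_b["mode"],
        "b_recovers_key": b.load(on_b) == server_key,
        "c_mode": on_c["mode"],
        # Anyone holding the product-wide default key can read the exported record
        # and the non-PBE server's stored record, which is the caveat above.
        "export_readable_with_default_key": _unwrap(exported, DEFAULT_KEY) == server_key,
        "c_readable_with_default_key": _unwrap(on_c, DEFAULT_KEY) == server_key,
    }
```

The last two results returned by `wrapping_demo()` are the point of the caveat: both the export file and a non-PBE server's stored keys unwrap with the default key alone, so only the PBE-wrapped record on servers a and b depends on a secret that is not shipped with every installation.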

Question:

What data is encrypted between the server and gateway?

Answer:

All data (payload) transmitted between the server and gateway is triple-DES encrypted with a randomly generated, per server-gateway session symmetric 168 bit key.