Security Server Encryption tab

Engine encryption provides a set of encryption/decryption APIs for all Cloverleaf applications.

Some administrator files, configuration files, and message data could contain sensitive data and can be encrypted. For example:

  • Alert
  • Database connection
  • Global variable
  • Lookup table
  • NetConfig
  • hssecurity.ini
  • security.ini
  • Error database
  • SMAT database
  • Raima

Support is provided for encryption of Cloverleaf configuration files and stored messages, through a default key and user-defined keys.

The engine encrypts data with the current public key. It decrypts data with the private key corresponding to the public key that was used for the original encryption.

The default public/private key is installed during installation. Users can override these default keys with user-specified keys.

User-specified public/private keys for administrative, configuration, and message data are configured using the Encryption tab.

Engine encryption validates the specified public/private key file. If validation succeeds, it checks whether the key is already registered in the SQLite database and inserts an entry if it is not.

Engine encryption keeps a history of public/private keys in a SQLite database, and can resolve the private key for the public key.

For migration, engine encryption supports importing keys from another SQLite database.
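The key-history behaviour described above (encrypt with the current public key, resolve the private key from the public key that originally encrypted the data, keep older keys so existing data still decrypts after a key change, register a key only once) as an added example; this is not Cloverleaf's own code. It assumes RSA-OAEP as the asymmetric algorithm and an in-memory map standing in for the SQLite key-history database; the fingerprint scheme and the `Envelope` layout are assumptions as well.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope carries the fingerprint of the public key that encrypted the data.
type Envelope struct {
	KeyID      string
	Ciphertext []byte
}
// Registry stands in (assumption) for the SQLite key-history table: fingerprint -> private key.
type Registry struct {
	keys    map[string]*rsa.PrivateKey
	current string // fingerprint of the key used for new encryptions
}

func NewRegistry() *Registry { return &Registry{keys: map[string]*rsa.PrivateKey{}} }

// Register validates the pair, inserts it unless already registered, and makes it current.
func (r *Registry) Register(priv *rsa.PrivateKey) (string, error) {
	if err := priv.Validate(); err != nil {
		return "", fmt.Errorf("rejected key: %w", err)
	}
	id := fmt.Sprintf("%x", sha256.Sum256(priv.N.Bytes())) // fingerprint = lookup column
	if _, seen := r.keys[id]; !seen {
		r.keys[id] = priv
	}
	r.current = id
	return id, nil
}
// Encrypt always uses the current public key and stamps its fingerprint on the envelope.
func (r *Registry) Encrypt(plain []byte) (Envelope, error) {
	priv, ok := r.keys[r.current]
	if !ok {
		return Envelope{}, fmt.Errorf("no current key registered")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, plain, nil)
	return Envelope{KeyID: r.current, Ciphertext: ct}, err
}
// Decrypt resolves the private key from the envelope's fingerprint, not from the current key.
func (r *Registry) Decrypt(e Envelope) ([]byte, error) {
	priv, ok := r.keys[e.KeyID]
	if !ok {
		return nil, fmt.Errorf("no private key in history for %.12s", e.KeyID)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.Ciphertext, nil)
}
```

Registering a second key pair changes which key new data is encrypted with, while envelopes stamped with the first key's fingerprint still decrypt because the history retains that private key.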

The server always encrypts the administration files and configuration files. The encryption of message data can be toggled on/off.

No attempt is made to encrypt or decrypt existing data: existing objects remain in their current state, encrypted or unencrypted.

For example, when encryption of the SMAT database, error database, or internal Raima database is enabled, a password is required to protect the corresponding database. This password is encrypted.