Metadata encryption
Encryption can be enabled to encrypt credentials and other sensitive data stored in the metadata repository. The following tables and columns are encrypted:
- il_sources table, columns properties and co_properties: used to store sources' credentials
- il_settings table, column value: used to store InfoLink settings, some of which (e.g. SSO settings) can contain credentials
NOTE: Credentials to access InfoLink (such as user passwords, API keys, client secrets) are stored hashed and thus do not need to be encrypted.
InfoLink encrypts with AES/GCM/NoPadding using a 12-byte IV (GCM_IV_LENGTH = 12) and a 16-byte authentication tag (GCM_TAG_LENGTH = 16). The encryption secret key that InfoLink generates comes from an AES key generator with a key size of 256 bits. Because GCM is an authenticated mode, a stored value whose ciphertext or tag has been altered fails to decrypt instead of yielding silently corrupted credentials, and the IV must be unique for every encrypted value: reusing an IV under the same key breaks both the confidentiality and the integrity guarantees of GCM.
To manage metadata encryption, go to the home page, click on the Settings tab and scroll down to the Metadata Encryption section.
Enable encryption
- On the file system where InfoLink is installed, create a configuration file that specifies a source where the encryption secret key is stored. The format of the file is described below.
- Go to the home page, click on Settings tab, click on Encryption in the left menu.
- Click on edit next to the Config field and enter the encryption configuration in JSON format as described below.
- Click the Enable button: it loads the secret key from the encryption configuration file and encrypts the metadata. Do not reload the page until you see a confirmation message; reloading earlier can hide an error message if something fails.
Changing encryption configuration
WARNING: do not replace your encryption secret key while encryption is enabled, because you will no longer be able to decrypt the encrypted data. If you want to replace the secret key, disable encryption, replace the key, and then enable encryption again.
You can edit the encryption configuration file and/or the Config file path at any time. For the changes to take effect, click the Reload secrets button.
Encryption configuration file
The encryption configuration file specifies the source where the encryption secret key is stored. InfoLink supports the following sources:
- Azure Key Vault - Key (Recommended)
- Azure Key Vault - Secret (Deprecated)
- File system (on the server where InfoLink is installed)
Azure Key Vault - Key (Recommended)
Go to Azure Key Vault, click on Keys, click Generate/Import and create a new key (keep the default parameters if you are not sure).
Enter the following JSON configuration by clicking edit located at: home page -> Settings tab -> Encryption menu item -> Config field. Note that InfoLink authenticates to Key Vault with a client id and client secret (that is, it authenticates a service principal (application) with a client secret). The client secret is stored in clear text in this configuration, so restrict read access to the configuration file to the InfoLink service account, and grant the service principal only the Key Vault key permissions it needs.
{
"sourceType": "AzureKeyVaultSource",
"tenantId": "<your tenant id>",
"clientId": "<your client (application) id>",
"clientSecret": "<your client secret>",
"keyVaultURI": "<your Key Vault URI, e.g. https://kv-padb.vault.azure.net/>",
"keyName": "<the name of the key in the Azure key vault that you created above>"
}
A few words on how this approach works. The data encryption key (DEK) is generated automatically by InfoLink when you enable encryption. The DEK is encrypted (wrapped) with the key you created in Azure Key Vault, which acts as the key encryption key (KEK). The encrypted DEK is stored in the InfoLink metadata repository together with the version number of the KEK that was used. Key rotation therefore does not require re-encrypting the data: you generate a new version of the KEK in Azure Key Vault, InfoLink detects the new version and re-encrypts only the DEK with it, without touching the data.
To rotate the encryption key:
- In an InfoLink application, create a scenario with a Maintain operation and select rotateEncryptionKeyForMetadataRepository in the Command field: it detects a new version of the key (KEK) in Azure Key Vault, if one is available, and re-encrypts the DEK with that version. No parameters are required, so leave the editor below the Command field blank. Schedule the scenario for regular execution. The schedule must run as an admin user, so it has to be created by an admin user.
- Now go to Azure Key Vault and create a new version of the key: click on the key to open it, click + New Version, keep the default parameters if you are not sure, and click Create. The Maintain operation you scheduled above detects the new KEK version and re-encrypts the DEK with it. Until that scheduled run has completed, the DEK is still wrapped with the previous key version, so do not disable or delete the old version before then.
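The mechanism described above (AES/GCM/NoPadding with a 12-byte IV and a 16-byte tag, as stated in the Metadata encryption section, and a DEK wrapped by a versioned KEK whose rotation re-wraps only the DEK) as an added, runnable example in Go. This is not InfoLink's code and not the Azure Key Vault client: the keyVault type is a stand-in for the vault that only keeps numbered KEK versions in memory, the repo type is a stand-in for the il_sources/il_settings rows, the column names and values used with it are constructed sample data, and rotateEncryptionKey is an assumed reading of what the rotateEncryptionKeyForMetadataRepository command does, based solely on the description above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Parameters stated on the page: 256-bit AES keys, AES/GCM/NoPadding, 12-byte IV, 16-byte tag.
const aesKeyBytes, gcmIVLength, gcmTagLength = 32, 12, 16

// randomBytes serves as the AES KeyGenerator (key size 256) and as the IV source; a dead CSPRNG is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds the AEAD: cipher.NewGCM is exactly the page's 12-byte IV / 16-byte tag; bad or nil keys are rejected.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt seals under a fresh random IV and returns IV || ciphertext || tag; a bad key is a config bug, so it panics.
func encrypt(key, plaintext []byte) []byte {
	gcm, err := gcmFor(key)
	if err != nil {
		panic(err)
	}
	iv := randomBytes(gcmIVLength)
	return gcm.Seal(iv, iv, plaintext, nil)
}

// decrypt reverses encrypt; a wrong key or any bit flipped in IV, ciphertext or tag is an error, never garbage.
func decrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcmIVLength+gcmTagLength {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcmIVLength], sealed[gcmIVLength:], nil)
}

// keyVault stands in for Azure Key Vault: KEK versions 1..len(v), newest = len(v); a missing version yields a nil key.
type keyVault map[int][]byte

// newVersion is "+ New Version" in the portal.
func (v keyVault) newVersion() { v[len(v)+1] = randomBytes(aesKeyBytes) }

// repo models what the page says is stored: wrapped DEK, the KEK version that wrapped it, encrypted column values.
type repo struct {
	wrappedDEK []byte
	kekVersion int
	columns    map[string][]byte
}

// enableEncryption generates the DEK, wraps it with the newest KEK and encrypts the columns.
func enableEncryption(v keyVault, plain map[string][]byte) *repo {
	dek := randomBytes(aesKeyBytes)
	r := &repo{wrappedDEK: encrypt(v[len(v)], dek), kekVersion: len(v), columns: map[string][]byte{}}
	for name, value := range plain {
		r.columns[name] = encrypt(dek, value)
	}
	return r
}

// readColumn unwraps the DEK with the recorded KEK version and decrypts one column value.
func (r *repo) readColumn(v keyVault, name string) ([]byte, error) {
	dek, err := decrypt(v[r.kekVersion], r.wrappedDEK)
	if err != nil {
		return nil, err
	}
	return decrypt(dek, r.columns[name])
}

// rotateEncryptionKey is the page's rotateEncryptionKeyForMetadataRepository as read from its description: unwrap
// the DEK with the recorded KEK version, re-wrap with the newest. Column data is never touched. True if rotated.
func rotateEncryptionKey(r *repo, v keyVault) (bool, error) {
	if len(v) == r.kekVersion {
		return false, nil
	}
	dek, err := decrypt(v[r.kekVersion], r.wrappedDEK)
	if err != nil {
		return false, err
	}
	r.wrappedDEK, r.kekVersion = encrypt(v[len(v)], dek), len(v)
	return true, nil
}
```

Call vault.newVersion() once, enableEncryption with the plaintext columns, then after a second vault.newVersion() call rotateEncryptionKey: it returns true, r.kekVersion advances, and the bytes in r.columns are identical before and after, which is the property that makes rotation cheap. Because every value carries its own IV and tag, a flipped byte in the wrapped DEK or in a column, or a KEK version that no longer exists in the vault, surfaces as an error from decrypt rather than as a wrong plaintext.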
Azure Key Vault - Secret (Deprecated)
Go to Azure Key Vault, click on Secrets, click Generate/Import, enter any name for the secret and paste your data encryption key (DEK) into the Secret value field. To generate a DEK: InfoLink home page -> Settings tab -> Encryption menu item, click Generate data encryption key (DEK).
Enter the following JSON configuration by clicking edit located at: InfoLink home page -> Settings tab -> Encryption menu item -> Config field. As with the key source, InfoLink authenticates to Key Vault with a client id and client secret (a service principal (application) authenticating with a client secret), and the client secret sits in clear text in this configuration, so restrict who can read it.
{
"sourceType": "AzureKeyVaultSource",
"tenantId": "<your tenant id>",
"clientId": "<your client (application) id>",
"clientSecret": "<your client secret>",
"keyVaultURI": "<your Key Vault URI, e.g. https://kv-padb.vault.azure.net/>",
"secretName": "<the name of the secret in the Azure key vault you created above>"
}
To rotate the key: disable encryption, generate a new DEK as described above, save it in the Azure Key Vault secret, and enable encryption again. Disabling and re-enabling encryption are time-consuming operations, which is the main reason this approach is deprecated.
File system
To store the data encryption key (DEK) on the file system where InfoLink is installed, use the following configuration. To generate a DEK: InfoLink home page -> Settings tab -> Encryption menu item, click Generate data encryption key (DEK). With this source the DEK itself sits in clear text in the configuration file, so anyone who can read both that file and the metadata repository can decrypt the stored credentials; restrict the file's permissions to the InfoLink service account.
{
"sourceType": "ServerFSSource",
"secretKey":"<data encryption key you generated>"
}
To rotate the key: disable encryption, generate a new DEK as described above, save it in the configuration as described above, and enable encryption again.
Troubleshooting
When using Azure Key Vault, enabling encryption can fail with the message Unable to find valid certification path to requested target. This means the JVM's trust store does not contain the root CA that issued the TLS certificate of your Key Vault endpoint. The following steps can help to resolve the issue:
- From https://www.digicert.com/kb/digicert-root-certificates.htm, download "DigiCert Global Root G2" by clicking Download DER/CRT and save the .crt file in a folder of your choice, e.g. C:/Certificates/DigiCertGlobalRootG2.crt
- Open a cmd window as an admin user, go to <path to jdk>/jre/bin and run the following command (adjust the path if Enterworks is installed on another drive, e.g. D:). If you are using InfoLink with Enterworks, <path to jdk> is usually C:/Enterworks/jdk.
keytool -trustcacerts -keystore "<path to jdk>/jre/lib/security/cacerts" -storepass changeit -importcert -alias youralias -file "C:/Certificates/DigiCertGlobalRootG2.crt"
Use any alias that is not already present in the keystore; changeit is the default cacerts password, so use your own if it has been changed. The import goes into that JDK's own cacerts file, so it has to be repeated after the JDK is replaced or upgraded, and InfoLink must be restarted for the JVM to pick up the new trust store. You can confirm the import by listing the keystore with keytool -list and the same -keystore and -alias options.