WildFly Password Vault: Difference between revisions
| Line 20: | Line 20: | ||
keytool -genseckey -alias <vault-alias> \ | keytool -genseckey -alias <vault-alias> \ | ||
-storetype jceks -keyalg AES -keysize 128 \ | -storetype jceks -keyalg AES -keysize 128 \ | ||
-storepass <same-password-from-store-and-key> -keypass <same-password-from-store-and-key> \ | -storepass <same-password-from-store-and-key> \ | ||
-keypass <same-password-from-store-and-key> \ | |||
-validity 730 -keystore $JBOSS_HOME/vault/vault.keystore | -validity 730 -keystore $JBOSS_HOME/vault/vault.keystore | ||
</pre> | </pre> | ||
Revision as of 23:57, 14 March 2017
Internal
Overview
The password vault is a mechanism to store locally passwords and other security-sensitive information, in an encrypted format, and decrypt them at only when they're needed, at runtime, in memory. Such information can referred from CLI commands or applications deployed in JBoss EAP.
The implementation of the JBoss password vault is based on a Java keystore. The keystore is used to store the encryption key itself, and then the secret content itself.
The rest of the article describes how to initialize, declare and deploy a vault, how to store information into the vault and how to retrieve it from the vault.
Procedures
Vault Setup
Conventionally, the keystore backing the vault is store in $JBOSS_HOME/vault, and we will use this value in this article. Since this directory will contain sensitive information it should be accessible to only limited users. At a minimum the user account under which JBoss EAP is running requires read-write access.
keytool -genseckey -alias <vault-alias> \ -storetype jceks -keyalg AES -keysize 128 \ -storepass <same-password-from-store-and-key> \ -keypass <same-password-from-store-and-key> \ -validity 730 -keystore $JBOSS_HOME/vault/vault.keystore