AES Encryption Provider
What's Covered
Creating an AES Encryption Provider
Configuring the Default Encryption Provider
Overview
The AES Encryption Provider provides strong, FIPS-compliant encryption for passwords stored in the AMS database.
Creating an AES Encryption Provider
To use the AES Encryption Provider you must create an instance (or import one) and then set it as the default encryption provider.
Follow these steps to create a new AES Encryption Provider:
- Open the Configuration tab in the Arellia Security Manager console.
- In the Configuration tree navigate to Settings > Configuration > Service Providers > Encryption Providers.
- Right-click on Encryption Providers and select New > AES Encryption Provider.
- Name your provider and click OK to create it.
Configuring the Default Encryption Provider
Once your encryption provider has been used to store passwords, you should not delete or change the provider. Doing so will prevent AMS from recovering anything encrypted by that provider. Instead of deleting or changing it, create a new provider and configure it as the default.
Follow these steps to set your provider as the default:
- Open the Configuration tab in the Arellia Security Manager console.
- In the Configuration tree navigate to Settings > Configuration > Infrastructure > Configuration Settings.
- On the right, under Product, select Arellia Management Server.
- Click Select... next to Encryption Provider and choose your provider.
- Click the Save button to save your settings.
Using a Custom Key
You can use a custom password or passphrase to generate a key that your AES encryption provider will use to encrypt stored passwords.
Once your encryption provider has been used to store passwords, you should not delete or change the provider. Doing so will prevent AMS from recovering anything encrypted by that provider. Instead of deleting or changing it, create a new provider and configure it as the default.
Follow these steps to set a custom passphrase for your provider:
- Open the Configuration tab in the Arellia Security Manager console.
- In the Configuration tree navigate to Settings > Configuration > Service Providers > Encryption Providers.
- In the tree, right-click your provider and select View as XML.
- In the pop-up XML view click the Edit button.
- Under the AESEncryptionProviderContract XML node, remove the DeriveFromEncryptionProviderId and DeriveFromSalt nodes.
- Inside the DeriveFromKey node enter your custom passphrase.
- Click the Import button.
When you import the passphrase, a new salt is generated, combined with your passphrase to derive the key, and protected using the top-level encryption provider. After the import, therefore, your plaintext passphrase no longer appears in the XML.
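The following Go model, added here as an illustration and not AMS code, shows why a provider rebuilt from the same passphrase but a fresh salt cannot recover values sealed by the original: the key is bound to both. The page does not state which key-derivation function AMS uses, so PBKDF2-HMAC-SHA256 and AES-256-GCM are assumptions, and the salts and passwords are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// DeriveKey is one 32-byte block of PBKDF2-HMAC-SHA256 (assumed KDF; the page does not name AMS's).
func DeriveKey(passphrase string, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)                // the import-time salt: new salt, new key
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index INT(1)
	u := mac.Sum(nil)
	t := u
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

// NewProvider models one AES encryption provider: its key is fixed by passphrase and import-time salt.
func NewProvider(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(DeriveKey(passphrase, salt, 100000)) // 32-byte key: AES-256, cannot fail
	g, _ := cipher.NewGCM(block)                                    // AES block cipher: cannot fail
	return g
}

// Encrypt seals a stored password under the provider, random nonce prefixed.
func Encrypt(g cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return g.Seal(nonce, nonce, pt, nil)
}

// Decrypt succeeds only under the provider that sealed the value; a rebuilt provider fails GCM auth.
func Decrypt(g cipher.AEAD, ct []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:n], ct[n:], nil)
}
```

Only a provider rebuilt from the identical passphrase and the identical salt recovers the value, which is the state AMS preserves for you as long as the provider is left untouched.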
What to Expect
Whenever new passwords are stored in the AMS database (LSS User Passwords, configured User Credentials, etc.), they will be encrypted using the selected encryption provider.